In the D:Drive blog post “An International Standard on E-Discovery is Becoming a Reality”, I introduced the development of an international standard for electronic discovery, “ISO/IEC 27050 – Information technology – Security techniques – Electronic discovery” (“ISO/IEC 27050”). ISO/IEC 27050 aims to put in place internationally-recognized standard procedures and practices for the stages of “e-discovery”, the process of discovering pertinent Electronically Stored Information (ESI) by one or both parties involved in an investigation and any resulting actions.
ISO/IEC 27050 addresses activities in e-discovery, including identification, preservation, collection, processing, review, analysis, and production of ESI. While ISO/IEC 27050 is not intended to contradict or supersede local jurisdictional laws and regulations, it will likely impact multi-national organizations by bringing consistency to issues that span across international borders.
I am the expert advisor representing Canada with respect to the negotiation of ISO/IEC 27050 and I am on the editing team, with a focus on Part 3, Code of practice for electronic discovery. My co-editor on Part 3 and the Project Editor of all parts of the standard is Eric Hibbard, who is a member of the US expert team with whom I negotiate international information security standards.
Eric Hibbard has written an excellent article, “Electronic Discovery Standardization,” in which he describes the genesis and scope of the ISO/IEC 27050 project and explains the content of the working drafts.
As Mr. Hibbard describes in his article, ISO/IEC 27050 will be a four-part international standard addressing activities in e-discovery:
- Part 1: Overview and Concepts - Provides an overview of e-discovery, introducing relevant terminology, concepts, and processes. This Part is intended to be informative rather than normative.
- Part 2: Governance and Management - Targets C-level executives within organizations that may be confronted with e-discovery scenarios, which may or may not be legal in nature. This Part describes how such personnel can identify and take ownership of risks related to e-discovery, set policy relating to e-discovery and achieve compliance with external and internal requirements relating to e-discovery.
- Part 3: Code of Practice - This Part will contain the bulk of the guidance and, more importantly, the requirements for practising e-discovery. Part 3 is expected to have the most impact on e-discovery because of the inclusion of requirements that can serve as the basis for conformance and ultimately certification of entities as being in compliance with internationally-recognized best practices.
- Part 4: ICT Readiness - Part 4 is intended to address the e-discovery technology issues. This Part takes the policies and management from Part 2, combines them with the guidance and requirements for the e-discovery processes and activities in Part 3, and provides guidance for the use of technology to make e-discovery more effective and efficient.
I am delighted that Mr. Hibbard, as well as the Ave Maria Law Review, has given me permission to republish this article for readers of the D: Drive.
The next round of face-to-face international meetings to discuss the development of ISO/IEC 27050 is scheduled for May 4-9, 2015, in Kuching, Malaysia, and the editing team has been hard at work preparing the drafts that will form the basis of those discussions.