Information security technology - Electronic discovery - Part 1: Overview and concepts
1 Scope
Electronic discovery is the process of discovering pertinent Electronically Stored Information (ESI) or data by one or more parties involved in an investigation or litigation, or similar proceeding. This document provides an overview of electronic discovery. In addition, it defines related terms and describes the concepts, including, but not limited to, identification, preservation, collection, processing, review, analysis, and production of ESI. This document also identifies other relevant standards (e.g. ISO/IEC 27037) and how they relate to, and interact with, electronic discovery activities.
This document is relevant to both non-technical and technical personnel involved in some or all of the electronic discovery activities.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1
chain of custody
demonstrable possession, movement, handling, and location of material from one point in time until another
3.2
custodian
person or entity that has custody, control or possession of Electronically Stored Information (3.8)
3.3
data breach
compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed
[SOURCE: ISO/IEC 27040:2015, 3.7]
3.4
discovery
process by which each party obtains information held by another party or non-party concerning a matter
Note 1: Discovery is applicable more broadly than to parties in adversarial disputes.
Note 2: Discovery is also the disclosure of hardcopy documents, Electronically Stored Information (3.8) and tangible objects by an adverse party.
Note 3: In some jurisdictions, the term disclosure is used interchangeably with discovery.
3.5
disposition
range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments
[SOURCE: GB/T 26162-2018, 3.8]
3.6
electronic archive
long-term repository of Electronically Stored Information (3.8)
Note 1: Electronic archives can be online, and therefore accessible, or off-line and not easily accessible.
Note 2: Backup systems (e.g. tape, virtual tape, etc.) are not intended to be electronic archives, but rather data protection systems (i.e. recovery mechanisms for disaster recovery and business continuity).
3.7
electronic discovery
discovery (3.4) that includes the identification, preservation, collection, processing, review, analysis, or production of Electronically Stored Information (3.8)
Note: Although electronic discovery is often considered a legal process, its use is not limited to the legal domain.
3.8
Electronically Stored Information; ESI
data or information of any kind and from any source, whose temporal existence is evidenced by being stored in or on any electronic medium
Note 1: ESI includes traditional e-mail, memos, letters, spreadsheets, databases, office documents, presentations and other electronic formats commonly found on a computer. ESI also includes system, application and file-associated metadata such as timestamps, revision history, file type, etc.
Note 2: Electronic medium can take the form of, but is not limited to, storage devices and storage elements.
[SOURCE: ISO/IEC 27040:2015, 3.16]
3.9
ESI analysis
element of an electronic discovery (3.7) process focused on evaluating Electronically Stored Information (3.8) for content and context to identify facts, relationships, key patterns, and other features that can lead to improved understanding of an ESI (3.9) corpus
Note: Content and context can include key patterns, topics, people and discussions.
3.10
ESI collection
element of an electronic discovery (3.7) process focused on gathering Electronically Stored Information (3.8) and other related material
3.11
ESI identification
element of an electronic discovery (3.7) process focused on locating potential sources and the criteria for selecting potentially relevant Electronically Stored Information (3.8)
3.12
ESI preservation
element of an electronic discovery (3.7) process focused on maintaining Electronically Stored Information (3.8) in its original or existing state
Note: In some matters or jurisdictions, there can be requirements to prevent spoliation (3.21) of Electronically Stored Information (3.8).
3.13
ESI processing
element of an electronic discovery (3.7) process focused on extracting Electronically Stored Information (3.8) and converting it, if necessary, to forms more suitable for ESI review (3.15) and ESI analysis (3.9)
3.14
ESI production
element of an electronic discovery (3.7) process focused on delivering or making available Electronically Stored Information (3.8)
Note 1: ESI production can also include getting Electronically Stored Information (3.8) in appropriate forms and using appropriate delivery mechanisms.
Note 2: ESI production can be to any person or organization.
3.15
ESI review
element of an electronic discovery (3.7) process focused on screening Electronically Stored Information (3.8) based on specific criteria
Note: In some matters or jurisdictions, Electronically Stored Information that is considered privileged can be excluded from production.
3.16
investigation
systematic or formal process of inquiring into or researching, and examining facts or materials associated with a matter
Note: Materials can take the form of hardcopy documents or Electronically Stored Information (3.8).
3.17
legal hold
process of suspending the normal disposition (3.5) or processing of records and Electronically Stored Information (3.8) as a result of current or anticipated litigation, audit, government investigation or other such matters
Note: The issued communication that implements the legal hold can also be called a “hold,” “preservation order,” “preservation notice,” “suspension order,” “freeze notice,” “hold order,” or “hold notice.”
3.18
metadata
data that defines and describes other data
[SOURCE: ISO/IEC 11179-1:2023, 3.2.26]
3.19
provenance
information that documents the origin or source of Electronically Stored Information (3.9), any changes that have taken place since it was originated, and who has had custody of it since it was originated
3.20
sanitize
render access to target data on storage media infeasible for a given level of effort
Note: Clear, purge, and destruct are actions that can be taken to sanitize storage media.
[SOURCE: ISO/IEC 27040:2015, 3.38]
3.21
spoliation
act of making or allowing a change to or destruction of Electronically Stored Information (3.8) where there is a requirement to keep it intact
Note: Spoliation can take the form of ESI destruction, corruption, or alteration of the ESI or associated metadata as well as rendering ESI unavailable (e.g. due to encryption with no access to the decryption key, loss of media, under the control of a third party, etc.).
3.22
storage
device, function, or service supporting data entry and retrieval
[SOURCE: ISO/IEC 27040:2015, 3.43]
3.23
store
record data on volatile storage or non-volatile storage
Note: Non-volatile storage refers to storage that retains its contents even after power is removed, while volatile storage refers to storage that fails to retain its contents after power is removed.
[SOURCE: ISO/IEC 27040:2015, 3.50, modified]
4 Symbols and abbreviated terms
CD compact disc
DVD digital versatile disc
EDMS electronic document management system
ERMS electronic records management system
ICT information and communications technology
NAS network attached storage
OCR optical character recognition
PII personally identifiable information
RAM random access memory
Standard: GB/T 43577.1-2023 Information security technology—Electronic discovery—Part 1: Overview and concepts (English Version)
Standard No.: GB/T 43577.1-2023
Status: valid
Language: English
Implemented on: 2024-7-1