Compliance & Standards
The standards that define trustworthy recordkeeping — DoD 5015.2, ISO 15489, and ISO 16175 — and how organizations demonstrate compliance.
Trustworthy recordkeeping is not a matter of opinion. When an auditor, a court, an inspector general, or a citizen asks whether an organization’s records can be relied upon, the answer rests on a body of published standards and requirements that define what “good” looks like — and on the evidence an organization can produce to show it meets them. Compliance and standards are the connective tissue between the abstract goal of “keeping good records” and the concrete, defensible practices that make records authentic, reliable, complete, and usable over time. They translate principles into testable criteria.
This topic sits at the intersection of policy, technology, and accountability. It answers a deceptively simple question: how do you prove that a record is what it claims to be, that it has not been altered, that it was kept as long as it should have been and no longer, and that the whole system can be trusted? The answers come from a small but influential set of frameworks — chiefly DoD 5015.2, the ISO 15489 and ISO 16175 families, and the U.S. National Archives’ Universal Electronic Records Management (ERM) Requirements — supported by the discipline of audit trails and the practice of building an audit-ready program.
What Compliance and Standards Mean in Recordkeeping
A standard is a documented, agreed-upon specification of how something should be done. In records management, standards describe the characteristics a record and a recordkeeping system must have to be trustworthy, and the functions a system must perform — capture, classification, retention, disposition, search, and protection. Compliance is the demonstrable state of conforming to those specifications, along with any laws and policies that apply to a given organization.
The distinction matters. Standards are largely voluntary descriptions of best practice; laws and regulations are mandatory. Much of the work in this field is mapping the two together: an organization is legally obligated to manage certain records, and standards supply the proven means of meeting that obligation in a way that will hold up under scrutiny. Crucially, compliance is not a one-time event. It is a continuous condition that must be designed into systems, sustained through operations, and re-demonstrated whenever someone asks.
The Governing Frameworks
Several authorities shape this landscape, each with a different scope and origin.
-
DoD 5015.2 is the long-influential U.S. Department of Defense design criteria standard for electronic records management software. For two decades it functioned as a de facto procurement benchmark across much of the U.S. federal government and beyond, defining baseline and optional requirements that records systems were tested against and certified to. Its detailed, prescriptive checklist gave agencies a common yardstick.
-
The ISO 15489 family is the international standard for records management as a discipline. Rather than specifying software features, it sets out principles and a process model: the characteristics of an authoritative record, the elements of a records program, and the responsibilities that sustain it. It is technology-neutral and applicable to any sector worldwide.
-
ISO 16175 complements this by addressing the functional requirements for managing records in digital environments. It bridges the principle-level guidance of ISO 15489 and the practical question of what a system must actually do, and it has become a widely referenced basis for system requirements internationally.
-
NARA’s Universal ERM Requirements represent a significant shift in the U.S. landscape. The National Archives and Records Administration developed a set of universal, outcome-focused electronic records management requirements, expressed in a way that can be referenced through its Federal Electronic Records Modernization Initiative. Importantly, NARA retired its longstanding endorsement of DoD 5015.2 (around 2022), signaling a move away from certifying specific software against a fixed checklist and toward defining the universal capabilities any solution should provide. Practitioners working in or with U.S. federal agencies should treat the Universal ERM Requirements as the current point of reference, while recognizing that DoD 5015.2 remains relevant within the Department of Defense and as a mature articulation of recordkeeping functionality.
These frameworks are not mutually exclusive. Many organizations read them together — using ISO for principles and program design, functional requirements standards for system specifications, and NARA’s guidance for federal obligations.
Audit Trails: The Evidence Layer
If standards define what trustworthy looks like, audit trails are how trustworthiness is proven. An audit trail is the system-generated, tamper-resistant record of actions taken on a record or within a recordkeeping system: who did what, to which item, and when. It captures creation, access, classification changes, edits, exports, and — critically — disposition events such as destruction or transfer.
Audit trails underpin several of the core qualities the standards demand. They support authenticity by linking a record to its provenance, integrity by evidencing that content has not been altered without trace, and accountability by attributing actions to identified users. Without reliable audit data, an organization may have the right records but no way to prove the system around them behaved correctly. Good practice treats audit logs as records in their own right — protected from alteration, retained appropriately, and reviewable. This is the connective theme that links the cluster’s deeper articles together.
How Compliance Fits the Records Lifecycle
Compliance is not bolted on at the end; it threads through every stage of the records lifecycle. At capture, standards require that records be reliably fixed with sufficient metadata to establish context and identity. During classification and active use, they require that records be organized, findable, and protected according to their sensitivity. Through retention, they require that records be kept for legally mandated periods. At disposition, they require that destruction or transfer be authorized, documented, and irreversible — never accidental, never premature.
The audit trail spans all of these stages, providing the continuous evidentiary thread that ties the lifecycle together. Viewed this way, compliance is less a separate activity than a quality woven into how every lifecycle function is performed and recorded.
Common Challenges and Good Practice
Organizations stumble in predictable ways. Records are scattered across systems that were never designed with recordkeeping in mind. Retention schedules exist on paper but are not enforced in technology. Metadata is inconsistent, making search and disposition unreliable. And audit data, where it exists, is incomplete or never reviewed.
Building an audit-ready program — the subject of one of this cluster’s central articles — is the antidote. The hallmarks of such a program include:
- Documented policies that map legal obligations and chosen standards to concrete practices.
- A defensible retention schedule that is actually applied, not merely published.
- Reliable metadata and classification applied consistently at capture.
- Protected, reviewable audit trails covering the full lifecycle, especially disposition.
- Periodic self-assessment so gaps are found internally before an external auditor finds them.
The unifying idea is that compliance should be demonstrable on demand. An audit-ready organization can answer “show me” — not with assertions, but with evidence.
Where the Topic Is Heading
The trajectory is away from certifying specific products against fixed checklists and toward outcome-based, universal requirements that any system — cloud, on-premises, or hybrid — can be measured against. NARA’s pivot reflects a broader recognition that recordkeeping now happens across email, collaboration platforms, messaging, and automated systems, not in a single repository. As records volumes grow and automation increasingly drives capture and disposition, the emphasis shifts from feature lists to verifiable behavior: can the organization prove, continuously and at scale, that its records remain authentic, complete, and properly governed? In that future, the organizations best positioned are those that treat compliance not as a hurdle to clear once, but as a durable, evidenced quality of how they work — anchored in standards, sustained by audit, and ready to be shown at any moment.
Articles in Standards
FERMI: The Federal Electronic Records Modernization Initiative
A plain-language guide to FERMI, NARA and OMB's effort to modernize federal electronic records management through shared standards, requirements, and acquisition tools.
ISO 30300: Management Systems for Records
ISO 30300 is the international management-system standard for records, applying a high-level management approach so recordkeeping is governed like quality or security.
The NARA Federal Records Management Self-Assessment
A plain-language guide to NARA's annual Federal records management self-assessment, including what it measures, how agencies report, and how results shape oversight.
Records Management Metrics and KPIs
A practical guide to records management metrics and KPIs, covering what to measure, how to build a balanced program, and how to tie indicators to compliance.
Trustworthy Digital Repositories: OAIS and ISO 16363
How OAIS and ISO 16363 define and audit trustworthy digital repositories that preserve authentic, usable records over the long term.
The Universal ERM Requirements: A Deep Dive
A detailed look at how NARA's Universal ERM Requirements are structured, what functional capabilities they cover, and how agencies and vendors apply them.
Building an Audit-Ready Records Program
Compliance is something you demonstrate, not just claim. Here's how to build a records program that can prove its records are trustworthy and properly managed when an auditor asks.
Audit Trails: How You Prove Recordkeeping Compliance
Standards and laws are demonstrated through evidence. Audit trails — the record of who did what to a record and when — are how an organization proves its recordkeeping is trustworthy.
ISO 15489 and ISO 16175: The International Records Standards
ISO 15489 defines the principles of records management; ISO 16175 sets functional requirements for records in digital environments. Together they frame trustworthy recordkeeping worldwide.
DoD 5015.2 Explained: The Records Management Standard
DoD 5015.2 long defined the functional requirements for U.S. government records management software and became a de facto baseline — until NARA revoked its endorsement in 2022. Here's what it covers and where it stands now.
Common questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?
- Can I just pick whichever records standard is easiest, since DoD 5015.2, ISO 15489, and ISO 16175 all basically do the same thing?
- Do I have to pay to read the official ISO 15489 standard or is it available for free?
- Do I really need to follow the NARA Universal ERM Requirements if my agency already passed an inspection a few years ago?
- Does a company in the private sector need to follow DoD 5015.2 or is it only for government agencies?
- Does buying DoD 5015.2 certified software make my organization automatically compliant?
- Does FINRA require broker-dealers to capture text messages and WhatsApp chats as business records?
- Does my agency have to meet the NARA Universal ERM Requirements by a deadline?
- How do I get a records management system certified to DoD 5015.2?
- How do I know if my records management software is actually compliant with the standards it claims to meet?
- How do regulators prove a record was altered or backdated after the fact?
Key terms
- Audit Trail
- Conformance and Certification
- DoD 5015.2-STD
- Functional Requirements
- Generally Accepted Recordkeeping Principles
- ISO 15489
- ISO 16175
- ISO 16363
- ISO 23081 Records Metadata
- ISO 30300
- Key Performance Indicator
- MoReq
- OAIS Reference Model (ISO 14721)
- Records Management Application
- Records Management Self-Assessment
- Universal Electronic Records Management Requirements