Records Management

Best Practices Guide

A Practical Approach to Building a Comprehensive and Compliant Records Management Program

Protecting and Managing

the Worlds Information.

Since 1951, Iron Mountain has been the

partner that thousands of companies
depend on to store, manage, and protect
records, media, and electronic data in any
format, for any length of time.
Today, we continue to lead the industry
as the only partner you can trust to design
and implement a comprehensive and compliant records management program. We
have more expertise, resources, experience,
proven processes, and responsive services
to meet your information management
challenges now and in the years ahead.

p. 2 | ironmountain.com

The Iron Mountain best practices initiative is a direct response to requests from our customers for guidance on:
Best-in-class compliant records management practices
Continual program improvement ideas
Government regulations that impact records and
information management
Now, more than ever, it is critical that organizations have solid records management practices in place for all media across all business units. These practices should feed into a
comprehensive and consistently applied records management master plan. Organizations
that meet and demonstrate regulatory compliance will be the ones that stand out and are
identified as the best in class, while others scramble to protect their corporate reputation
and shareholder value.
This Records Management Best Practices Guide represents the collective experiences of
hundreds of thousands of Iron Mountain customers and over fifty years of records management history. From those years of experience, records management fundamentals
have been tried and proven true, processes and workflows have been crystallized for
greater efficiencies and less exposure, and best practices have evolved to cover the many
integral aspects of proper records management. These best practices are provided here as
a practical approach to a comprehensive and compliant records management program.

C. Richard Reese
Chairman and Chief Executive Officer
Iron Mountain Incorporated

Records Management Best Practices Guide | p. 3

Table of Contents

p. 4 | ironmountain.com

Introduction
Why Do You Need Best Practices for Records Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Why Is Consistency So Important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Where Do We Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Records Management Best Practices
I. Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Identify Major Record Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Create A Universal Record Classification Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Perform Legal Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Overlay Operational Retention Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Guiding Principles of Retention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
II. Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Guiding Principles of Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
III. Access and Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Guiding Principles for Access and Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
IV. Compliance and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Guiding Principles of Compliance and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
V. Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Guiding Principles of Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Records Management Best Practices Guide | p. 5

Introduction

Why Do You Need

Best Practices for
Records Management?

p. 6 | ironmountain.com

A compliant records management program is necessary for organizations to proactively and progressively manage all data, media and information. As the number of laws and severity of
punishment governing records management continues to increase, it becomes even more paramount that organizations follow best practices for proper records management. Organizations need
to demonstrate good faith intentions to follow these best practices consistently and accurately. An
organization with a solid foundation of proven successful records management practices will:
Preserve the right information for the correct length of time
Meet legal requirements faster and more cost effectively
Control and manage records management storage and destruction fees
Demonstrate proven practices of good faith through consistent implementation
Archive vital information for business continuity and disaster recovery
Provide information in a timely and efficient manner regardless of urgency of request
Use technology to manage and improve program
Integrate policies and procedures throughout organization
Establish ownership and accountability of records management program
Arrange for continuous training and communication throughout the organization
Project an image of good faith, responsiveness and consistency
Review, audit and improve program continuously

These features must all exist as part of a compliant records management program. Independently,
each represents a good practice; as a unit, they serve as a solid foundation of best practices for
records management.

Records Management Best Practices Guide | p. 7

Introduction

(cont.)

Why Is Consistency
So Important?
There is one phrase that resonates as a theme for simple and complex aspects of compliant records
management programs:

CONSISTENCY IS EVERYTHING
Develop a single Records Retention Schedule for your organization and implement
it consistently across your enterprise.
Write Records Management Policies and Procedures and apply them consistently.
Formalize records destruction practices and destroy records consistently and systematically.

These and many other Guiding Principles of Compliant Records Management are listed after each
of the five Best Practice areas. Keep your program elements simple and consistent. Your records
management program will be judged by the consistency of its implementation, not the details of
the programs design.

p. 8 | ironmountain.com

Where Do We Start?
The early creation of an executive steering committee comprised of senior management across all
departments is instrumental to the success and implementation of a compliant records management program. By creating an active steering committee, your organization will be positioned to
proactively address the changing business climate and the ever-increasing regulatory controls for
records and information management. The Compliance & Accountability Best Practice section of
this guide will provide more information on how to organize for success.
Once your executive steering committee members have been identified, we would suggest they
each read and make sure they fully understand the best practices in this guide. We have broken the
best practices down to the following five Best Practice areas:
RETENTION
POLICIES & PROCEDURES
ACCESS & INDEXING
COMPLIANCE & ACCOUNTABILITY
DISPOSAL

For each of these Best Practice areas we have included an overview and guiding principles.

Records Management Best Practices Guide | p. 9

RECORDS
MANAGEMENT
BEST PRACTICES

I. Retention

A sound and legally compliant records

retention policy, including a Records
Retention Schedule is the foundation of
a good records management program.
This is the platform for thorough protection of organizational assets and the surest method to
avoid risk and litigation.
A Records Retention Schedule is a document that an organization uses to ensure that records are
kept only as long as legally and operationally required, and that obsolete records are disposed of in
a systematic and controlled manner. A Records Retention Schedule supports an organizations effort
to manage intellectual property, control the costs of information storage, locate and retrieve documents for legal discovery, and dispose of records at the end of their business life. Instituting a
formal and legally credible Records Retention Schedule enables an organization to meet the legal
requirements of mandated retention periods.
The Records Retention Schedule represents all records created by an organization across divisions
and functions, regardless of media type (hardcopy or electronic). Retention periods are based on
legal, regulatory, and operational requirements. The development of a legally credible Records
Retention Schedule is broken down into four activities:
Identify major record groups
Create a universal classification scheme
Perform legal research
Overlay operational retention requirements

p. 12 | ironmountain.com

IDENTIFY MAJOR RECORD GROUPS

The first step in identifying major record groups is to inven-

CREATE A UNIVERSAL
RECORD CLASSIFICATION SCHEME

tory each type of record and record keeping system within

One of the most important tasks in organizing your records

your organization. A records inventory is a complete and

is to establish a record classification scheme. A record

accurate listing of the locations and contents of your orga-

classification scheme is a grouping of records by business

nizations records whether paper or electronic. The scope

function, record class, and record type as a way of dealing

of the records inventory should extend across business

more practically with high volumes of records. Record

units, formats and systems. Conducting a records inventory

classification schemes provide a basis for making correct

is a critical first step because it not only identifies, but also

decisions about records.

quantifies all of the records created and processed by the

organization. Ultimately, the records inventory becomes the
basis for preparing the retention schedule. Until you know
what you have, it is impossible to establish any type of
records program.
Your records inventory should group records into broad
categories called record classes. These classes will form
the basis of your Records Retention Schedule. It is also critical that the organization agree at an early stage on the

Many companies can establish ten (or fewer) broad record

functions, such as Operations, Accounting, Financial, Tax,
and Legal. These top-level record functions are broken
down into record classes, which are, in turn, broken down
into record types. The following is an example:
Record Function: Accounting
Record Class: Accounts Payable
Record Types: Accounts Payable Aging Reports, Accounts
Payable Distribution Reports, Cash Disbursement Reports

commonality of terms to be used. This will ensure consistent nomenclature and usage for all aspects of the records
and information management program.

Records Management Best Practices Guide | p. 13

I. Retention

(cont.)

PERFORM LEGAL RESEARCH

It is important to conduct legal research to determine what
the retention period for each record class must be. This work
often requires the assistance of legal counsel, consultants
or external records management experts.
At a minimum, these types of legal requirements must be
considered:
Federal
State
Local
International (if relevant)
Examples of groups that issue such regulations include:
Securities Exchange Commission (SEC)
Federal Trade Commission (FTC)
Federal Communications Commission (FCC)
Environmental Protection Agency (EPA)
National Labor Relations Board (NLRB)
Internal Revenue Service (IRS)
Equal Employment Opportunity Commission (EEOC)
Occupational Safety and Health Administration (OSHA)

OVERLAY OPERATIONAL
RETENTION REQUIREMENTS
In addition to legal requirements, operational retention
requirements must also be taken into account. This is the
length of time that a record must be retained to meet
departmental, operational or user group record needs. The
final retention period should be the longer of the two.

p. 14 | ironmountain.com

GUIDING PRINCIPLES OF RETENTION

Adopt one universal Records Retention Schedule
that is applied across all business units and that
captures all the records, regardless of media, that
are created or received by the organization in the
conduct of business.

Define for each record class, the triggering event

(such as a business acquisition, merger or closing);
that must occur for a record to become inactive,
thus signaling the beginning of the retention
period count.

Create an E-mail Appropriate Retention Schedule

subset that shrinks and consolidates the available
e-mail record classes. This E-mail Appropriate
Retention Schedule simplifies the e-mail classification and archiving process for employees.

Categorize business records as either official

records or convenience copy records. The Records
Retention Schedule governs the retention period for
the official records. Convenience copy records are
typically retained for 30 days, but not longer than
one year. Convenience copy records should be
destroyed when they no longer have business value.

Support the Records Retention Schedule with legal

research that encompasses the specific federal,
state and local retention requirements that are
applicable to the organization.
Re-examine the Records Retention Schedule for
possible updates and revisions at least every two
years, in order to ensure that the classification
scheme and legal research are current.
Review and take into consideration the statutes of
limitation and limitation of actions that dictate the
period of time in which a lawsuit may be filed or
fine assessed when establishing a final retention
period for the organizations records.
Review and apply to the final retention period,
all business or operational requirements for the
retention of records.
Create a Records Retention Schedule at a record
class level that identifies broad categories representing the business functions of the organization,
rather than all-encompassing departmental
listings of records.

Put into place a process that requires employees to

classify and retain e-mails that are official records.
As part of this process, implement an automated
e-mail warning system to force employees to
review and make a decision about e-mails in their
mailbox. All e-mails that are not classified should
be purged according to a predefined schedule.
Reduce the number of records that have no ongoing
business value or usefulness in order to reduce risk
and cost. Conduct corporate-wide annual reviews of
onsite records to determine those that are no longer
active. Inactive records may be sent to off-site storage.
Identify vital or mission critical records that
are essential to protect the financial, legal, and
operational functions of the organization and its
customers, employees, and shareholders.
Establish a process to rollout and implement the
Records Retention Schedule to include initial and
ongoing training programs for all employees
within the organization.

Preserve historical documents in media-appropriate

archival conditions.

Records Management Best Practices Guide | p. 15

II. Policies and Procedures

An organizations records management

program should be supported by
policies and procedures that address
each component of the records management program in accordance with
operational and legal requirements.
An organization may have separate policies and procedures for records retention, active file
management, inactive file management, vital records, e-mail management, and any other area of
records management. Policies and procedures set standards and serve as evidence of managements support of and investment in a compliant records management program. They should
address ALL records regardless of media type, making sure to include positions on electronic records
and e-mail practices. Records management program guidelines must be consistently and universally applied. Roles and oversight responsibilities are to be
designated and defined. Policies and procedures should be
accessible and communicated clearly and consistently throughout an organization. When employed properly, they work in
conjunction with an organizations Business Continuity Plan and
Disaster Recovery Program.

p. 16 | ironmountain.com

GUIDING PRINCIPLES OF POLICIES AND PROCEDURES

Produce a single set of documented policies and
procedures governing the retention and destruction of business records and apply them
consistently.
Establish organization-wide records management
policies and procedures for records of all media types.
Establish business continuity and disaster recovery
procedures.
Determine procedures for the creation, retention,
destruction, access, and storage of electronic records.
Define and outline the handling of official versus
convenience records and active versus inactive
records.
Create and enforce a corporate-wide e-mail management policy that includes components such as:
A clear statement that e-mail content
belongs to the company
Defined limitations on personal use of e-mail
Expectations that there is no privacy of
corporate e-mail
Clear definitions of what is and is not
appropriate e-mail content
Password and encryption standards for
the company
Employee sign-off that they have read and
understood the policy
Outline records disposition policies and procedures
as an established pattern of systematic document
retention and destruction. This prohibits selective
destruction of records.
Align backup policies with e-mail retention policies.
Develop information security measures to ensure
compliance with privacy requirements.

In the event of litigation, audit, or governmental

investigation being commenced at some point in
the future, a system of holds should be assigned
to records subject to legal constraints. Records that
are under a hold order should not be destroyed
even when permitted by the organizations Records
Retention Schedule.
Institute annual organized purges of onsite records
with the intention of identifying and consequently
sending inactive records off-site to storage.
Establish an annual audit of the companys records
management program.
Define the records management related roles and
responsibilities within an organization including
those for the Steering Committee, department
managers, company employees, tax, legal, IT, and
internal audit departments, and create a position
that will be responsible for overall records management administration.
Institute storage procedures for onsite, off-site,
and electronic records.
Provide records management program employee
training on an ongoing basis and distribute the
records management program policies and
procedures to new employees.
Establish and enforce employee accountability
for the compliance of the records management
program. This can be done by including it as an
element in performance appraisals and instituting
disciplinary actions for violations.
Identify and protect vital records that are essential for the continued operation of an organization
in the event of a disaster or crisis.

Records Management Best Practices Guide | p. 17

III. Access and Indexing

The success of a records management

program hinges on the ability to access
information for business support, litigation response, or compliance reasons.
Organizations need the ability to access records by multiple indexing parameters such as subject
matter (content and context), record creator, intended recipient, date, etc. Proper indexing methods are
one of the easiest ways to recognize significant returns on investment. Well-indexed records ensure
easy access and reduced time and financial cost. Poor indexing methods will result in additional fees
and more labor expended. The inability to satisfy record retrieval requirements can result in major
fines, increased litigation, and the degradation of overall service quality within an organization.
Access and indexing are dependent on one another because records must be properly organized
to enable timely, accurate, and controlled access. Just as an index in a book directs the reader to a
specific page, a records index directs the record user to a particular place where the required
information is located. The location may be a paper or microfilm filing system or an electronic
storage location, such as a network directory or electronic document management system. Once
the record location is identified, access can be authorized by various security controls.
Storing e-mail and other electronic records on backup tapes will not meet regulatory, legal and
business access requirements. Backup tapes are designed for disaster recovery; they were never
designed for retention, legal discovery or low-cost, long term archiving of electronic records. E-mail
records should be migrated to a digital archive designed for low-cost, long term archiving. This
archive should have tools for easy searching, discovery organization and retention management.

p. 18 | ironmountain.com

GUIDING PRINCIPLES OF ACCESS AND INDEXING

All records should be indexed in a systematic
manner, by subject matter, regardless of the
storage medium or location.
Establish a consolidated records management
system that links the organizations records to its
Retention Schedule through a record classification
scheme.
Populate the record classification scheme (also
known as a taxonomy or file plan) with standard
indexing parameters to include record class code,
business function, record creator, dates, and other
applicable indexing parameters.
File paper records in filing systems and electronic
records in network directories that are categorized
by the same record classification scheme and
time period.
Identify records in all media by conducting
searches of the record classification scheme.
(See record classification scheme on page 13.)

Limit individual employee access to records unless

it is necessary in order to conduct authorized
business and is approved in accordance with established organizational practices and procedures.
Develop an annual formal review of the records
management system, record classification scheme
and centralized index to validate that structure is
consistent, accurate, appropriate and reflects any
changes in business.
Determine the suitable turnaround time for
retrieval of different categories of records for
onsite, off-site, and electronic records.
Ensure that storage of records onsite and off-site
guarantees security, consistency, accessibility,
and confidentiality.
Migrate electronic records to a digital archive that
can provide secure access to e-mails and instant
messages for regulatory, legal or future business
purposes.

Implement a proper authorization process to

ensure protection of the confidentiality of an
organizations records, maintain the confidentiality
of customers personal information, and prevent
unauthorized disclosure to third parties.

Records Management Best Practices Guide | p. 19

IV. Compliance
and Accountability

The benefits of a major investment in

an enterprise records management
program will be short-lived if employees
are not in compliance with the program
and its policies. The critical components
for compliance are organization-wide
accountability and auditing.
ORGANIZATION-WIDE ACCOUNTABILITY

AUDITING

Records ownership at every level of the organization is

To ensure compliance, the records management program

required to achieve compliance. Without senior-level spon-

should be integrated into the organizations internal

sorship and commitment, the program is bound to fail.

audit process. Key program components that should be

There must be a corporate records manager to administer

periodically audited include:

the program at a corporate level as well as a designee in

each business unit accountable for implementation in
their division. Finally, each employee should be required to
acknowledge that they have read and understood the
records management policies and procedures.

Destruction timeliness
Retention schedule accuracy with the latest
laws and regulations
Classification accuracy and completeness
Business unit compliance
Hold administration
Program training and communications delivery

p. 20 | ironmountain.com

GUIDING PRINCIPLES OF COMPLIANCE AND ACCOUNTABILITY

Establish a corporate records management program
Steering Committee comprised of a designated
records manager and representation from legal,
IT, finance, tax, human resources, and risk management, to be responsible for overseeing the records
management program, providing high-level
management, strategic insight, and oversight of
the program.
Schedule Steering Committee meetings at appropriate intervals to assess the current state of the
records management program. Specific responsibilities include providing high-level management and
oversight of the program; assuring that the records
management program is properly maintained and
updated; and recommending staff and system
resources.
Designate a Corporate Records Manager to administer the program at the business unit or department
level to facilitate accountability throughout the
entire organization.

Regularly communicate records management

program information to employees via a company
newsletter and use of an Intranet site.
Introduce measures of performance related to
consistent retention and destruction of records,
both paper and electronic.
Include records management as part of the
companys internal audit process to ensure that
consistency, compliance, and legal requirements
are met.
Audit compliance adherence to corporate electronic
records, e-mail retention and deletion policies by
involving the IT department.
Create a records management acknowledgement
program that requires employees to sign a document confirming their receipt of training and
understanding of records management policies
and procedures.

Support the records management function with

the appropriate resources and experts internally
and externally.

Records Management Best Practices Guide | p. 21

V. Disposal

Consistent disposal practices provide

retention and regulatory compliance
and decrease corporate risk when
conducted in accordance with an
approved Records Retention Schedule.
An established pattern of systematic records retention and disposition serves as evidence of an
organizations good faith in attempting to conform to the law. Haphazard patterns of records
disposal may appear suspicious and can suggest that unfavorable or embarrassing records were
destroyed intentionally.
Records disposition should be an inherent element of an organizations overall records management program and should cover both active and inactive records. Standard policies should be set at
the corporate not department level and be reviewed by legal and compliance professionals.
The implementation of the policies should be treated as a consistent process, not an event, because
they will need to keep pace with organization growth and regulatory changes.
Upon expiration of a records required retention period, all records identified as eligible should be
approved for destruction unless there is a legitimate business reason to postpone that destruction.
The official version or record copy of a particular record should be maintained for the longest
approved retention period subscribed in the Records Retention Schedule. Any unofficial or convenience copy of a record may be destroyed once it has met the business need for which it was kept.
For example, the official version of an expense report may be required for the completion of an
organizations tax audit. However, specific departments or individuals may keep copies within their
offices for convenience. Once the need for those convenience copies is complete, those versions of
the record may be destroyed.

p. 22 | ironmountain.com

Records that are subject to litigation, government investigation, or audit cannot be destroyed even when permitted
by the Records Retention Schedule. Procedures should be in
place stating that the destruction of relevant records must
be temporarily halted until such time as official notification
is provided that destruction can resume. Documentation of
records disposal should state the records information and
when such records were disposed. Proper and regular disposal of records reduces storage and labor costs associated
with unnecessary maintenance of records retained past
their retention requirements.
The proliferation of privacy laws, in the United States and in
other global jurisdictions, is impacting the way in which
companies conduct business, especially in how they protect
records. The protection of such records includes requirements for secure destruction. An organization should
develop and implement a special program for confidential
records destruction. This is especially critical regarding vital
organization information, such as sensitive internal documents, patents, proprietary and trade secrets. The program
Non-confidential records may be disposed of by using a
variety of recycling methods. However, confidential
records should always be securely shredded to ensure
that there is no risk to the organization from the possible release of confidential information.
should ensure that there are consistently applied procedures for properly identifying and disposing of confidential
records once they are no longer needed. The program
should be communicated and assessed throughout the
entire organization.

Records Management Best Practices Guide | p. 23

V. Disposal

(cont.)

GUIDING PRINCIPLES OF DISPOSAL

Determine appropriate method of disposal by
records class or media type.
Institute a consistent and secure system for the
disposal of records in accordance with an approved
Records Retention Schedule.
Develop disposal procedures that demonstrate
authorization, adherence to confidentiality and
security requirements, and recognition of suspended records or those on hold.
Distribute to necessary parties for their review all
records pending disposal according to the organizations Records Retention Schedule and ensure that
authorization for disposal is confirmed.
Classify as confidential and securely shred any
records that contain personally identifiable information about individual customers or employees.
Some examples of this data include social security
numbers, date of birth, bank account information,
Personal Identification Numbers, passwords, drug
prescription information, mothers maiden names,
etc. Any records that contain personal information
should be classified as confidential and shredded
to protect the privacy of employees, shareholders,
customers, patients and other individuals. This will
also protect the organization from liability.

p. 24 | ironmountain.com

Ensure that employees are aware that premature

destruction of records is expressly prohibited, and
if intentional, may result in disciplinary action, up
to and including termination of employment and
possible civil or criminal liability.
Review all official records that have fulfilled their
retention period to ensure that their destruction
complies with the standard policy and procedures
and that the records are free of all retention holds.
Discard, once they have fulfilled their purpose,
any unofficial records. Draft documents should be
disposed of as soon as they have been superseded
by an official version.
Under no circumstance should duplicates or drafts
(unofficial records) be retained longer than the
official versions of the records. When records are
approved for destruction, all copies in the possession of employees in all media and formats must
also be discarded.

 Suspend all regularly scheduled destruction of

relevant records (including e-mail records) when it
becomes clear that there is a possibility of litigation, audit, or governmental investigation being
commenced at some point in the future by or
against an organization. In order to prevent these
records from being inadvertently destroyed, a
system of holds should be assigned to records
subject to these legal constraints. Records that are
under a hold order cannot be destroyed even
when permitted by an organizations Records
Retention Schedule. Give departments review
deadlines from the date of receipt of the report of
records eligible for destruction and Department
Managers should provide justification why specific
records should not be destroyed.
Review destruction reports periodically that list
records at off-site storage vendors that are eligible
for destruction. Tax, Legal, Accounting, Internal
Audit, Risk Management, and Regulatory Compliance departments should also review the listings.
At a minimum, this should be done annually.

Maintain a final destruction listing report that lists

record identification number, destroy dates, and
who authorized the destruction.
Institute consistent and appropriate disposal
practices for records residing at both onsite and
off-site locations.
Migrate e-mail and instant message records to a
digital archive that is designed to apply the Records
Retention Schedule to the stored electronic records,
and purge them at the end of their retention period.
Review records documenting the organizations
past, its development, significant events, and
key personnel to determine if they should be
designated as historical records to be maintained
in an organizational archive rather than destroyed
when the legal and operational retention period
has expired.

Records Management Best Practices Guide | p. 25

Conclusion

The need for compliant records

management best practices is
demonstrated daily in all businesses.
The escalating fines to organizations cited for poor corporate record keeping are a testament
to the fact that compliant records management is no longer optional. A program must contain a
proactive approach for management of all of the five Best Practice areas Retention, Policies &
Procedures, Access & Indexing, Compliance & Accountability, and Disposal. These areas need to be
managed consistently and effectively. Organizations are now judged on the implementation of
their records management programs and they must strive to demonstrate good faith efforts
across all aspects of records management.
A compliant records management program must demonstrate the key elements of consistency,
accountability, adoption and accessibility. These elements must be audited and updated consistently over the lifespan of the business.
These best practices and guiding principles provide the foundation for driving existing programs
from sub-standard to stellar. Mediocre plans and processes do not constitute compliant
records management programs. By striving to achieve excellence one step at a time in each of
the five Best Practice areas of records management, a comprehensive and compliant program can
be implemented.
With over 50 years of experience in the field, Iron Mountain is the partner more companies trust
worldwide to design and implement a comprehensive and compliant records management program.

p. 26 | ironmountain.com

IRON MOUNTAIN SERVICES

RECORDS MANAGEMENT
Iron Mountain provides compliant records management
solutions to manage and protect your information assets.
Our records management programs ensure that your business
records are secure and easily accessible. We offer specialized
services tailored to your unique needs.
SECURE SHREDDING
Given the confidential nature of business records, its important
to ensure complete destruction. Our secure shredding services
help you to protect the privacy of your company, employees
and customers.
DIGITAL ARCHIVING
Our Digital Archive service group offers compliance and records
management solutions for todays leading organizations. We
provide SEC-compliant digital archiving, supervision and data
restoration and electronic discovery support services. With our
extensive records management expertise we can help institute
a comprehensive and compliant records management solution.
DATA PROTECTION
Whether physically transporting and vaulting your backup
tapes at one of our secure facilities or backing up your data
through a secure Internet connection with Electronic Vaulting,
our comprehensive data protection and disaster recovery services
place your information off-site, off-line and out-of-reach; yet the
data is accessible whenever and wherever you need it.
VITAL BUSINESS RECORDS
Our climate-controlled, secure facilities are designed to
protect irreplaceable documents like original deeds, wills,
trusts, contracts, patents, and other notarized and certified
records for you.
CONSULTING
Todays business world demands that companies follow sound,
consistently applied records management practices. Let our
consulting professionals review your current records management
program, help you determine which records you need to retain,
and create an appropriate retention schedule and records
classification program for each.

The Records Management Best Practices Guide is published by Iron Mountain. Copyright 2005 Iron Mountain. Iron Mountain and the design of
the mountain are registered trademarks of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their

745 Atlantic Avenue

respective owners. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, in any form or by any

Boston, Massachusetts 02111

means. Advice is given in general. Readers should consult professional counsel for specific legal or ethical questions. 1/2005

(800) 899-IRON

Iron Mountain operates in major markets worldwide, serving thousands

of customers throughout the U.S., Europe, Canada, and Latin America.
For more information, visit our Web site at www.ironmountain.com
US-RM-CR-400-05-001

(800) 899-IRON www.ironmountain.com