ISO 27038:2014

Specification for digital redaction

Book a demo

silhouette,of,startup,business,team.,meeting,on,the,couch.,big

What is ISO 27038?

ISO/IEC 27038 outlines the features of digital redaction approaches. ISO 27038, released in 2014, also defines criteria for software redaction tools and for completing testing procedures securely.

Sometimes, you may have to disclose information to third parties, or even to the public, for purposes such as disclosure of official records under Free Access Law or as evidence in legal matters or court proceedings. However, ISO 27038 does not provide data database revision. Databases count as ‘units of recorded information,’ but they are expressly exempt from the standard’s scope.

What is digital redaction?

Redaction is the method of removing material from a document before release. In the legal context, the use of redaction is to delete sensitive, proprietary or protected information from records before filing with the court, or otherwise, make it available for viewing outside the office. An organisation can also use redaction to delete metadata or material (e.g. images) imported into a document.

ISO 27038 describes redaction as the permanent removal of information inside a document where the document is officially defined as recorded information and considered as a unit. Definitions are essential since these words also mean other things in other contexts and general use. Later in the standard, redaction is extended to include not only removing sensitive information but also showing where the removed material is if required.

When considered unacceptable to reveal sensitive details inside a document, the organisation must safely delete the information before publication. Examples of this include the names or locations of individuals that must stay anonymous and various other personal or proprietary records that must remain strictly confidential.

Considering redaction is typically vital in protecting highly sensitive information. Errors in the process leading to unauthorised disclosure of data are serious. Redaction deficiencies led to events such as identity theft, exposure of sensitive security concerns, violations of privacy and, in some extreme cases, exposing the identity of undercover agents and informants. In contrast, disclosure of trade secrets may be highly costly in a commercial context. To those considered liable, at least, redaction errors can be humiliating.

It helps drive our behaviour in a positive way that works for us
& our culture.

Emmie Cooney
Operations Manager, Amigo

Book your demo

We started off using spreadsheets and it was a nightmare. With the ISMS.online solution, all the hard work was made easy.
Perry Bowles
Technical Director ZIPTECH
100% of our users pass certification first time
Book your demo

What are the information security risks associated with digital redaction?

There are several data security risks related to digital redaction. One of these threats is the failure to make the redacted information irreversible. This may be due to a variety of factors, such as neglecting to rewrite sensitive data or removing sensitive information only in part. By leaving the data remnants, it can enable redacted information to be retrieved. The use of incorrect or inadequate technological redaction methods, such as the unsubtle alteration of records, also poses data risks. Rather than permanently removing sensitive data, using techniques which can be or otherwise reversed, defeats the purpose of redacting the sensitive information as it can still be discovered.

Another vulnerability involving redaction is over-reliance on retouching, pixelating or using other similar techniques of obfuscation to mask sections of images. These techniques are often used to protect personal privacy. By using deconvolution and different, less sophisticated transformation approaches, enough of the original information can be restored to allow recognition. But in the other extreme, excessive or improper editing may also increase the security risk for an organisation. Removing more than just particular sensitive things that were supposed to have been written or done so clumsily could unintentionally change the meaning of the residual data as a consequence of contextual issues.

Incorrectly rewriting information may lead to leakage or an unintentional breach of data. Examples of this behaviour include:

  • Failure to correctly specify all confidential data that needs to be redacted
  • Mistakenly leaving any versions of the personal data wholly or partly exposed
  • Inability to differentiate all redacted data against non-redacted information
  • Leaving ample data in the file to allow recipients to deduce sensitive data

An over-reliance on redaction may also pose an information security risk. Believing that it is sufficient to keep sensitive data fully confidential under all cases, while technological and process errors are inevitable and accidents often occur. Conversely, putting zero dependencies on writing, thinking that it is incapable of defending sensitive information, can also increase your risk.

Redaction may also contribute to information security problems that are unintentional or peripheral to the process itself. Instances of this are:

  • Sending the original files, the editing notes, the unedited contents or even the unedited documents to the incorrect recipients.
  • Disclosure of unwritten versions of the file, both at the same time and by the same method of disclosure or separately.
  • Exposing or leaking unreleased documents without authorisation.
  • Disclosure, unintentionally or knowingly, of redacted data by other than the release of digital information.

These instances can cause harm to the credibility of an organisation or the initial unwritten files.

See our platform features in action

A tailored hands-on session based on your needs and goals

Book your demo

How does ISO 27038 mitigate these risks?

Although the ISO 27038 standard has a limited scope, the risks it addresses are significant, and many of the controls are technically as well as procedurally sophisticated. Like other ISO27k standards, ISO 27038 does not seek to cover in-depth all the vagaries of the editorial process but offers sound generic and high-level guidance.

What are the benefits of digital redaction?

Digital redaction technology has been around for many years now to revise confidential text from any document in PDF format electronically. A variety of software programmes have this feature. Despite this and as organisations are creating and transmitting a growing amount of digitally produced documents, some are still using manual paper redaction methods.

In many cases, this involves printing a document, manually removing confidential information with ink or tape, photocopying the record, and then downloading the document back to the system. With these tools available, why are some companies still using manual redaction?

Some companies are not aware that redaction technologies exist because they’ve been too busy to keep updated with technical developments. Some companies believe they don’t have time to explore their application options, so they keep doing what they’re used to doing. Other companies assume that the software is inaccurate and that written knowledge and metadata would somehow be uncoverable and increase their risk appetite. Whereas others are aware of this software, but they don’t think they can afford it.

The resulting redactions are more accurate because they do not rely on human beings to locate sensitive and privileged information. Digital redactions are usually quicker than manually editing a text.

It’s easier to label and erase text with simple mouse strokes than to put tape or black ink covering classified data. They can change hundreds of pages of writing in a fraction of the time required to rewrite the same amount manually.

As well as this, digital redaction is a substantial cost-saving method. It saves money from a firm in resources and in staff time. Instead of wasting hours performing a very administrative job, digital redaction can free workers up to perform more substantive work.

In several ways, this digital process is superior to any paper procedure. Digital editing is much more effective. Since all PDF applications with a Redaction feature have search capabilities, users can search for sensitive details, such as account numbers, and particular phrases.

ISMS.online makes setting up and managing your ISMS as easy as it can get.

Peter Risdon
CISO, Viital

Book your demo

Find out just how affordable your ISMS could be

Who can implement ISO 27038?

ISO 27038 applies to every organisation exchanging sensitive information externally. For example, when sharing an information security policy outside the company, any confidential information that it contains should be redacted before release. The standard incorporates two editorial levels:

  • Basic redaction — context isn’t considered
  • Enhanced redaction — context is considered

This distinction makes ISO 27038 crucial to many organisations in all sectors.

Demonstrating Good Practice for ISO 27038

Whereas the ISO specification guidelines usually use “shall” solely to denote mandatory conditions, ISO 27038 often uses “should” in places and offers clarification above and beyond the formal specifications. In practice, this makes it easier for users to grasp and implement the standard, but more challenging to verify and enforce compliance, if ever anticipated.

The standard, however, doesn’t say anything about the overall management of the redaction process. Instead, ISO 27038 defines what needs to be written, why, how and by whom, or assessing and how to handle risks in a given redaction situation. The standard also discusses security measures that need to be applied to or connected with the process, for example preventing the improper release or clarification of unwritten contents.

ISO/IEC 27038 requirements

ISO 27038 is composed of 9 clauses and one annex.

Clause 1: Scope

Clause 2: Terms and definitions

Clause 3: Symbols and abbreviated terms

Clause 4: General principles of digital redaction

  • 4.1 Introduction
  • 4.2 Anonymization

Clause 5: Requirements

  • 5.1 Overview
  • 5.2 Redaction principles

Clause 6: Redaction processes

  • 6.1 Introduction
  • 6.2 Paper intermediaries
  • 6.3 Digital image intermediaries
  • 6.4 Simple digital redaction
  • 6.5 Complex digital redaction
  • 6.6 Contextual information

Clause 7: Keeping records of redaction work

Clause 8: Characteristics of software redaction tools

Clause 9: Requirements for redaction testing

Annex A: Redacting of PDF documents

Book your demo

See how simple
it is with
ISMS.online

Book a tailored hands-on session based on your needs and goals.

Book your demo

See how our simple, powerful platform works

Explore other standards within the ISO 27k family

  • 1The ISO 27000 family
  • 2ISO 27002
  • 3ISO 27003
  • 4ISO 27004
  • 5ISO 27005
  • 6ISO 27008
  • 7ISO 27009
  • 8ISO 27010
  • 9ISO 27014
  • 11ISO 27013
  • 12ISO 27016
  • 13ISO 27017
  • 14ISO 27018
  • 15ISO 27019
  • 16ISO 27038
  • 17ISO 27039
  • 18ISO 27040
  • 19ISO 27050
  • 20ISO 27102

100% of our users achieve ISO 27001 certification first time

Start your journey today
See how we can help you

Explore ISMS.online's platform with a self-guided tour - Start Now