Tag Archives: document

Paperless and the Mobile

Just recently I have spent some time reading various articles and comments stating that the mobile phone can assist and is also used as a paperless office.

I must admit this statement makes me “shudder with horror”

I know you might say that the development of the mobile phone has helped with the general progression of the paperless system and you would be correct to state this, but in the next sentence the mobile phone has assisted the development of all most general gadgetry products that we used on a day to day basis.

If we are stating that the mobile phone is been used as a paperless office in what contents do we mean, looking and reading the articles it’s seems to be in the areas of convenience with regards to booking tickets and also paying bills through paperless transactions, this I would agree, but this is nothing new and we have been using this technology for some time now.

So what else could we be using this for with regards to the paperless office we must remember these are stating that your mobile can be your office.

We have things like apps for scanning so your mobile can scan any documentation , we all so have apps which are claiming to be paperless management documentation systems that you can down load into your mobile, we also have scribed I paper, which lets you down load individual documents into your phone and stores them into a file we also have programmes like OCR  (Optical Character Recognition) or Read Iris Pro which you can down load into your mobile read and view documents as and when required.

I suppose all these things are heading into the right direction and are assisting the development of the paperless system, I just have concerns that the general public believe that you could run your office from your mobile phone.

If you had to put your hand on your hart, could you realistically say that this is possible and is a realistic solution to a paperless office.

What I do like about the mobile industry is that it has been a great benchmarking product for the future of the paperless system, and we have to be gratefully that the general public are so fickle that they must have the latest and fastest technology that paves the way for development and progressive solutions that can be adapted to adjoining technologies within the paperless system.

 I could state that the advertising study that I carried out some time ago with Bradford University was correct, in that the terminology of the wording “Paperless Office” should be used with caution.

My personal belief this that this does not help the progressive development of the paperless office, it may assist the progressive development of paperless solutions which can help us in general termsc and that is a good thing to have as I have so many times stated that we must perceive the customer users perception  and not the technologies perception.

E Paper Vs the Computer

Frage eines Standbesuchers "Läuft Wikiped...

Image via Wikipedia

There has been one thing that I have wondered about, when looking at the development of E Paper , will it replace the computer, does it want to replace the computer and will it be allowed to replace the computer.

 Looking at the development of E Paper one would assume that in the beginning this was to assist the resolution and readability of the computer screen back in the 1970s.

If we view the facts so far with regards to the development,  E Paper has been developed  as a viewing and reading tablet and a device that you can down load or transfer reading material , in general terms thats it.

In non technical terms E paper could be a tablet that has selected software parameters and is designed with a flexible material to give the feeling that it has paper properties.

 So with these observations will the E Paper be a competitor to the PC!!

I generally don’t think so, but with my next breath I hope they do not over engineer this fantastic opportunity, coming from an engineering back ground we try to make things simple and easy to design, it should be said that I hope it finds it place within this technological media and also the work place.

In my other posts I have blown caution to the wind and stated that this may have already happened, let’s keep it simple, design it for its purpose.

Would we be right to assume that the computer and E Paper will both have a rightful place weather it’s for social media or within the work place hopefully both will be able to work along side each other.

The basic legalities of scanned documents

Does a scanned document stand up in court?

In comparison to paper documents, the issues for electronic documents actually seem to rest on how much integrity they have in terms of ‘pedigree’ and authenticity rather than their admissibility. Courts and governing bodies now accept that electronic filing is normal procedure for many companies, and they fully accept electronic documents as evidence or supporting material so long as companies can prove that they’ve taken the appropriate measures to ensure their integrity.

The Basis in Law

The Civil Evidence Act 1995 is perhaps the most relevant point of law to address in relation to electronic documents. Its legacy is to take the onus off the question of physical admissibility, instead examining the actual weight carried by the electronic evidence submitted. The evidential value is then determined by the procedures followed by the company presenting the documents. To put is simply, if a company submits a document that has clearly been unaltered since its creation or which brings with it a clear audit trail that categorises any changes made to it along the way, then that holds for more evidential value than a document that could possibly have been amended in the interim. Simple procedures ensure document integrity for a company looking to move towards an electronic filing system.

Sections 8 and 9 of the Civil Evidence Act 1995 illustrate the legal guidelines for electronic documents as evidence:

8 (1) Where a statement contained in a document is admissible as evidence in civil proceedings, it may be proved;

(a) by the production of that document, or

(b) whether or not that document is still in existence, by the production of a copy of that document or of the material part of it, authenticated is such a manner as the court may approve.

(2) It is immaterial for this purpose how many removes there are between a copy and an original.

9 (1) A document that is shown to form a part of the records of a business or a public authority may be received in evidence in civil proceedings without an further proof

(2) A document should be taken to form part of the records of a business or public authority if there is produced to a court a certificate to that effect signed either by an officer of the business or authority to which the records belong.

Essentially, this law may be interpreted to show that an original document is not the only admissible evidence in civil courts. Electronic copies of documents are acceptable so long as their integrity can be proved. Criminal courts involve a more complex set of guidelines, and business with concerns about compliance in this area should check with a specialist lawyer.

Scanned documents and HM Customs & Excise

 What about the VAT

At present, the law makes no distinction between electronic or paper records. As a result, Customs & Excise simply refer to ‘records’ in their guidelines – whether a business keeps their records on paper or electronically makes little difference.

They do, however, insist that you inform them of the format you use for your records.

Section 5.4 of VAT Notice 700/21 reads as follows:

If you keep all or part of your records and accounts on a computer, you must make sure that you can meet your legal obligations to:

  • Account for VAT properly
  • Provide information to us whenever we visit you; and
  • Keep records in the required detail for the required length of time

In practical terms, a business should therefore advise their local VAT office that they wish to store scanned documents copies of all their records in ‘format X’ (either TIF or PDF format), and that those records will be held within ‘document management system

Customs & Excise do not recommend any particular software packages of file formats and at present an acceptable standard has not been precisely defined, but ‘may be taken to mean that all details on the reproduced documents are clear and legible’, which enables fairly broad interpretation.

By also following the Code of the British Standard BSI DISC PD0008 in addition to the requirements of Customs & Excise, a company can take the best precautions available to ensure that their records are acceptable for a VAT inspection.

Timescales for Record Keeping

The general requirement for record keeping is a period dating back at least 6 years. For many companies, keeping paper records for so long is fraught with difficulties. By agreement with the Commissioners, this time limit requirement may have a degree of flexibility. It could be noted, though, that if a company uses electronic filing, then the 6 year timescale is of little consequence.

One important consideration for Customs & Excise is their requirement that any original paper invoices must be retained for a period of no less than one VAT period. This would ensure that the current VAT return can be verified using original documentation. Depending on the nature of the company’s accounting pattern, this period is either 1 month, 3 months or 1 year in length.

After this time and submission of the return in question, the company can then consign those accounting records to electronic filing in confidence.

Scanned documents and the Inland Revenue

Not a world away from the requirements of Customs and Excise, the Inland Revenue has adopted a fairly flexible view of records stored electronically, based on the same grounds that the law does not at present differentiate between paper and electronic documents.

Set out in Tax Bulletin 37, the Revenue provides the following guidelines:

Records may be preserved on optical imaging systems, and the originals discarded, provided that what is retained in digital form represents a complete and unaltered image of the underlying paper document. We are now able to go further: Both in the case of companies and unincorporated businesses we can accept other methods which preserve the information in the record in a different form. This is so long as those methods capture all the information needed to demonstrate that a complete and correct tax return has been made and are capable of yielding up that information in a legible form.

They go on to confirm that some material, such as a company’s standard terms and conditions of sale, is not required to be retained for tax purposes. However, exactly what material should be retained and what can be discarded should be checked thoroughly with a tax adviser as regulations differ across industries.

In this Tax Bulletin, the Inland Revenue also makes the important acknowledgement that companies complying with the British Standard BSI DISC PD0008 will automatically satisfy the tax requirements for keeping electronic records.

At present, under the terms of the Companies Act, for most companies the timescales that the Revenue requires material to be retained is set at 6 years from the end of an accounting period. In cases of investigation or late return submission, then this period will extend accordingly. Once again, electronic records management is by for the easiest method of storage for convenience and space-saving benefits.

Paperless and the Civil Evidence Act 1995

We all can agree that the concept of the paperless office is becoming a reality as more systems and programs are been designed but do we have to consider the legal and compliance requirements when thinking about preparing for a paperless system.

The answer is yes we do, but unfortunately there is not a yes and no situation in how you design this, as you can appreciate companies and organizations will have different system and processes .The self employed person with a small company will not have to worry about this area, the main area is the items that we would recommend not to copy or transfer into a electronic document.

If we look at the Civil Evidence Act 1995, you could be right in assuming that this is really for the laws, courts and soliciting professions and in most cases this will be the case.

How can this Act assist the paperless system, the main area is that if you want to introduce a paperless system, transferring paper into a electronic document may have to follow certain guidelines. The problem with this is not that you can not copy paper documents in to electronic documents but it’s the area of integrity and authenticity, i.e. proof that it has not been tampered with and that it still retains its integrity as an original record.

We must also remember that at this point that they are so many ISO and BSI rules and guidelines that certain areas will cross over into each sections so therefore compliance can be covered from one guide line to another.

Most of the information will tell you that the guidelines are set out in BSI DISC PD0008, the British Standard (see older post) which relates to the Legal Admissibility of Evidential Information Stored Electronically. It provides a framework and guidelines that identify key areas of good practice

So in real terms what are the guide lines, Audit data requirements, Access control considerations, Interface requirements and backup obligations?

In very English terms it’s the Big Brother of the office, all documents are traced and tracked so if any printing, scanning and copying happens to a document it can be traceable and auditable.

So how is this connected to the paperless system and how does it assist this concept the main question you have to answer is? What is the original documents in the first place, is it an electronic transaction or a paper document that will have to be scanned.

To place this act in any category with the paperless system there are many areas to take into account and Audit trails are one of them. So if one of the answer is that the original document is presented in an electronic form then this has crossed over, to what you could say is a start of the paperless system to what degree do you conduct this audit system, This is really dependant to the type of business you control.

I do believe that every small business should have a basic audit program, we are not talking about the expensive and complicated bespoke systems, but to have a simple system within your structure is a good house keeping practice.

I have placed a few links, showing the basic systems which are designed for the smaller organization and Equitrac is probably a system that is used for the bigger and more professional organizations.





We still must remember that the audit trail is only a small part of the act and all other sections must be taken into account.

The other areas will be posted later in the same category.

ISO 27001

ISO/IEC 27001:2005 Information technology — Security techniques — Specification for an Information Security Management System

ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).

ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks.  It does not mandate specific information security controls but stops at the level of the management system.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals. 

This is clearly a very wide brief.

Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement.  An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system. 

According to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 “is intended to be suitable for several different types of use, including:

  • Use within organizations to formulate security requirements and objectives;
  • Use within organizations as a way to ensure that security risks are cost-effectively managed;
  • Use within organizations to ensure compliance with laws and regulations;
  • Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • The definition of new information security management processes;
  • Identification and clarification of existing information security management processes;
  • Use by the management of organizations to determine the status of information security management activities;
  • Use by the internal and external auditors of organizations to demonstrate the information security policies, directives and standards adopted by an organization and determine the degree of compliance with those policies, directives and standards;
  • Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations that they interact with for operational or commercial reasons;
  • Implementation of a business enabling information security; and
  • Use by organizations to provide relevant information about information security to customers.”

Structure and content of ISO/IEC 27001

ISO/IEC 27001:2005 has the following sections:

0 Introduction – the standard uses a process approach.

1 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.

Normative references – only ISO/IEC 27002:2005 is considered absolutely essential to the use of ’27001.

 3 Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.

4 Information security management system – the ‘guts’ of the standard, based on the Plan-Do-Check-Act cycle where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS.  Also specifies certain specific documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS (e.g. certification audit purposes).

5 Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.

6 Internal ISMS audits – the organization must conduct periodic internal audits to ensure the ISMS incorporate adequate controls which operate effectively.

7 Management review of the ISMS – management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.

8 ISMS improvements – the organization must continually improve the ISMS by assessing and where necessary making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.

Annex A – Control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).

Annex B – OECD principles and this International Standard – a table briefly showing which parts of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.

Annex C – Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard – the standard shares the same basic structure of other management systems standards, meaning that an organization which implements any one should be familiar with concepts such as PDCA, records and audits.

Mandatory requirements for certification

ISO/IEC 27001 is written as a formalized specification such that accredited certification auditors are meant to be able to use the standard as a formal description of items that their clients must have in order to be certified compliant. It does indeed specify certain mandatory documents explicitly. 

However, in other areas it is vaguer and, in practice, other documents are commonly demanded, including certain items which provide the auditors with evidence or proof that the ISMS are operating. 

Organizations can specify the scope of their ISO/IEC 27001 certification as broadly or as narrowly as they wish.  Understanding the scoping documents plus Statements of Applicability (SoA) is therefore crucial if one intends to attach any meaning to the certificates.  If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says nothing about the state of information security in “Acme Ltd. Department Y” or “Acme Ltd.” as a whole. 

Similarly, if the SoA asserts that antivirus controls are not necessary for some reason, the certification body will doubtless have checked that assertion but will not have certified the antivirus controls – in fact, they may not have assessed any technical controls since ISO/IEC 27001 is primarily a management system standard, so compliance requires the organization to have a suite of management controls in place but does not necessarily require specific information security controls.

Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about information security. 

Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval (which is an advantage in security awareness terms, at least!).

The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to information security without the necessity of conducting their own security reviews.

ISO 17799 Background

Background and Overview of ISO 17799/27001(27001)

Sound information security is the cornerstone of sensible corporate governance. The emergence of an international standard to support this was perhaps, inevitable.

However, it took until the second half of the 1990’s for this process to really take shape.

ISO 17799 is often used as a generic term to describe what actually is two different documents they are: ISO17799 (aka ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS7799-2), which is a standard ‘specification’ for an Information Security Management System (an ISMS).

Before the international information security standard known as ISO 17799, there was the preceding British Standard BS7799, published by the British Standards Institute (BSI).

The original BS 7799 had two parts. BS 7799 Part1 – Code of practice for informationsecurity management – established the overall requirements for an information securityprogram by breaking security into ten separate topic domains.           

BS 7799-1 was eventually adopted as the first international standard for information Security.

ISO 17799:2000. BS 7799 Part 2, entitled Information security management systems — Specification with guidance for use, was designed to allow an organization tobecome certified that it was following the techniques defined in Part 1 of the standard.        

Within Great Britain and around Europe hundreds of organizations became certifiedagainst BS7799. Up until last year, if an organization wished to become “certified” itcould only be done against the British Standard BS7799.

In 2005, the International Organization for Standardization (ISO) took two important steps relating to information security. First, it updated ISO 17799:2000 and called it ISO17799:2005”) Second, it adopted the part 2 of BS7799 and released it as ISO/IEC 27001:

Information technology — Security techniques— Information security management systems — Requirements.. For the first time, organizations can get certified against the ISO 17799:2005 standard.

By definition, ISO 17799:2005 and ISO 27001 are designed to be used by any organization in any industry. However, many smaller organizations may have troublemeeting some of the requirements of ISMS due to limited manpower and resources.

Basically, ISO 27001 sets out the requirements for how an organization can implement the security requirements of ISO 17799:2005. According to ISO 27001

“This International Standard has been prepared to provide a model for establishing,implementing, operating, monitoring, reviewing, maintaining and improving ,an Information Security Management System (ISMS).” According to the Standard, an ISMS is defined as

 “The management system includes organizational structure, policies, planningactivities, responsibilities, practices, procedures, processes and resources.”

In other words, the ISMS encompasses your entire information security program,including its relation to other parts of the organization.

While ISO 27001 does not provide a complete prescription for a proper information security program it does list the various organizational  ,functions required for certification.

eReader File,Format (Matrix)

Hardware Reader  Plain text PDF ePub HTML Mobi- Pocket Fiction- Book DjVu
Amazon Kindle 2, DX   Y   Y   N    N     Y      N   N
Amazon Kindle 3    Y   Y    N     Y     Y      N   N
Android Devices    Y   Y    Y    Y     Y     Y   Y
Apple iPad    Y   Y    Y    Y     Y     Y   Y
Azbooka WISEreader    Y  N    Y    Y     Y     Y   N
Barnes & Noble Nook    Y   Y    Y     N     N     N   N
Bookeen Cybook Gen3, Opus     Y   Y    Y      Y     Y     Y    N
COOL-ER Classic     Y   Y    Y       Y     Y      Y    N
Foxit eSlick     Y   Y    Y     N     N     N    N
Hanlin e-Reader V3    Y   Y    Y    Y      Y     Y    Y
Hanvon WISEreader    Y    Y    Y    Y     N     N   N
iRex iLiad    Y    Y    Y    N     Y     N   Y
Iriver Story    Y    Y   Y     N     N     N     Y
Kobo eReader    N   Y   Y    N     N     N    N
Nokia N900    Y   Y    Y    Y     Y     Y   Y
NUUTbook 2    Y   Y   Y   N    N    N   N
OLPC XO, Sugar    Y   Y    Y    Y    N    N   Y
Onyx Boox 60    Y   Y   Y    Y     Y    Y   Y
Pocketbook 301 Plus, 302, 360°    Y  Y   Y    Y    Y    Y   Y
Sony Reader    Y  Y   Y   N    N    N   N
Viewsonic VEB612     Y  Y    Y    Y    Y     N   N
Hardware Reader  Broadband eBook eReader Kindle WOLF Tome Raider Open eBook              
Amazon Kindle 2, DX N N Y N N N              
Amazon Kindle 3 N N Y N N N              
Android Devices N Y Y N Y Y              
Apple iPad N Y Y N Y Y              
Azbooka WISEreader N N N N N N              
Barnes & Noble Nook N Y N N N N              
Bookeen Cybook Gen3, Opus N N N N N Y              
COOL-ER N N N N N N              
Foxit eSlick N Y N N N N              
Hanlin e-Reader V3 N N N Y N N              
Hanvon WISEreader N N N N N N              
iRex iLiad N N N N N N              
Iriver Story N N N N N N              
Kobo eReader N N N N N N              
Nokia N900 N N N N N Y              
NUUTbook 2 N N N N N N              
OLPC XO, Sugar N N N N N N              
Onyx Boox 60 N N N N N N              
Pocketbook 301 Plus, 302, 360° N N N N N N              
Sony Reader Y N N N N N              
Viewsonic VEB612 N N N N N N              


The above is a simple matrix that will tell you which file, format is connected to which device, this is for reference only and it will give a guide to what is available at the time of print and I am sure it will change as things progress.

The main point is that if you look at the matrix there are so many different types for each device that it’s getting to appoint that we need to try to break it down to no more than 2 or 3 file types and a Platform can be designed to help all parties concerned.