ISO IEC 27038-2014 PDF
Name in English:
St ISO IEC 27038-2014
Name in Russian:
Ст ISO IEC 27038-2014
Original ISO/IEC 27038:2014 standard, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 27038:2014 — Information technology — Security techniques — Specification for digital redaction. This International Standard specifies the characteristics of techniques for performing digital redaction on digital documents, sets requirements for software redaction tools and describes methods for testing that redaction has been securely completed.
Abstract
ISO/IEC 27038:2014 defines what constitutes secure, irreversible redaction of information within digital documents (for example PDF and office files). It covers functional requirements for redaction tools, processes for handling embedded objects and metadata that could still reveal the removed content, and validation and testing approaches to demonstrate that redaction is complete and non-recoverable. The standard explicitly excludes redaction of information stored in databases.
General information
- Status: Published; reviewed and confirmed at ISO's periodic systematic review.
- Publication date: March 2014 (Edition 1).
- Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) — published under ISO/IEC JTC 1/SC 27.
- ICS / categories: 35.030 (Information security).
- Edition / version: 1 (2014).
- Number of pages: 9 pages (main publication).
Key bibliographic facts above are taken from the ISO bibliographic record for ISO/IEC 27038:2014.
Scope
The standard specifies characteristics and requirements for digital redaction of documents — how sensitive content is to be removed so it cannot be recovered by technical means. It covers functional expectations for redaction software, handling of visible content and hidden or embedded data (including metadata), recordkeeping of redaction actions, and basic methods to test and verify that redaction was performed securely. It does not cover redaction of database-held information.
Key topics and requirements
- Definitions and principles of digital redaction, including the objective of irreversibility.
- Functional requirements for software redaction tools (what a tool must do to be considered compliant).
- Techniques for removing visible content, embedded objects and metadata that could reveal redacted information.
- Recommended processes for recordkeeping and documenting redaction decisions and actions.
- Methods and simple tests to validate that redaction was successful and non-recoverable; an informative annex addresses redaction of PDFs.
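The topics above centre on one failure mode every practitioner should be able to detect: a document that looks redacted on screen but still carries the sensitive text in its content streams or metadata. The following is an added illustration, not code from this page's publisher and not the test method prescribed by the standard. It builds a minimal one-page PDF inline (a constructed sample, with an invented name as the "secret") in two variants: one where a black box was merely drawn over the text, and one where the text object and the /Title metadata were actually replaced. It then inflates every stream and scans streams, dictionaries and hex-encoded string forms for the residue. All function names and the sample documents are assumptions of this example.

```python
"""Residual-content check for a 'redacted' PDF (constructed example).

Not the test method from ISO/IEC 27038:2014; it shows the kind of question a
redaction validator must answer: after the visible redaction, is the sensitive
string still recoverable from decoded streams, metadata, or hex-encoded strings?
"""
from __future__ import annotations

import re
import zlib

# A stream body runs from the EOL after 'stream' to the EOL before 'endstream'.
# No '\r?' before endstream on purpose: binary data may legitimately end in 0x0D.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def build_pdf(page_ops: bytes, title: bytes) -> bytes:
    """Build a one-page PDF (constructed sample) with a Flate-compressed content
    stream and an Info dictionary, so both hiding places exist in the file."""
    content = zlib.compress(page_ops)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Title (" + title + b") /Producer (constructed example) >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)


def find_residue(pdf: bytes, secret: bytes) -> list[str]:
    """Report every place `secret` is still recoverable from the file bytes.

    Scans each stream (inflated when Flate-compressed, raw otherwise), then the
    non-stream bytes (object dictionaries, Info metadata, trailer), looking for
    the literal and for the PDF hex-string encoding of it.
    Deliberate gaps, so the example stays short: text split across TJ array
    elements, literal-string escapes, custom font encodings and embedded images
    are not decoded. A clean result here is necessary, not sufficient, evidence.
    """
    hits = []
    hex_forms = {secret.hex().encode(), secret.hex().upper().encode()}

    def scan(label: str, data: bytes) -> None:
        if secret in data:
            hits.append(f"{label}: literal")
        if any(h in data for h in hex_forms):
            hits.append(f"{label}: hex-encoded")

    for idx, m in enumerate(STREAM_RE.finditer(pdf), start=1):
        raw = m.group(1)
        try:
            decoded = zlib.decompress(raw)
        except zlib.error:
            decoded = raw  # uncompressed or unsupported filter: scan as-is
        scan(f"stream #{idx}", decoded)

    scan("metadata/dictionaries", STREAM_RE.sub(b"", pdf))
    return hits


def redaction_is_complete(pdf: bytes, secret: bytes) -> bool:
    """True only when no residue of `secret` is found anywhere in the file."""
    return not find_residue(pdf, secret)


SECRET = b"John Doe"  # invented name for the constructed sample

# Sample 1 (constructed): the classic failure. A black box is painted over the
# name, but the Tj operator still carries it and it is still in /Title.
OVERLAY_ONLY = build_pdf(
    b"BT /F1 12 Tf 72 700 Td (Subject: John Doe) Tj ET 0 g 70 695 120 16 re f",
    b"Case file: John Doe",
)

# Sample 2 (constructed): text object and metadata replaced before the box was
# drawn, which is what irreversible redaction requires.
CONTENT_REMOVED = build_pdf(
    b"BT /F1 12 Tf 72 700 Td (Subject: [REDACTED]) Tj ET 0 g 70 695 120 16 re f",
    b"Case file",
)

if __name__ == "__main__":
    for name, doc in (("overlay only", OVERLAY_ONLY), ("content removed", CONTENT_REMOVED)):
        print(f"{name}: {find_residue(doc, SECRET) or 'no residue found'}")
```

Run as a script, the overlay-only document reports residue in both the content stream and the metadata, while the content-removed document reports none. In practice the same scan should also be run against incremental-update sections, embedded files, annotations and XMP packets, which this short example does not model.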
These topic outlines and the structure of the standard are summarised from practical summaries and standard overviews.
Typical use and users
This standard is used by records managers, legal and disclosure teams, forensic practitioners, information security professionals, software developers of redaction tools, and organizations that must publish or disclose documents while protecting sensitive content (for example in legal discovery, freedom of information releases, or when sharing documents externally). It is typically referenced when specifying redaction tool requirements, designing redaction processes, or preparing evidence of secure redaction for auditors and regulators.
Related standards
ISO/IEC 27038 is part of the ISO/IEC 27000 family (information security techniques) and is commonly considered alongside standards such as ISO/IEC 27001 and ISO/IEC 27002 (ISMS and controls), ISO/IEC 27037 (guidelines for identification, collection, acquisition and preservation of digital evidence), ISO/IEC 27040 (storage security) and other adjacent guidance in the 27000 series.
Keywords
digital redaction, redaction testing, irreversibility, document sanitization, metadata removal, redaction tools, ISO/IEC 27000 series, information security
FAQ
Q: What is this standard?
A: ISO/IEC 27038:2014 is an international standard that defines specifications and requirements for performing secure digital redaction of documents and for redaction software.
Q: What does it cover?
A: It covers characteristics of redaction techniques, functional requirements for redaction tools, handling of embedded data and metadata, recordkeeping of redaction actions, and simple testing methods to verify redaction completeness. It excludes database redaction.
Q: Who typically uses it?
A: Records managers, legal teams, forensic specialists, information security professionals, redaction software vendors, auditors and any organization that needs to release or share documents with sensitive content removed.
Q: Is it current or superseded?
A: The 2014 edition is the first edition. The ISO bibliographic record shows the publication date as March 2014 and indicates the standard has been reviewed/confirmed in subsequent periodic reviews; as of the latest ISO record it remains the current edition. Users should check the ISO catalogue for any amendments or newer editions when implementing.
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC 27000 family of standards (information security techniques) and is typically used alongside ISO/IEC 27001, ISO/IEC 27002 and other 27000-series standards that address related security controls and processes.
Q: What are the key keywords?
A: Digital redaction, irreversibility, document sanitization, metadata removal, redaction testing, redaction tools, information security.