ISO/IEC 27050-4:2021

INTERNATIONAL ISO/IEC
STANDARD 27050-4
First edition
2021-04
Information technology — Electronic
discovery —
Part 4:
Technical readiness
Technologies de l'information — Découverte électronique —
Partie 4: Préparation technique
Reference number
©
ISO/IEC 2021
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 Electronic discovery background . 2
6 Technical readiness . 4
7 Readiness for electronic discovery. 4
7.1 ESI identification . 4
7.1.1 General. 4
7.1.2 ESI landscape . 5
7.1.3 Data map . 5
7.1.4 Data classification . 5
7.1.5 Proactive ESI identification . 6
7.2 ESI preservation . 6
7.2.1 General. 6
7.2.2 Assessing preservation needs . 6
7.2.3 Preservation obligations . 6
7.2.4 Hold/preservation notices . 6
7.2.5 Proactive ESI preservation . 7
7.3 ESI collection . 7
7.3.1 General. 7
7.3.2 Methods of ESI collection . 7
7.3.3 Proactive ESI collection . 7
7.4 ESI processing . 8
7.4.1 General. 8
7.4.2 Tools for ESI processing . . 8
7.4.3 Reduction of ESI . 8
7.4.4 Proactive ESI processing . 8
7.5 ESI review . 9
7.5.1 General. 9
7.5.2 Technology-assisted review . 9
7.5.3 Proactive ESI review . 9
7.6 ESI analysis . 9
7.6.1 General. 9
7.6.2 Tools and tasks for ESI analysis . 9
7.6.3 Proactive ESI analysis .10
7.7 ESI production .10
7.7.1 General.10
7.7.2 Producing parties .10
7.7.3 Receiving parties.11
7.7.4 Proactive ESI production .11
8 Additional considerations .11
8.1 General .11
8.2 Privacy and data protection .11
8.3 Long-term retention of ESI .12
8.3.1 Retention and preservation .12
8.3.2 General data retention .12
8.3.3 Archive .13
8.4 Destruction of ESI .14
© ISO/IEC 2021 – All rights reserved iii

8.5 Business continuity management .15
9 Electronic discovery cross-cutting aspects .16
9.1 General .16
9.2 Planning .16
9.2.1 Configuration and preparation .16
9.2.2 Budgeting and cost control .16
9.2.3 Monitoring and reassessment .17
9.2.4 End of project considerations .17
9.3 Documentation .17
9.4 Expertise . .17
9.4.1 Support and maintenance .17
9.4.2 Assembling the team .17
9.4.3 Competency and training .19
9.4.4 Stakeholder engagement .19
9.5 Use of technology .19
9.5.1 Platform selection/system architecture .19
9.5.2 Retiral or migration of systems .19
Annex A (informative) ESI storage questionnaire .21
Bibliography .29
iv © ISO/IEC 2021 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 27050 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2021 – All rights reserved v

Introduction
Electronic discovery can expose organizations and their stakeholders within and outside those
organizations to collective and individual risks, including legal, financial and ethical.
This document is to be read in relation to ISO/IEC 27050-1, ISO/IEC 27050-2, and ISO/IEC 27050-3.
Electronic discovery often serves as a driver for investigations as well as evidence acquisition
and handling activities (covered in ISO/IEC 27037). In addition, the sensitivity and criticality of the
electronically stored information (ESI) sometime necessitate protections like storage security to guard
against data breaches (covered in ISO/IEC 27040).
vi © ISO/IEC 2021 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 27050-4:2021(E)
Information technology — Electronic discovery —
Part 4:
Technical readiness
1 Scope
This document provides guidance on the ways an organization can plan and prepare for, and implement,
electronic discovery from the perspective of both technology and processes. This document provides
guidance on proactive measures that can help enable effective and appropriate electronic discovery
and processes.
This document is relevant to both non-technical and technical personnel involved in some or all of the
electronic discovery activities.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 22123-1, Information technology — Cloud computing — Vocabulary
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27050-1:2019, Information technology — Electronic discovery — Part 1: Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27050-1,
and ISO/IEC 22123-1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http:// www .iso .org .obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
compliance obligations
legal requirements and other requirements
legal requirements that an organization has to comply with and other requirements that an organization
has to or chooses to comply with
Note 1 to entry: Compliance obligations can arise from mandatory requirements, such as applicable laws and
regulations, or voluntary commitments, such as organizational and industry standards, contractual relationships,
codes of practice and agreements with community groups or non-governmental organizations.
[SOURCE: ISO 14001:2015, 3.2.9, modified — Note 1 to entry has been removed and Note 2 to entry
renumbered.]
© ISO/IEC 2021 – All rights reserved 1

3.2
technical readiness
state of having the knowledge, skills, processes and technologies needed to address a particular issue
or challenge
4 Symbols and abbreviated terms
BCM business continuity management
CCTV closed-circuit television
ESI electronically stored information
ICT information and communication technology
PBX private branch exchange
PII personally identifiable information
RIM records and information management
SaaS software as a service
TAR technology-assisted review
VPN virtual private network
WORM write once read many
5 Electronic discovery background
Electronic discovery is an element of traditional discovery or disclosure and it is a process that
typically involves identifying, preserving, collecting, processing, reviewing, analysing and producing
electronically stored information (ESI) that can be potentially relevant to a particular matter. The
requirements and recommendations provided in this document are in accordance with the electronic
discovery concepts described in:
— ISO/IEC 27050-1:2019, Clause 3: key electronic discovery terminology;
— ISO/IEC 27050-1:2019, 6.2: electronic discovery issues and primary cost drivers;
— ISO/IEC 27050-1:2019, 6.3: general electronic discovery objectives;
— ISO/IEC 27050-1:2019, Clause 7: common ESI types, common sources, and representations;
— ISO/IEC 27050-1:2019, Clause 8: description of the electronic discovery process and the process
elements.
ISO/IEC 27050-1 differentiates between generic actions such as "identifying" from the specific electronic
discovery process elements by preceding the names with "ESI" (e.g. ESI identification). Likewise, this
document follows this approach. Figure 1, repeated from ISO/IEC 27050-1:2019, shows all the electronic
discovery process elements and the interrelationships between them (see ISO/IEC 27050-1:2019, 8.1,
for a full description).
2 © ISO/IEC 2021 – All rights reserved

Figure 1 — Electronic discovery process elements
ISO/IEC 27050-2 provides guidance for decision makers and those holding responsible roles to ensure
that causes of failure are properly managed and, where possible, minimized while still complying
with policy and conformance requirements to enable effective and appropriate electronic discovery
and processes. ISO/IEC 27050-3 provides requirements and guidance associated with the electronic
discovery process elements shown in Figure 1. While the guidance and requirements provided in
ISO/IEC 27050-2 and ISO/IEC 27050-3 cover key aspects of electronic discovery, organization can
benefit from additional proactive measures that address a range of related challenges.
The ISO/IEC 27050 series addresses these challenges by:
— promoting common understanding of various concepts and terminology for electronic discovery;
— articulating objectives and risks inherent in the steps in the electronic discovery process;
— encouraging practical and cost-effective discovery by those tasked with managing ESI through the
process;
— providing guidance and best practices for those responsible for delivering electronic discovery
projects (e.g. legal practitioners, services providers, independent experts, courts, and any other
parties engaged in the process);
— identifying competency areas for those involved in electronic discovery;
— promoting the proactive use of technology to reduce costs and risks, while increasing efficiencies
throughout the discovery process;
— suggesting ways to avoid inadvertent disclosures of potentially privileged, confidential, or
sensitive ESI.
The overriding objective is to help organizations meet their electronic discovery goals (e.g. legal
obligations, business objectives, regulatory requirements).
While this document has been written with larger electronic discovery projects in mind, and therefore
covers aspects encountered in the majority of matters. It is not necessarily the case that all steps are
© ISO/IEC 2021 – All rights reserved 3

required or proportionate to every matter. For example, in small matters, it is possible that a single
person manages and completes every aspect of the project, whereas larger matters can warrant the use
of separate individuals or even teams for each element of the electronic discovery project.
6 Technical readiness
Technical readiness means having the knowledge, skills, processes and technologies needed to address
a particular issue or challenge. For an organization, this does not mean that it is all-knowing and able to
do everything, but rather it is fit for purpose and ready for the task at hand, including any contingency
that can occur.
Within the context of electronic discovery, technical readiness means an organization is well positioned
to address the tasks associated with the appropriate electronic discovery process elements. This
readiness is also dependent on the type of organization (e.g. legal versus records management) as
well as the role the organization plays in the electronic discovery process (e.g. producing party versus
receiving party).
The electronic discovery readiness objectives can include the following:
— comply with confidentiality, data privacy and other restrictions on data access, use, handling or
transfer imposed by applicable laws, regulations, rules and expectations;
— identify potentially relevant sources of ESI;
— properly preserve and retain potentially relevant ESI;
— produce responsive ESI in a form that is useable by the requesting party;
— conduct the electronic discovery process within the time constraints.
Technical readiness in the context of electronic discovery should be based on the information
architecture, business processes, and data classification and retention policies of the organization.
Technical readiness is the achievement of the appropriate level of capability by an organization in
order for it to be able to identify, preserve, collect, process, review, analyse and produce ESI. It is also
important the ESI is protected (for example, backup, business continuity management, or security) and
organized so that this material can be used effectively.
Technical readiness implies a proactive effort to better address electronic discovery projects in the
future. This effort can require ESI to be organized, participants to be properly trained, protocols to be
developed and data retention and disposal practices to be formalized.
This should form part of the electronic discovery plan (see ISO/IEC 27050-2:2018, 6.5).
7 Readiness for electronic discovery
7.1 ESI identification
7.1.1 General
ISO/IEC 27050-3:2020, 6.2, provides both requirements and guidance for ESI identification. Of these,
the following can benefit from readiness or proactive activities:
— basic planning associated with determining who executes ESI identification and how it is expected
to be performed;
— understanding the organization's ESI landscape, including operational aspects that could impact
preservation;
— development of standard templates for interview questions and survey forms;
4 © ISO/IEC 2021 – All rights reserved

— create a list or inventory of systems, or possibly a data map to provide a centralized listing of what
types of ESI the organization has and where it is stored;
— understand the implications associated with issuing legal holds or preservation orders.
7.1.2 ESI landscape
ISO/IEC 27050-1:2019, Clause 7, provides useful information on the common types of ESI, common
sources of ESI, ESI representations and non-ESI as part of the electronic discovery process. This
information, when combined with the matter specific requirements, can serve as a useful starting point
in identifying potential sources of relevant ESI. These sources can include business units, people, ICT
systems and hardcopy.
Identification should be as thorough and comprehensive as possible. The scope of ESI potentially
subject to preservation and disclosure can be uncertain in the early phases of a matter. The nature of
the matter itself and the individuals involved can change as the matter progresses. The identification
team should anticipate change and have a procedure in place for capturing any newly identified ESI.
Identification requires diligent investigation and analytical thinking.
7.1.3 Data map
A data map is a comprehensive and defensible inventory of an organization’s ICT systems that store ESI.
It is important to create a data map to provide a centralized listing of which types of ESI exist within
the organization (see ISO/IEC 27050-3:2020, 6.2.5). This should also include details of specific locations
of data sets and can include the route data takes when in transit alongside, for example, who has control
over a mailbox and where the servers sit including any hardcopy material requirements.
This data map should be designed and managed with the assistance of ICT personnel and should
identify all relevant policies (e.g. retention policy, preservation policy, BCM policy) applicable to each
item of ESI. Ideally, the data map can also include the locations of hardcopy material. Resource should
be assigned to the task and on-going responsibility of creating and managing the data map.
After the triggering event, the electronic discovery team can use the data map to identify where the
relevant material is stored (ESI map).
The ESI map can provide sufficient detail around what data repositories are potentially discoverable
and how the data within them can be produced to help inform decisions around the electronic discovery
system selection process.
Where hardcopy material forms are identified, there should be a decision and process in place to
manage the scanning and coding. This should include coding specifications that can be specific to the
organizational and project requirements.
See Annex A for assistance with creation of the data map.
The level of security necessary for the ESI, all associated metadata and work product is dependent on
business needs and compliance obligations as applicable to the purposes of the electronic discovery
process. The security should be commensurate with the controls determined in accordance with 8.2.
7.1.4 Data classification
All ESI should be subject to data classification. This can be according to government standards, market
sensitivity, internal governance, privilege, control of data under data protection or privacy legislation,
or for the purposes of any matter requiring discovery.
This classification can affect the decisions around the management, traffic and encryption that should
be created via the architecture and system design.
© ISO/IEC 2021 – All rights reserved 5

7.1.5 Proactive ESI identification
Since ESI identification is crucial to the overall electronic discovery process, proactive measures that
help with the ESI identification activities should include, but are not limited to:
— developing a plan template that can be used to guide the identification effort;
— developing and using standard templates for interview questions and survey forms that can be used
in multiple matters;
— developing and maintaining report templates for the organization's ESI identification.
7.2 ESI preservation
7.2.1 General
ISO/IEC 27050-3:2020, 6.3, provides both requirements and guidance for ESI preservation. Of these, the
following can benefit from readiness or proactive activities:
— ensuring that appropriate preservation notices are issued;
— procedures for suspending destruction of ESI or ESI resources;
— testing of technical preservation controls to verify the effectiveness of the controls.
7.2.2 Assessing preservation needs
It is important to establish preservation procedures covering employees, ICT, legal and former
and departing employees. Based on the procedures, the team can assess the needs for preservation
with regard to where the relevant ESI is stored and technical implications of collection. The scope of
preservation should be determined. The number of subjects affected, who are required to act, who
can control ESI, and the time period for preservation are among the first decisions. The team should
consider the potential for third-party preservation requirements. A preservation notice should be
issued to all relevant parties, including steps to be taken to ensure appropriate preservation. The team
should put in place a process for continued preservation throughout the relevant time period, i.e. the
life of the case or project.
7.2.3 Preservation obligations
The duty to preserve ESI, sometimes referred to as the trigger to preserve, can begin when a party
knows of or has a reasonable anticipation of future litigation or action associated with a matter. The
important thing to remember here is that the duty to preserve can be triggered before a lawsuit has
been filed or preservation notice has been received. Consequently, organizations should understand
preservation triggers within their jurisdictions.
The duty to preserve ESI for electronic discovery is often not described in a law or even explicitly
defined in other requirements that are relevant to a matter. In addition, preservation expectations can
vary significantly in different jurisdictions.
Another important aspect of preservation is the scope of what needs to be preserved. Again, specific
requirements can be vague and be described in terms of "reasonableness" and "proportionality". When
preservation has been triggered, the organization should take appropriate information security steps
to ensure the integrity of relevant ESI.
7.2.4 Hold/preservation notices
A preservation notice is an internal instruction issued by an organization to its employees directing
them to identify, locate and preserve hardcopy and ESI that are potentially relevant to a particular
matter. In addition to preventing the deletion, destruction or modification of ESI and information
6 © ISO/IEC 2021 – All rights reserved

by individuals, a preservation notice should also include the suspension of any routine document
destruction pursuant to an organization’s document retention policies or otherwise.
An important step in the legal hold process is deciding who should receive the instruction to preserve
ESI. This should include someone in charge of data storage or technology issues to ensure the
organization’s routine destruction procedures are suspended.
After issuing a preservation notice, responsible individuals should periodically follow up with the
individuals and organizations who received the notice to make sure they implemented it as instructed.
As the matter progresses, consideration should be given as to whether additional individuals or
organizations should receive the litigation hold and whether the scope of the original preservation
notice is still sufficient. If claims or issues are added or the nature of the matter changes, it can be
necessary to issue a new or amended preservation notice to ensure all potentially relevant ESI is
preserved. In addition, as personnel decisions are made, organizations should consider whether new
employees should be added to the legal hold and whether departing employees’ ESI should be preserved.
7.2.5 Proactive ESI preservation
Since ESI preservation is crucial to the overall electronic discovery process, proactive measures that
help with the ESI preservation activities should include, but are not limited to:
— retention policies;
— understanding preservation triggers;
— developing and maintaining legal hold materials and processes for the organization.
7.3 ESI collection
7.3.1 General
ISO/IEC 27050-3:2020, 6.4, provides both requirements and guidance for ESI collection. Of these, the
following can benefit from readiness or proactive activities:
— selection of tools and methods appropriate to ESI collection;
— complying with data protection, privacy, or security obligations (see 8.2).
7.3.2 Methods of ESI collection
The specific reasons for collection can affect the method used to obtain the ESI. For example, if the ESI
is for discovery in a criminal matter, the methods for obtaining the material should maintain integrity
of the metadata so the material can be used as evidence where required.
It is strongly recommended that the guidance given in ISO/IEC 27037, ISO/IEC 27041 and ISO/IEC 27042
is followed when creating and deploying ESI collection processes.
7.3.3 Proactive ESI collection
ESI collection is critical in preparing the preserved ESI as a data set for further electronic discovery
operations, so proactive measures that help with the ESI collection activities should include, but are not
limited to:
— understanding the technologies the organization uses to protect sensitive data (e.g. encryption);
— identifying defensibility measures (e.g. chain of custody, hashing, audit trails) that can be used is
situations where there is contention or controversy;
— having provisions for outside resources that include agreements/contracts with preferred vendors.
© ISO/IEC 2021 – All rights reserved 7

7.4 ESI processing
7.4.1 General
ISO/IEC 27050-3:2020, 6.5, states that ESI processing is further broken into four main sub-processes,
namely: assessment, preparation, selection and output. Assessment can allow for a determination
that certain ESI need not move forward. Preparation involves performing activities against the ESI
which can later allow for specific item-level selection to occur (extraction, indexing, hashing, etc.).
Selection involves de-duplication, searching and analytical methods for choosing specific items which
can be moved forward. Output allows for transport of reviewable items to the subsequent elements
of the electronic discovery process. Of the ISO/IEC 27050-3:2020, 6.5, requirements and guidance, the
following can benefit from readiness or proactive activities:
— ESI processing tools should be tested for the data types expected to be handled;
— data reductions techniques should be appropriately vetted.
7.4.2 Tools for ESI processing
ESI can arrive at the ESI processing stage in various formats which then need to be restored before
subsequent work can be done (tapes, backups, etc.). It is possible that individual files and e-mail need to
be extracted from container files (PST, NSF, zip, rar, etc.). If the ESI cannot be used in its native format,
it can be necessary to convert certain types of ESI to facilitate further processing (legacy mail formats,
legacy file formats). This means that tools are typically needed to retrieve the ESI from the collected
sources (e.g. tapes), to ingest the various formats, and to convert the native ESI to a more usable form.
Organizations should:
— catalogue the ESI, capturing details on the sources and formats;
— record the accessibility details (e.g. passwords, encryption keys, etc.) that are necessary to use the ESI;
— address any requirements to capture metadata that can be loss in a format conversion;
— explicitly identify the target format to be used, so that multiple conversions can be avoided (it is
possible that this target format can be an element of negotiation as part of ESI production).
7.4.3 Reduction of ESI
Rarely is it necessary to review all items that are submitted for ESI processing, so some form of data
reduction is employed. The tools and techniques used to accomplish such reductions should not be a
source of issue.
Organizations should:
— document the specific tools and techniques used for all reductions;
— use processes that are repeatable and provide consistent results.
7.4.4 Proactive ESI processing
ESI processing is instrumental in preparing the ESI for further electronic discover operations, so
proactive measures that help with the ESI processing activities should include, but are not limited to:
— as an ESI producing party, having a clear understanding of the potential sources and formats of ESI
used within the organization;
— as an ESI receiving party, having a clear understanding of types of ESI sources and formats that can
be handled and document this information so that it can be used in requests;
— documenting the tools that are available for using during ESI processing;
8 © ISO/IEC 2021 – All rights reserved

— identifying ICT resources that can be used for restorations and culling of ESI.
7.5 ESI review
7.5.1 General
ISO/IEC 27050-3:2020, 6.6, provides both requirements and guidance for ESI review. Of these, the
following can benefit from readiness or proactive activities:
— the organization should have provisions to use manual review, the use of technology-assisted
review and the use of combination methods which use both human review and automated tools to
accomplish the ESI review;
— the organization should canvas the availability of the various technologies for technology-assisted
review, bearing in mind that each tool can have its own strengths and weaknesses.
7.5.2 Technology-assisted review
Technology-assisted review (TAR) is a process for prioritizing or coding a collection of ESI using a
computerized system that harnesses human judgments of one or more subject matter experts on a
smaller set of documents and then extrapolates those judgments to the remaining document collection.
The objective is to distinguish relevant from non-relevant ESI.
Organizations should:
— understand the TAR statistical models or sampling techniques and the implications associated with
the approach;
— ensure the seed set or initial training set is appropriate for the matter.
7.5.3 Proactive ESI review
ESI review is the aspect of the electronic discovery process that determines relevant from non-relevant
ESI, so proactive measures that help with the ESI review activities should include, but are not limited to:
— documenting the tools that are available for using during ESI review;
— identifying the review platform that can be used for determining responsive ESI.
7.6 ESI analysis
7.6.1 General
ISO/IEC 27050-3:2020, 6.7, provides both requirements and guidance for ESI analysis. Of these, the
following can benefit from readiness or proactive activities:
— identify tools or methods that are appropriate to the ESI to potentially be analysed;
— identify common tasks relevant to ESI analysis to determine relationships and patterns among the
data, make predictions, present visualizations of the data, or create reports to exercise judgement
regarding the data.
7.6.2 Tools and tasks for ESI analysis
There are many tools that can be used during the initial analysis and identification of documents to be
collected that can track the types and locations of ESI within an organization. In addition, many tools
today provide content and visual analytic capabilities that can help identify gaps through sampling and
review of collected or preserved data sets. For example, social networking visualizations can quickly
provide an overview of other custodians of interest based on interactions with key custodians in a
© ISO/IEC 2021 – All rights reserved 9

given matter. Important information about the case can also be obtained at an early stage from e-mail
string analysis, duplication and near-duplication analysis and concept clustering and related tools.
Organizations should use analysis to:
— determine the provenance of the ESI (e.g. harvesting embedded metadata);
— make it easier to cull documents.
7.6.3 Proactive ESI analysis
ESI analysis is used throughout the electronic discovery process, so proactive measures that help with
the ESI analysis activities should include, but are not limited to:
— information management systems should be designed to accommodate legal holds or preservation
orders, as well as identification, preservation and collection requirements;
— content analytics, traditionally used during discovery, should be used as a filter when cataloguing
ESI for destruction, inclusion in or exclusion from archive systems in an effort to reduce the number
of retained business records that are to subject electronic discovery;
— electronic discovery planning and implementation should be followed by vigorous and periodic
auditing
...