Testing & certification of digitization solutions (providers & users)
In the context of digitization, the question repeatedly arises as to whether the planned solution is legally compliant. The Business Records Ordinance (GeBüV) is the authoritative framework for keeping and storing electronic information in Switzerland. Almost all laws in Switzerland refer to it for implementation. But when does a system actually meet the legal requirements? To answer this question, krm has been conducting structured audits since 2017 and produces a report with or without a certificate.
Examples of tests (certified products are published on the krm homepage):
- ECM / DMS products (On Premise, Cloud)
- Scanning processes / digitization
- Scan Products
- Archive systems
- Accounts Payable Workflow
- ECM / DMS / archive systems, regulated industries
- ECM / DMS / archive systems, non-regulated industries
There are a large number of cases in which a GeBüV audit may be considered. A distinction must be made between the user and the supplier perspective:
The assessment is based on the fundamentals that krm has collected and updated over the years from laws such as the OR, the GeBüV, VAT laws and data protection laws, as well as from our reference books. The long experience of the krm experts helps to identify the right test basis. Depending on the customer's needs, we obtain additional frameworks (e.g. ISO standards, industry-specific specifications) and contracts with third parties (cloud, outsourcing). Of course, corporate governance principles and security requirements as well as the ICS are also taken into account.
Revision security does not exist
The rationale for this can be found in 4.12. The legal basis in Switzerland differs from that of other countries such as Germany in the following points:
The Business Records Ordinance (GeBüV) contains detailed requirements at the technical level. For example, the requirements for immutability are described in detail. There are also requirements for logging access, data migration and data separation (management vs. storage).
pursuant to Art. 958 f of the Swiss Code of Obligations ).
Continue reading in book chapter 6.4 on p.278