Areas that may need attention in Requirements for Bodies Providing Audit and Certification

The current draft Requirements for Bodies Providing Audit and Certification is based on ISO 27006 for information security. There are a number of areas which, while they do not refer explicitly to information security, might be more oriented towards it than to Trusted Digital Repositories, and consequently the document might need amendment in these areas. They are identified in the Word document but also extracted here for ease of reference and editing.

This page is also now being used to track the edits to the text agreed at the weekly MegaMeetings, using deletion and insertion markers.

Mark's comments 20100308

Terry's comments 20100308

Section | New / changed data
Purpose and Scope (p1-1/2, 1.1 - 1.4) | Minor grammatical changes; attempted to clarify the 17021 relationship
T1: Conformance and References (p1-3, 1.8 and 1.9) | Grammar; removed references to ISO 9000, which is not referred to in the text
T2: Overview (p. 2-1, 2.0) | Reworded first paragraph
T2: Good Practices | Deleted
T3: Principles (new Section 3.0) | Added summary of the 17021 section
T4: General requirements (new Section 4.0) | Added summaries of all three 17021 subsections
T5: Structural requirements (new Section 5.0) | Added summaries of both 17021 subsections

General points and issues to check

  • time between recertifications
  • surveillance - implications on frequency and ongoing contacts between audit body and repository

  • Definition of "initial audit committee": the initial audit committee will consist of internationally recognised experts in digital preservation, its membership drawing on the authors of the ISO XXXXX - RAC Document.

ALERT! Check how the repository under audit is referred to throughout the document: it should not yet be referred to as "TDR"; instead, phrases like "the organisation's repository" or "the repository being audited" should be used. ALERT!

ALERT! Except: the last paragraph of 1.4 notes that the string TDR is used to identify sections/statements not found in 17021. -Longstreth20100307 ALERT!

ALERT! Add some words in an introductory sentence explaining that the auditor is like a "critical friend". ALERT!

7 Resource requirements

7.1 Competence of management and personnel

The requirements from ISO/IEC 17021:2006, Clause 7.1 apply. In addition, the following TDR-specific requirements and guidance apply.

7.1.1 TDR 7.1 Management competence

The essential elements of competence required to perform TDR certification are to select, provide and manage those individuals whose skills and collective competence are appropriate to the activities to be audited and the related digital preservation issues.

Competence analysis and contract review

The certification body shall ensure that it has knowledge of the technological and legal developments relevant to the TDR of the client organization, which it assesses. The certification body shall have an effective system for the analysis of the competencies in digital preservation management which it needs to have available, with respect to all the technical areas in which it operates.

For each client, the certification body shall be able to demonstrate that it has performed a competence analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector prior to undertaking the contract review. The certification body shall then review the contract with the client organization, based on the results of this competence analysis. In particular, the certification body shall be able to demonstrate that it has the competence to complete the following activities:

a) understand the areas of activity of the client organization and the associated business risks;

b) define the competencies needed in the certification body to certify in relation to the identified activities and to the digital preservation related threats to assets, vulnerabilities and impacts on the client organization ALERT! Might need to rephrase this ALERT!;

c) confirm the availability of the required competencies.

Resources

The management of the certification body shall have the necessary processes and resources to enable it to determine whether or not individual auditors are competent for the tasks they are required to perform within the scope of certification in which they are operating. The competence of auditors may be established by verified background experience and specific training or briefing (see also Annex B). The certification body shall be able to communicate effectively with all those clients it provides services to.

7.2 Personnel involved in the certification activities

The requirements from ISO/IEC 17021:2006, Clause 7.2 apply. In addition, the following TDR-specific requirements and guidance apply.

7.2.1 TDR 7.2 Competence of certification body personnel

Certification bodies shall have personnel competent to

a) select and verify the competence of TDR auditors for audit teams appropriate for the audit;

b) brief TDR auditors and arrange any necessary training;

c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;

d) set up and operate an appeals and complaints process.

Training of audit teams

The following training requirements apply to all members of the audit team, with the exception of d), which can be shared among members of the audit team.

The certification body shall have criteria for the training of audit team members that ensure

a) knowledge of the TDR standard and other relevant normative documents;

b) understanding of digital preservation;

c) understanding of risk assessment and risk management of digitally encoded information;

d) technical knowledge of the digital preservation aspects which apply to the activity to be audited;

e) general knowledge of regulatory requirements relevant to TDRs;

f) knowledge of management systems;

g) understanding of the principles of auditing based on ISO 19011;

h) knowledge of TDR effectiveness review and measurement of control effectiveness.

When selecting the audit team to be appointed for a specific certification audit, the certification body shall ensure that the skills brought to each assignment are appropriate. The team shall

a) have appropriate technical knowledge of the specific activities within the scope of the TDR for which certification is sought and, where relevant, with associated procedures and their potential digital preservation risks (technical experts who are not auditors may fulfill this function);

b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit of its TDR in managing the digital preservation aspects of its activities, products and services;

c) have appropriate understanding of the regulatory requirements applicable to the client organization's TDR.

When required, the audit team may be complemented by technical experts who can demonstrate specific competence in a field of technology appropriate to the audit. Note that technical experts cannot be used in place of TDR auditors, but they may advise auditors on matters of technical adequacy in the context of the management system being audited.

The certification body shall have a procedure for

a) selecting auditors and technical experts on the basis of their competence, training, qualifications and experience;

b) initially assessing the conduct of auditors and technical experts during certification audits and subsequently monitoring the performance of auditors and technical experts.

Management of the decision-making process

The management function shall have the technical competence and ability in place to manage the process of decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of TDR certification to the requirements of .

Pre-requisite levels of education, work experience, auditor training and audit experience for auditors conducting TDR audits

The following criteria shall be applied for each auditor in the TDR audit team. The auditor shall

ALERT! Review these requirements ALERT!

ALERT! It will be necessary to specify somewhere familiarity with OAIS and the metrics document. ALERT!

ALERT! The "lead audit committee" has been proposed as a method to bootstrap the process; needs introducing formally into this document. ALERT!

a) have an education at secondary level ALERT! This may need revision ALERT!;

b) have at least four years of full-time practical workplace experience in information technology, of which at least two years are in a role or function relating to data management, libraries, archives, or information technology with a focus on digital preservation;

c) have successfully completed five days of training in a course approved by the lead audit committee ALERT! (TBD as to what constitutes this) ALERT!; training whose scope covers TDR audits and audit management shall be considered appropriate;

d) have gained experience in the entire process of assessing digital preservation prior to assuming responsibility for performing as an auditor. This experience should have been gained by participation in a minimum of two certification audits for a total of at least 20 days, including review of documentation and risk analysis, implementation assessment and audit reporting, with at least the majority of the team on site, including those familiar with the particular area being audited (this condition does not apply to members of the *initial audit committee*);

e) have experience which is reasonably current, and some familiarity with current research in digital preservation;

f) be able to put complex operations in a broad perspective and to understand the role of individual units in larger client organizations;

g) keep their knowledge and skills in digital preservation and auditing up to date through continual professional development;

h) be accredited by the *lead audit committee*.

Technical experts shall comply with criteria a), b), e) and f).

In addition to the requirements in , audit team leaders shall fulfill the following requirements, which shall be demonstrated in audits under guidance and supervision:

a) have knowledge and attributes to manage the certification audit process;

b) have been an auditor in at least two complete TDR audits;

c) have demonstrated the capability to communicate effectively, both orally and in writing.

8 Information requirements

8.1 Publicly accessible information

The requirements from ISO/IEC 17021:2006, Clause 8.1 apply. In addition, the following TDR-specific requirements and guidance apply.

8.1.1 TDR 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing certification

The certification body shall require the client organization to have a documented and implemented TDR which conforms to (ISO XXXXX - RAC Document) and other documents required for certification.

The certification body shall have documented procedures for

a) the initial certification audit of a client organization's TDR, in accordance with the provisions of ISO 19011, ISO/IEC 17021 and other relevant documents;

b) surveillance and recertification audits of a client organization's TDR, in accordance with ISO 19011 and ISO/IEC 17021, on a periodic basis (with exceptions agreed with the initial audit committee) for continuing conformity with relevant requirements and for verifying and recording that a client organization takes corrective action on a timely basis to correct all nonconformities.

9 Process requirements

9.2 Initial audit and certification

The requirements from ISO/IEC 17021:2006, Clause 9.2 apply. In addition, the following TDR-specific requirements and guidance apply.

9.2.1 TDR 9.2.1 Audit team competence

The following requirements apply to certification assessment, in addition to the requirements that are listed in Clause 7.2. For surveillance activities only those requirements which are relevant to the scheduled surveillance activity apply.

The following requirements apply to the audit team as a whole.

a) In each of the following areas at least one audit team member shall satisfy the certification body's criteria for taking responsibility within the team:

ALERT! List needs amending for TDR context ALERT!

1. managing the team,

2. management systems and process applicable to TDR,

3. knowledge of the legislative and regulatory requirements in the particular digital preservation field,

4. identifying digital preservation related threats and incident trends,

5. identifying the vulnerabilities of the client organization and understanding the likelihood of their exploitation, their impact and their mitigation and control,

6. knowledge of TDR controls and their implementation,

7. knowledge of TDR effectiveness review and measurement of controls,

8. related and/or relevant TDR standards, industry best practices, preservation policies and procedures,

9. knowledge of incident handling methods and business continuity,

10. knowledge about tangible and intangible information assets and impact analysis,

11. knowledge of the current technology where preservation might be relevant or an issue,

12. knowledge of risk management processes and methods.

TDR Stage 2 audit

The stage 2 audit always takes place at the site(s) of the client organization; at least two members of the audit team will be physically present, and other members of the team may take part remotely as long as they have access to the relevant materials. On the basis of findings documented in the stage 1 audit report, the certification body drafts an audit plan for the conduct of the stage 2 audit. The objectives of the stage 2 audit are

a) to confirm that the client organization adheres to its own policies, objectives and procedures;

b) to confirm that the TDR conforms to all the requirements of the normative TDR standard and is achieving the client organization's policy objectives. To do this, the audit shall focus on the client organization's

ALERT! List needs amending for TDR context ALERT!

a) assessment of digital preservation related risks, and that the assessments produce comparable and reproducible results;

b) documentation requirements listed in Clause ALERT! PUT IN RELEVANT REF (was 4.3.1) ALERT! of ;

c) selection of control objectives and controls based on the risk assessment and risk treatment processes;

d) reviews of the effectiveness of the TDR and measurements of the effectiveness of the digital preservation controls, reporting and reviewing against the TDR objectives;

e) internal TDR audits and management reviews;

f) management responsibility for the digital preservation policy;

g) correspondence between the selected and implemented controls, the Statement of Applicability, and the results of the risk assessment and risk treatment process, and the TDR policy and objectives;

h) implementation of controls (see Annex D), taking into account the organization's measurements of effectiveness of controls [see d) above], to determine whether controls are implemented and effective to achieve the stated objectives;

i) programs, processes, procedures, records, internal audits, and reviews of the TDR effectiveness to ensure that these are traceable to management decisions and the TDR policy and objectives.

3 TDR-specific elements of the TDR audit

The role of the certification body is to establish that client organizations are consistent in establishing and maintaining procedures for the identification, examination and evaluation of digital preservation related threats to assets, vulnerabilities and impacts on the client organization. Certification bodies shall

ALERT! Update for TDR context ALERT!

a) require the client organization to demonstrate that the analysis of preservation related threats is relevant and adequate for the operation of the client organization and its custodianship of its digital holdings;

NOTE The client organization is responsible for defining criteria by which digital preservation related risks of the client organization are identified as significant, and to develop procedure(s) for doing this.

b) establish whether the client organization's procedures for the identification, examination and evaluation of digital preservation related threats to assets, vulnerabilities and impacts, and the results of their application, are consistent with the client organization's policy, objectives and targets.

The certification body shall also establish whether the procedures employed in the analysis of significance are sound and properly implemented. If a digital preservation related threat to assets, a vulnerability, or an impact on the client organization is identified as being significant, it shall be managed within the TDR.

Legal and regulatory compliance

The maintenance and evaluation of legal and regulatory compliance is the responsibility of the client organization. The certification body shall restrict itself to checks and samples in order to establish confidence that the TDR functions in this regard. The certification body shall verify that the client organization has a management system to achieve legal and regulatory compliance applicable to the digital preservation risks and impacts.

Integration of TDR documentation with that for other management systems

The client organization can combine the documentation for the TDR and other management systems (such as quality, health and safety, and environment) as long as the TDR can be clearly identified together with the appropriate interfaces to the other systems.

Combining management system audits

A certification body may offer other management system certification linked with the TDR certification, or may offer TDR certification only. The TDR audit can be combined with audits of other management systems. This combination is possible provided it can be demonstrated that the audit satisfies all requirements for certification of the TDR. All the elements important to a TDR shall appear clearly, and be readily identifiable, in the audit reports. The quality of the audit shall not be adversely affected by the combination of the audits.

NOTE ISO 19011 provides guidance for carrying out combined management system audits.

9.3 Surveillance activities

The requirements from ISO/IEC 17021:2006, Clause 9.3 apply. In addition, the following TDR-specific requirements and guidance apply.

9.3.1 TDR 9.3 Surveillance audits

Surveillance audit procedures shall be consistent with those concerning the certification audit of the client organization's TDR as described in this standard.

The purpose of surveillance is to verify that the approved TDR continues to be implemented, to consider the implications of changes to that system initiated as a result of changes in the client organization's operation, and to confirm continued compliance with certification requirements. Surveillance programs should normally cover

a) the system maintenance elements, which are internal TDR audit, management review and preventive and corrective action;

b) communications from external parties as required by the TDR standard and other documents required for certification;

c) changes to the documented system;

d) areas subject to change;

e) selected elements of ;

f) other selected areas as appropriate.

As a minimum, surveillance by the certification body shall review the following:

a) the effectiveness of the TDR with regard to achieving the objectives of the client organization's digital preservation policy;

b) the functioning of procedures for the periodic evaluation and review of compliance with relevant digital preservation legislation and regulations;

c) action taken on nonconformities identified during the last audit.

Surveillance by the certification body should at least cover the points required for surveillance audit in ISO/IEC 17021. In addition, the following issues should be considered.

a) The certification body should be able to adapt its surveillance program to the digital preservation related threats to assets, vulnerabilities and impacts on the client organization, and justify this program.

b) The surveillance program of the certification body should be determined by the certification body. Specific dates for visits may be agreed with the certified client organization.

c) Surveillance audits may be combined with audits of other management systems. The reporting shall clearly indicate the aspects relevant to each management system.

d) The certification body is required to supervise the appropriate use of the certificate.

During surveillance audits, certification bodies shall check the records of appeals and complaints brought before the certification body and, where any nonconformity or failure to meet the requirements of certification is revealed, that the client organization has investigated its own TDR and procedures and taken appropriate corrective action.

A surveillance report shall contain, in particular, information on clearing of nonconformities revealed previously.

As a minimum, the reports arising from surveillance should build up to cover in totality the requirement of point a) above.

-- SimonLambert - 09 Sep 2009

Topic attachments
Attachment | Size | Date | Who | Comment
AuditorGuidelines-CCSDS-format-2-without-boxes-longstreth.doc (Word) | 255.0 K | 2010-03-15 09:20 | DavidGiaretta | Terry's comments
Mark-Comments-20100308.pdf (PDF) | 291.7 K | 2010-03-08 17:28 | DavidGiaretta | PDF of Mark's comments (and a few other edits made during the MegaMeeting) 20100308
Topic revision: r16 - 2010-03-15 - DavidGiaretta