Notes from Megameeting 26th October 2009

Attendees

Summary

There wwre discussions of:

• how to audit repositories that rely on cloud storage of data
• how to judge pass/fail, or use the audit process for recommendations for improvement
• the role of the primary audit committee and how to specify it in the document

Specific agreements:

• End note on 7.2.1.1 (d) to be moved higher up

• 7.2.1.3.1 (d) should be changed two two audits rather than four

• There should be a clarification of how much of the process is on site: something like "at least the majority of the team on site - including the ones familiar with the particular area being audited."

The next meeting will be on Wednesday October 28 at 10:30 Washington, 14:30 UK, 15:30 Holland.

Transcript of chat

Terry Longstreth >> (All): Do we have an agenda?
Mark Conrad >> (All): I believe we are to continue editing the document. Had an 
e-mail from Simon saying he had captured our comments in wiki form. I am still 
trying to locate that wiki page.
Terry Longstreth >> (All): This is a better one: http://wiki.digitalrepositoryauditandcertification.org/bin/view/Main/AuditorGuidelinesIssues
Mark Conrad >> (All): The latter is the one Simon lists in his e-mail.
RobertDowns >> (All): We usually see a larger group. Was there a time change?
Mark Conrad >> (All): It doesn't include the boxes with the relevant text from 
ISO 17021. Guess we will still need to look at two documents.
Mark Conrad >> (All): I don't know if the EU went off Summer Time this last 
weekend.
Terry Longstreth >> (All): @Robert: I've never found the calendar for these 
meetings
Mark Conrad >> (All): Not sure where our other colleagues from this side of the 
pond are.
Mark Conrad >> (All): I just sent an e-mail to the list to see if we are 
supposed to be meeting now.
RobertDowns >> (All): Thanks, Mark! That might help.
Mark Conrad >> (All): I just checked. Summer Time ended in the EU yesterday.
Mark Conrad >> (All): That's probably why no one is here from that side of the 
pond.
Terry Longstreth >> (All): What's the delta?
SimonLambert >> (All): Just catching up on the chat
SimonLambert >> (All): Yes, we need to have the Word doc to consult as well as 
the updated wiki page.
David Giaretta >> (All): The WIki is being a bit slow for some reason
David Giaretta >> (All): I was in the rpocess of starting to edit it but I 
stopped when I got MArk's email
David Giaretta >> (All): I guess it depends who turns up on Wednesday - Don and
John will be there, as well as me
David Giaretta >> (All): ..not sure who else.
Mark Conrad >> (All): Bruce, We were meeting on Wednesdays, but then there was 
another call for availability and the regular meeting was shifted back to 
Monday.
David Giaretta >> (All): The agenda is basically to talk about strategy on 
Wednesday morning - face to face and then try to hold a megameeting in the 
afternoon
David Giaretta >> (All): Also try to check on the position wrt the ISO review - 
start date
BruceAmbacher >> (All): 7.2.11.d still seems too discipline specific
David Giaretta >> (All): Bruce - 7.2.11.d??
BruceAmbacher >> (All): 7.2.1.1d.  Also does the language after the list (a-h) 
apply to 7.2.1.1 or to 7.2.1.1.1.?
BruceAmbacher >> (All): If it applies to the former I can withdraw/reduce my 
concern.
David Giaretta >> (All): Bruce - which (d) - can you paste the text?
BruceAmbacher >> (All): d) technical knowledge of the digital preservation 
aspects which apply to the activity to be audited;  and the end note: These 
training requirements apply to all members of the audit team, with the exception 
of d), which can be shared among members of the audit team
David Giaretta >> (All): Bruce, I read the note as applying to the items in 
7.2.1.1 (a-h except d)
David Giaretta >> (All): ... because that is the only place where there is a (d)
BruceAmbacher >> (All): Perhaps the end note on d should be at the beginning 
rather than the end.
David Giaretta >> (All): Sounds reasonable
BruceAmbacher >> (All): or with d itself
BruceAmbacher >> (All): 7.2.1.3.1d (in part) reads: experience should have been 
gained by participation in a minimum of four certification audits for a total of 
at least 20 days, including review of documentation and risk analysis, 
implementation assessment and audit reporting; 
BruceAmbacher >> (All): What if the four audits do not total 20 days?
David Giaretta >> (All): Did'nt we say that it should be 2 audits initially?
SimonLambert >> (All): Yes, 7.2.1.3.2 was amended to two audits.
BruceAmbacher >> (All): That change is not in the posted text I am reading.
David Giaretta >> (All): I guess it says a minimum of X - ...at least XX days so 
it it's as many audits and days to satisfy both condiftions
Mark Conrad >> (All): Bruce, It specifies a minimum number of audits and a 
minimum number of days. If 4 audits doesn't add up to 20 days then presumably 
they would have to participate in more audits to reach 20 days.
Marie Waltz >> (All): When you say 20 days do you mean onsight or 20 days of 
total time devoted to the audits?
David Giaretta >> (All): Bruce - I guess SImon either forgot or more likely left 
it until we discussed things further. But we should edit that before we forget
BruceAmbacher >> (All): If we talking prep time, onsite audit, post audit 
analysis and report writing, that should be doable.
Marie Waltz >> (All): Yes 20 days is not even enough time for one audit if all 
the time taken to prepare and write up an analysis are included
David Giaretta >> (All): In fact I was wondering whether anything is specified 
as on-site? Can much of this be done virtually - at least for some participants?
Marie Waltz >> (All): I think it would depend on the reposotory and how much can 
be done remotely as far as looking at the content.
David Giaretta >> (All): Yes - case by case
John Garrett >> (All): Somewhere it says that Phase 2 of audit has to be done 
onsite to check that orgs are doing what they say they are doing.
RobertDowns >> (All): David, that is a good point, since if it specified as 20 
days, then the 20 days must be documented to ensure that the requirement is met.
John Garrett >> (All): If we cut down 4 audits to 2 audits, do we also cut 20 
days to 10 days?
SimonLambert >> (All): There was a distinction made last time between 
"participation in an audit" and "being an auditor" - the latter for the team 
leader.  Do we want to draw out that distinction?
Mark Conrad >> (All): There are some bullets in the TDR that would require 
onsite inspection.
David Giaretta >> (All): John - Yes - guess so
BruceAmbacher >> (All): I would not be comfortable if the entire audit was 
virtual, especially the first few audits.  I can see much of the prep work  and 
post audit reporting being done virtually
Marie Waltz >> (All): Onsite is good for talking to people, offsite for 
examining policies, procedures, etc.
David Giaretta >> (All): Bruce - I agree taht it cannot be entirely virtual - 
and maybe John's point would prevent that. But I wondered if everyone has to be 
physically present.
BruceAmbacher >> (All): The end of the requirement (including review of 
documentation and risk analysis, implementation assessment and audit reporting;) 
gives us the answer
BruceAmbacher >> (All): David, I could envision some audits where a part of the 
team could participate virtually.
Marie Waltz >> (All): Virtually is fine, but it won't find things like doors 
left unlocked and dead machine rooms
David Giaretta >> (All): Bruce - not sure what you mean by "The end of the 
requirement (including review of documentation and risk analysis, implementation 
assessment and audit reporting;) gives us the answer"
David Giaretta >> (All): Marie - good point - some people have to be physically 
present at least some of the time
BruceAmbacher >> (All): The end of requirement 7.2.1.3.1 d
David Giaretta >> (All): OK 
BruceAmbacher >> (All): Reading ahed solves this question.  See: 9.2.3.2.1 "The 
stage 2 audit always takes place at the site(s) of the client organization
David Giaretta >> (All): Yes indeed - I guess I was just wondering if that meant 
the whole team should be there
David Giaretta >> (All): I suppose the answer is probably yes - unless we say 
otherwise
David Giaretta >> (All): ..or perhaps it depends what "take part in" means these 
days
BruceAmbacher >> (All): David, Marie, Does this auditors' handbook benefit from 
what you all learned in doing the TRAC test audits in 2007?
David Giaretta >> (All): ANyway it's may be a minor point but it might make our 
lives easier in doing audits to start with
Terry Longstreth >> (All): Have we considered geographically dispersed archives?
Marie Waltz >> (All): Not really
David Giaretta >> (All): Marie - not sure I saw enough of the details of those 
TRAC audits
RobertDowns >> (All): It could become quite expensive for an entire audit team 
to visit some repositories, unless the team is local.
Marie Waltz >> (All): What do you need to know
David Giaretta >> (All): Terry - good point 9.2.3.2.1says *site(s)"
Marie Waltz >> (All): Expense needs to be considered as we calculated in the 
test audits it cost about $60,000 in time and travel costs to do an audit
BruceAmbacher >> (All): Is there a way to get those TRAC test audit findings 
incorporated?  They may inform the multiple lists of requirements and the 
processes and timetables to use.
David Giaretta >> (All): ...does that measn all sites or just some selection?
JohnGarrett >> (All): The team as a whole has to have the total set of coverages 
for all the abilities needed, so I assume that at least some of the team would 
need to visit the archives in person, but perhaps not the whole team, especially 
if there were experts in just some aspects that could be checked remotely.
Marie Waltz >> (All): so I'm hearing time tables based on our three test audits, 
anything else?
David Giaretta >> (All): Bruce - the things I saw were mostly descriptive - a 
nice read - but did not have the details of what was seen and what was difficult
Terry Longstreth >> (All): We may want to make some accommodation or 
acknowledgement of distributed repositories, where the actual storage devices 
aren't fixed or knowable.
David Giaretta >> (All): ...so any "raw" notes would be good
Marie Waltz >> (All): Raw notes on what was seen and what was difficult about 
auditing the three repository's?
Mark Conrad >> (All): What does onsite mean if the TDR is using cloud computing 
services? Can a cloud-based repository be a TDR?
Terry Longstreth >> (All): I think the short answer is no'
David Giaretta >> (All): Mark - just my question - Terry - just my answer!
Mark Conrad >> (All): What is the basis for the "no"?
BruceAmbacher >> (All): That certainly is not the position of the vendors and 
proponents of cloud computing
David Giaretta >> (All): However it should be auditable in some way - 
RobertDowns >> (All): Even the cloud computing environment is physically located 
somewhere.
David Giaretta >> (All): Bruce - not sure if any vendors promise  preservation.
BruceAmbacher >> (All): If we accept distributed storage, why can'r we accept 
cloud computing?
David Giaretta >> (All): ...something like Duraspace might help
JohnGarrett >> (All): I think the loss of all the backed up data for the 
Microsoft backed service shows how reliable cloud backup is.
David Giaretta >> (All): In otherwords it depends on the Service Level Agreement
Terry Longstreth >> (All): IF the audit includes verifying the physical nature 
of the repository, it's not going to be possible with most current definitions 
of the cloud.
David Giaretta >> (All): Terry - in which case we might not be able to do that 
bit but we'd need to audit the rest
BruceAmbacher >> (All): And who tells a TDR that cloud computing is not 
permitted?
David Giaretta >> (All): ...and perhaps (or perhaps not) recommend an 
improvement of moving away from cload storage - anyway some improvement
JohnGarrett >> (All): How does the archives prove that the information in the 
cloud is preserved?
David Giaretta >> (All): As I say, some SLA with DuraSpace may be enough
David Giaretta >> (All): ...have not examined it in detail
David Giaretta >> (All): ...my understanding is that it spreads the risk between 
vendors/clouds
Mark Conrad >> (All): Duraspace does not answer the question of location 
transparency. It only adds another level of complexity.
Terry Longstreth >> (All): I'm all in favor of cloud computing, but I'm not sure 
how we get past the "trust me" attitude that's prevalent.   NCOIC is working on 
a pattern for cloud computing that might be convergent. with our requirements 
for trustworthiness, but right now, almost everything is proprietary
RobertDowns >> (All): The criteria should be the same for all repositories, 
regardless of how they labeled.
David Giaretta >> (All): Mark - but at least DuraSpace are I think attempting to 
address the issue of longevity of storage
Mark Conrad >> (All): So let the cloud vendors get their services 
audited/certified for TDR.
JohnGarrett >> (All): So what other services of a TDR can be fulfilled simply by 
having a SLA with another organization that says they will do it?
David Giaretta >> (All): Mark - yes .......but maybe a little later. But it does 
raise some other interesting questions
JohnGarrett >> (All): I think that we would probably have to say that any 
services that are 'hired out' need to be hired out to a trusted/audited group.  
Otherwise the other group needs to be audited.
RobertDowns >> (All): I agree, John
Mark Conrad >> (All): Can't easily audit the physical security of a cloud.
SimonLambert >> (All): Interesting issues for certifying TDRs that are not in a 
particular domain.
BruceAmbacher >> (All): Can the audit team require the TDR to demonstrate how it 
has verified that the cloud will do the preservation just as the team would 
require the TDR to demonstrate that it is complying with its own internal 
storage and preservation solution?
JohnGarrett >> (All): If you can't audit it does that imply that it is not 
secure?
David Giaretta >> (All): I'm not sure if it is possible to get a YES/NO 
certification
Terry Longstreth >> (All): @Mark:... or the security of the transmission paths
Mark Conrad >> (All): Good luck getting Amazon, Google, IBM, etc to sign up for 
that.
Marie Waltz >> (All): Don't forget iron Mountain
BruceAmbacher >> (All): Mark and Marie just listed the first four audits (ha, 
ha)
David Giaretta >> (All): Marie - my example of a big problem was that we do NOT 
certify Iron Mountain and they send 100 lawyers after us.
David Giaretta >> (All): That would cause any organisation we set up to 
collapse.
Marie Waltz >> (All): Yes I can see this happening. But if we are auditing a 
repository that uses their services (Pays for them) then that repository can 
require it as a contingent of buying their services.
David Giaretta >> (All): ....that's why I say we do not give a YES/NO - it 
essentially pointing up areas where there can be improvement
BruceAmbacher >> (All): David, so do we gaive all such a free pass?  Do we say 
any TDR with more than one lawyer available automatically passes?
Mark Conrad >> (All): There is another ISO? standard that cloud services are 
signing up for certification. I can't remember which one it is at the moment. I 
will try to dig it up.
Marie Waltz >> (All): Yeah the big guys get the big certifications, don't they?
David Giaretta >> (All): Bruce - not a free pass - we just say where we can 
audit and are satisfied and where we cannot be sure they pass
David Giaretta >> (All): ...that sounds too weak...
David Giaretta >> (All): .....we specify where they could improve
David Giaretta >> (All): I think I said in the past that I don't think any 
repository could pass right now
BruceAmbacher >> (All): David, how many "we can't be sure" items tip the scale 
against certification?
Marie Waltz >> (All):  I think this is needless worrying, we need to get the ISO 
first
BruceAmbacher >> (All): David, success of the audit concept is linked to some 
number of TDRs being certified
David Giaretta >> (All): Bruce - this goes back to the discussions about how 
many ticks or groups of ticks. It is the same question that must arise in every 
type of audit
David Giaretta >> (All): Marie - yes but I thought we had talked before about 
not having a simple pass/fail system
RobertDowns >> (All): The ticks should be considered within each category.
Mark Conrad >> (All): Marie, Duraspace has a big marketing campaign underway. I 
think this is a very real issue that we will need to address now.
Marie Waltz >> (All): OK, address away
JohnGarrett >> (All): I think the pass/fail comes down to the judgement of the 
auditing team.  They look at how many ticks they have and how they are grouped 
and decide as a team if they 'trust' the repository.
BruceAmbacher >> (All): I see no sense in creating a standard that no one can 
meet.  Early audits should focus on obviously good TDRs and show their strengths 
and areas for improvement
David Giaretta >> (All): Robert - whenever we discussed this we got bogged down. 
The way out is to recognise that it depends upon the auditor's judgement
JohnGarrett >> (All): I agree with Bruce.  We need repositories to pass.
David Giaretta >> (All): Bruce - excactly - identifyt areas of improvement
David Giaretta >> (All): It talks about this in one of the "parent" documents - 
about general audit concepts
David Giaretta >> (All): In ISO 19011 it says "Audit findings can indicate 
either conformity or nonconformity with audit criteria or opportunities for 
improvement."
BruceAmbacher >> (All): All of this discussion points to the need to make this 
auditor guide as TDR specific as we can.  That is why I asked if we can get TRAC 
2007 audit information to better inform this auditor guide.  I am coming from 
the perspective that any TDR undergoing audit will read this guide as well as 
the CCSDS/ISO standard
David Giaretta >> (All): ...and under "Audit conclusions "If specified by the 
audit objectives, audit conclusions can lead to recommendations regarding 
improvements, business relationships, certification/registration or future 
auditing activities."
David Giaretta >> (All): Bruce - I assume they would read it they would read any 
ther ISO standard
David Giaretta >> (All): ...but the judgement of the auditor is crucial
JohnGarrett >> (All): Another out for getting certifications is 9.2.1 where it 
is determined the scope of the  certification.  So we should be able to certify 
certain parts of an archives such as only certifying local archives activities 
and not certify what happens out in the cloud?
David Giaretta >> (All): ....we discussed this in Washington
David Giaretta >> (All): The metrics are guidelines for the auditor - to make 
sure he/she looks at this or that aspect
BruceAmbacher >> (All): We should expand this to show timeframes based on size 
of TDR, what materials are due to the team before the audit, specifically what 
the minimum audit areas will be, what information must be available to team 
while onsite, etc.
BruceAmbacher >> (All): Or is this type of thing up to the audit team and its 
negotiations with the TDR?
David Giaretta >> (All): Timeframes would be difficult until we get more 
experience but I would have thought the other things are in the Metrics doc
David Giaretta >> (All): ..although we could make reference to the "Examples..." 
and "Supporting text..." parts
RobertDowns >> (All): An inventory of facilities and their locations would help 
to determine the time required for a particular audit.
Marie Waltz >> (All): Bruce-If you tell me specifically what types of 
information from the test audits will help with this process I can see what we 
have and send it to the group, however as it is I'm not sure what is needed.
JohnGarrett >> (All): I think most of those things are subject of negotiations 
with auditors and TDR.  Auditors show have defined proceedures that say to show 
that RAC checklist item x.y is OK, we must see this type of documentation.
Mark Conrad >> (All): David, if the data is stored in a cloud does it matter 
about the local archives activities.
BruceAmbacher >> (All): Marie,
David Giaretta >> (All): Mark - I assume the repository cannot leave everything 
to the cload - probably only the bit storage
Mark Conrad >> (All): David, What is the basis for that assumption? Cloud 
services include computing platforms that could be used for ingestion of the 
SIPs, creation of the AIPS and DIPs, etc.
BruceAmbacher >> (All): INarie,  am not sure what info would be hepful in the 
auditor guide.  I assume much of it would really relate to 
issues/findings/problems that aroes during the test audit that would inform this 
guide as to timing, procedures, most/least importnat information based on 
presumptions vs, reality.
RobertDowns >> (All): One scenario is that the cloud could offers services for 
each activity that a repository offers.
David Giaretta >> (All): Mark - but who specifies the Designated Community and 
ensures the AIP is OK? 
David Giaretta >> (All): Mark - so the repository must do something locally - 
even if it's just right instructiosn for the cload
Mark Conrad >> (All): David, The repository, but most of the activity could be 
taking place in the cloud.
David Giaretta >> (All): Mark - sure - all I'm saying is that not all of it 
happens in the cloud
BruceAmbacher >> (All): Exactly when is the next virtual meeting?  I have to sig n
off now.
Mark Conrad >> (All): David, But the majority of it easily could.
Terry Longstreth >> (All): Remember, the cloud is an abstraction.   There are 
still real computing resources behind it.  
RobertDowns >> (All): If a repository is using cloud services and requests 
certification, then the cloud services would need to be audited.
David Giaretta >> (All): ..Mark - I'm just answering your question about "does 
it matter about the local archives activities." - and I'm saying yes
David Giaretta >> (All): .....of course that still begs the question about how 
to audit anything in the cloud
BruceAmbacher >> (All): Please send a notice about the next meeting.  Goodbye
Mark Conrad >> (All): David, If the majority of the activities are taking place 
in the cloud and you are saying, we should be able to certify certain parts of 
an archives such as only certifying local archives activities and not certify 
what happens out in the cloud? How useful is that certification?
David Giaretta >> (All): Marie - it might be useful to have alist of the 
documentation inspected
JohnGarrett >> (All): If I were an auditor for a repository using a cloud 
application, I would probably have to document the local activities of the 
repository and then also note that this other piece is farmed out to the cloud 
and that that part of the activity was not audited and the certification doesn't 
cover it.
RobertDowns >> (All): John, then that repository would not really be certified.
David Giaretta >> (All): Mark - I see what you are saying - but John has 
answered it
Mark Conrad >> (All): Robert, Terry, If the repository has not included 
audits/inspections in their contract with their service provider it would be 
very difficult to carry out that part of the audit.
JohnGarrett >> (All): I agree that I wouldn't trust that type of certification, 
but users need to decide on their own
Terry Longstreth >> (All): ditto
David Giaretta >> (All): I guess the question is - are there any circumstances 
in which we absolutely and flatly reject any repository
Marie Waltz >> (All): If its run by monkeys?
Terry Longstreth >> (All): Although part of our  value add might be to certify 
that the cloud is backed by rtrustworthy facilities
David Giaretta >> (All): Yes - that type of thing
JohnGarrett >> (All): If certifications are to be worthwhile, there must be a 
way they can be failed.
Mark Conrad >> (All): David, If there aren't, then what is the point of being 
certified?
David Giaretta >> (All): John - yes
David Giaretta >> (All): Mark - I agree
Mark Conrad >> (All): Terry, Many organizations are setting up private clouds 
because the cloud providers won't let anyone do a real inspection.
David Giaretta >> (All): Parhaps the real issue is one of where the fail point 
is - I would guess that no-one would pass everything and all reasonable 
repositories would need some sort of improvement plan
JohnGarrett >> (All): I suspect that are many things calling themselves archives 
that would fail certification (including many NASA project archives that aren't 
interested in long-term preservation and are really just access centers)
Mark Conrad >> (All): John, So we audit a bunch of them so we have examples of 
failing certification.
JohnGarrett >> (All): In NASA's case, failures to certify such archives could be 
valuable in making management decide how and when long-term preservation needs 
to be taken into account.
Terry Longstreth >> (All): Mark - There are many reasons for not letting people 
look under your skirts.   I don't think clould computing has a lot to do with 
that.
Mark Conrad >> (All): I doubt that those repositorues would be interested in 
paying for the privilege.
David Giaretta >> (All): John - yes - but in OAIS we talked about a repository 
being part of a chain of preservation - and in the metrics the assumption is 
that all archives should be prepared to hand over to successors
JohnGarrett >> (All): I think it would be a valuable exercise to audit failing
JohnGarrett >> (All): 'archives', but I'm not sure they would agree to be 
audited.
David Giaretta >> (All): John - it depends whether they have a plan to hand over 
their materials and whether hose materials are adequate
David Giaretta >> (All): John - depends what their funders demand!
JohnGarrett >> (All): Exactly, 
David Giaretta >> (All): SO coming back to the doc - is there anything we need 
to add/correct in the light of this dicsussion?
JohnGarrett >> (All): And an audit may give funders an idea of what they should 
demand.
Mark Conrad >> (All): David, I think we need to define what "on site" means.
Terry Longstreth >> (All): I agree with Mark
Marie Waltz >> (All): Me too.
David Giaretta >> (All): And edit the number of audits/days needed for auditor 
training
David Giaretta >> (All): Does anyone care to put something on the wiki about
on-site?
Terry Longstreth >> (All): on training days; I'm still uncomfortable making the 
time a requirement.  Can it be function based?
Mark Conrad >> (All): Terry, What functions would be covered?
David Giaretta >> (All): I would argue that we need to say - at least the 
majority of the team on site - including the ones familiar with the particular 
area being audited. - ANyone agree with taht?
David Giaretta >> (All): ...the rest could be virtual
David Giaretta >> (All): Terry - not sure what you mean
Terry Longstreth >> (All): Whatever the training was supposed to accomplish.   
If I can do tthat in less than x days, good for me
David Giaretta >> (All): But this was training by taking part in the audit - we 
have not really talked about the formal qualifications e.g. University course
Mark Conrad >> (All): What the training is supposed to accomplish is still 
listed as TBD. That will be an important to nail down.
RobertDowns >> (All): David, perhaps we should specify that the auditor's 
experience should have included at least one site visit.
Terry Longstreth >> (All): So , it's an apprenticeship? There should b e a 
master's test.
Mark Conrad >> (All): 7.2.1.3.1c) have successfully completed five days of 
training ALERT! (TBD as to what constitutes this) the scope of which covers TDR 
audits and audit management shall be considered appropriate; 
David Giaretta >> (All): Mark, Terry - we talked around this last time - what 
qualifications are needed. 
David Giaretta >> (All): ...e.g. could we specify a particular University short 
course
JohnGarrett >> (All): I would require a lead auditor to have been on a site 
visit before, not any auditor on the team.
David Giaretta >> (All): ...or say the primary audit cttee will specify what 
course are OK
Mark Conrad >> (All): This is getting so watered down as to be meaningless.
David Giaretta >> (All): John - perhaps the trainee auditor should go on 2 site 
visits at least
Marie Waltz >> (All): David-I think anything which names particular institutions 
or courses should be supplemental, becuase they change
Terry Longstreth >> (All): John - we'd still need bootstrap criteria to start 
somewhere
David Giaretta >> (All): Mark - not meaningless - without specifying the course 
or the training then that would be meaningless.
David Giaretta >> (All): ...but I wanted to pin it down somehow
David Giaretta >> (All): ....because this doc cannot list things in detail
David Giaretta >> (All): ....so placing the authority with the primary audit 
cttee, at least until this doc is revised, might be adequate
Mark Conrad >> (All): David, I wasn't referring to the training specifically. I 
just mean the trend of the discussion has been how can we soften the 
requirements.
JohnGarrett >> (All): I think we need to be practical.  When need to be able to 
have auditors in the near term.  We can specify lighter requirements for our 
first issue and 3 years from now when we need to recertify the ISO spec, we can 
add more stringent criteria at a time when more people can meet them.
Mark Conrad >> (All): Reduce the number of days, reduce the number of audits, 
reduce the number on-site, etc.
Mark Conrad >> (All): John, Has this approach been used with other ISO 
standards?
Terry Longstreth >> (All): ...Identify the skills and competencies required, and 
how to verify assertions of such
David Giaretta >> (All): I agree with John - but to my mind it keeps coming back 
to the prime audit cttee - perhaps we shuld in this initial version state that 
they accredit the auditors
RobertDowns >> (All): We still need criteria for that certification, David
David Giaretta >> (All): Mark - I think we all had an action to look at other 
ISO cttee workings
David Giaretta >> (All): Robert - we can have what is in the doc now but add 
that extra condition - I just cannot see how else to bootstrap this
JohnGarrett >> (All): I don't know specifics for ISO, but I know certification 
requirements for a many industries change over time.  I know that engineering 
certification today is very different from when I graduated these many years 
ago.
Mark Conrad >> (All): I need to sign off now. What time are we meeting on 
Wednesday?
JohnGarrett >> (All): My wife has been involved with changing requirements for 
certificaton and licensure of counselors and coaches.
David Giaretta >> (All): John - we need to know how the systems bootstrap
Terry Longstreth >> (All): I have to leave too.  I'll check back on Wednesday
Marie Waltz >> (All): Bye all.
RobertDowns >> (All): I also need to leave. Bye
David Giaretta >> (All): 10:30 Washington, 2:30 UK, 3:30 Holland!!

-- SimonLambert - 26 Oct 2009