Notes from Megameeting 23rd November 2009

Attendees

BruceAmbacher UM
DavidGiaretta STFC
JohnGarrett GSFC
MarkConrad NARA
SimonLambert STFC
TerryLongstreth  

Summary

There was a lengthy discussion of how to specify surveillance and recertification activities, particularly with relation to the requirements of ISO 17021, and whether it is permissible to vary that standard to suit the needs of the emergent TDR standards.

Actions

  • All to think about how to determine whether it is permissible to vary the requirements of ISO 17021.
  • DavidGiaretta to propose some wording on the wiki showing how to specify a variation from the parent standard.

Transcript of chat

BruceAmbacher >> (All): Hello Simon
SimonLambert >> (All): Hi Bruce
BruceAmbacher >> (All): Does your email posting mean that we cannot set our own 
time spans for "surveillance" and periodic reports and subsequent 
reaudit/recertification?
SimonLambert >> (All): Good question - I actually don't know whether we can vary 
the statements in the parent doc, or simply refine/add to them.
BruceAmbacher >> (All): I don't know the "enforceability"  of one ISO standard 
upon another.  Perhaps John knows.
SimonLambert >> (All): I suppose we have to have some flexibility in this area.
SimonLambert >> (All): Did you have a chance to look at the links sent by david?
BruceAmbacher >> (All): No
SimonLambert >> (All): Nor me
Mark Conrad >> (All): Hello.
Mark Conrad >> (All): Simon, I found your analysis of surveillance very 
informative and daunting!
Mark Conrad >> (All): Who's going to want to pay for all of this?
SimonLambert >> (All): We were just wondering how much discretion we have to 
vary these requirements
SimonLambert >> (All): It seems to be describing a mature market with 
established providers of services
Mark Conrad >> (All): Could we drop the references to the other standards and 
implement our own timetable?
BruceAmbacher >> (All): Mark, do you have any sense of the enforceability of one 
ISO standard on another?
Mark Conrad >> (All): Maybe we could get contracts with Microsoft, Amazon, IBM, 
Google etc to certify their cloud services.
Mark Conrad >> (All): Bruce, I do not.
BruceAmbacher >> (All): Mark, You are riding in the clouds without an airplane 
or parachute if you think that is possible!
SimonLambert >> (All): We need to know if we can say instead of "The 
requirements from ... apply. In addition ..." we can say "However ..."
BruceAmbacher >> (All): Who would be best to know that or be able to seek out 
the answer - CCSDS technical editor, CCSDS liaison to ISO, John Garrett, or?
Mark Conrad >> (All): Bruce, Actually one of the biggest hurdles that the cloud 
vendors are running into are compliance issues. They are already undergoing SAS 
70 audits to try to address their credibility in being trustworthy repositories.
JohnGarrett >> (All): Hi all.
Mark Conrad >> (All): Hello. Just the person we were talking about!
JohnGarrett >> (All): We can vary time periods for our standard, but then we 
won't be totally compliant with the parent standard.
BruceAmbacher >> (All): Mark, you did not list Iron Mountain or OCLC Digital 
Archive.  Either might be a good audit candidate and see both a business value 
and a promotional value.
Mark Conrad >> (All): Bruce, They are not in the same league. We need folks with 
deep pockets to support the kind of surveillance we are talking about here.
BruceAmbacher >> (All): OCLC now is the parent of RLG which has been a major 
proponent of trustworthy repositories
BruceAmbacher >> (All): Iron Mountain is  $1 billion company
Mark Conrad >> (All): That's chump change for these other folks.
BruceAmbacher >> (All): What is our target group? A rounding error?
Mark Conrad >> (All): Do you want to stay in Motel 6 or the Plaza when you do 
your site visits?
BruceAmbacher >> (All): The Y might be all we actually could afford.
JohnGarrett >> (All): I think we need to do what we think our industry will 
accept, but I would also prefer to keep in step with the parent standard if 
possible.
BruceAmbacher >> (All): John,
BruceAmbacher >> (All): Can we define/simplify the requirements of the annual 
surveillance and report?
JohnGarrett >> (All): Yes, I think we can.   But that does mean that our 
standard won't be fully compliant with the parent standard.  
JohnGarrett >> (All): We could get comments on that when we go through ISO 
review, but we can answer them by indicating that we lightened the requirements 
to get industry buy-in for the standard and get at least some level of auditing 
started.
Mark Conrad >> (All): Just reading through one of the links that David sent. The 
scribe notes for MSFC ISO 9000 surveillance audit make it look like this is a 
pretty extensive process.
BruceAmbacher >> (All): The burden in the annual surveillance is the onsite 
requirement.  Perhaps we can address that by ensuring that one of the auditors 
is located near the repository for followup surveillances.
JohnGarrett >> (All): I'm sure for many archives, any cost is too much.  On the 
other hand for any of the big boys where certification might be important for 
marketing or business reasons, a cost of a couple $K/year would not be too much.
Mark Conrad >> (All): A couple of these certifications and follow-ups could turn 
into a full time job - assuming you could find parties willing to pay for them. 
Who is going to have the time to do these audits?
BruceAmbacher >> (All): Another aspect would be to narrowly define the areas for 
interim surveillances to focus on the long term preservation mission.
JohnGarrett >> (All): Yes, I didn't have a chance to look at those yet.  Is 
there any indication of who was being audited (how big, etc) and how much time 
was required?
Mark Conrad >> (All): John, I don't think a few K$/yr will be enough.
BruceAmbacher >> (All): Mark, Didn't you know this is the post retirement job 
for many CCSDS members - Don Sawyer, David, Bruce, Claude Huc
JohnGarrett >> (All): For a small archive operation, I was envisioning 1 person 
flying in and looking at a few things and flying out either that day or the 
next.
Mark Conrad >> (All): Bruce, More power to you.
BruceAmbacher >> (All): John, even that could be a serious expense these days
Mark Conrad >> (All): John, Take a look at Simon's notes on surveillance. It 
will take more than a simple one day visit.
Mark Conrad >> (All): I think we need to seriously consider unhooking our audit 
standard from the existing ISO standards or we need to take a hard look at who 
our potential customers are and what they will be willing to pay for this 
certification.
JohnGarrett >> (All): I did sort of skim over them, but I think the amount of 
time auditing will vary quite a bit based on size of the operation.  Even a 
recertification audit is less work than the initial one.  The annual audit 
should be even less.
BruceAmbacher >> (All): Simon's notes show: 8.6.3 Notice of changes by a 
client "The certification body shall have legally enforceable arrangements to 
ensure that the certified client informs the certification body, without delay, 
of matters that may affect the capability of the management system to continue 
to fulfil the requirements of the standard used for certification." Is this 
national legislation? state legislation? or what?
Mark Conrad >> (All): John, It says the auditors will visit the site(s). Travel 
alone is going to be pricey.
David Giaretta >> (All): Hi folks - sorry I'm late
SimonLambert >> (All): Is the main issue that we really need an initial period 
during which the requirements for surveillance etc are much reduced, so as to 
establish a functioning market in services? And during that period the lead 
audit cttee would have a major role?
BruceAmbacher >> (All): David, welcome.  We have been discussing the 
implications of the surveillance and annual audit
David Giaretta >> (All): I guess there are several related questions. (1) what 
is actually needed to have confidence in a repository and (2) how much would it 
cost/how much could the market bear
JohnGarrett >> (All): Bruce, I think the legally enforceable piece should not 
need to include legislation.  I think the right words in a contract between the 
archives and auditor would suffice at the start.  Later if people really get on 
board, then legislation may follow with Congress for example insisting that NARA 
for example be certified.
BruceAmbacher >> (All): Could funding annual audits (initially) be a grant 
funded activity?  Grant funds would pay the repository's costs for the initial 
audit and the annual updates for say two cycles?
Mark Conrad >> (All): Bruce, To be legally enforceable the responsibility's 
would have to be spelled out in the contract. The jurisdiction where the law 
would apply would be spelled out in the contract.
JohnGarrett >> (All): Mark, yes I agree site visits are required and would be 
costly depending on how many people need to travel and for how long.
BruceAmbacher >> (All): I like John's idea of making it a clause of the audit 
contract - the repository commits to an audit and two annual followups
David Giaretta >> (All): I assume that we can specify what we need in the 
standard, but I don't know that we have the answer to (1), and certainly not (2) 
therefore I suggest that we add some of the "depends on the lead audit 
committee" type of wording to give some flexibility.
JohnGarrett >> (All): But it is likely that archives with limited budgets will 
hire more local auditing organization with lower costs.
David Giaretta >> (All): John - yes and I guess our job is to make sure the 
local audit organisation does a good job
BruceAmbacher >> (All): John, That works as long as the team has been trained 
and accepted by the central body
JohnGarrett >> (All): Bruce, I would also have words in contract that archives 
need to notify certifier of any "major changes".  And if the annual updates 
aren't scheduled the certification lapses.
BruceAmbacher >> (All): Can we form a team with a local member/  The full audit 
team does the full audit, the local member also does the two followup site 
visits?
Mark Conrad >> (All): David, The referenced ISO audit standards require 
substantial follow-up on the initial audit to maintain certification. Can we 
just say that part of the audit standard does not apply in this case?
David Giaretta >> (All): Looking back at the discussion I suggest we cannot 
force anyone to have an audit. Nor can we legally bind them to follow on 
audits. All we can do is to say that someone is NOT certified i.e. has not been 
audited/certified or has lost their certification.
BruceAmbacher >> (All): or make much of this a checklist and focus on the 
preservation aspects?
JohnGarrett >> (All): Yes any auditor would need to be approved by the central 
body.
Mark Conrad >> (All): David, "Nor can we legally bind them to follow on 
audits." I do not believe this statement is in line with the referenced ISO 
audit standards.
BruceAmbacher >> (All): John, David, do either of you know how we can 
determine the relationship of the parent standard to our version?  How 
enforceable are the parent clauses?
David Giaretta >> (All): Mark, Bruce, I guess I go back to the points (1) and 
(2). I personally would like to set up a standard/process such that we would 
have confidence in a certified repository. 
David Giaretta >> (All): ...otherwise we could end up with some kind of stamp 
which does not mean anything
Mark Conrad >> (All): David, According to Simon's analysis of the existing ISO 
audit standards 1 and 2 are at odds with those standards.
David Giaretta >> (All): Bruce - I assume that the standard specifies what holds 
i.e. it can refer to other standards so not, or override certain things or not.
David Giaretta >> (All): Mark - not sure what you mean
BruceAmbacher >> (All): Agreed, but it also must be affordable.  I see a need 
for bodies like the UK Heritage Commission and/or grant making organizations to 
take this under their wings and finance.
David Giaretta >> (All): Mark - what do you mean by "those standards"
David Giaretta >> (All): Bruce - yes, but if we mix up the two points then we 
will end up with something that lots of people will have but it will be more or 
less meaningless.
Mark Conrad >> (All): ISO 17021 for starters.
JohnGarrett >> (All): And following the parent standard indicates our compliance 
with a standard that is used in general for all types of auditing.  I don't think they 
can require us to follow it, but it is valuable for our claim that this is a 
good standard to follow for auditing archives.
David Giaretta >> (All): Mark why is (1) at odds with ISO 17021. And what does 
ISO 17021 have to say about (2)?
JohnGarrett >> (All): But we need to balance what we can sell to get archives to 
start getting certified and that we can sell to funders to get them to fund 
something that is useful to them.
Mark Conrad >> (All): At this point we have incorporated ISO 17021 by reference 
into our document have we not?
David Giaretta >> (All): Mark - yes in so far as we say "section x.x" of 17021 
applies"
David Giaretta >> (All): John - yes I think that is right, but in addition we 
need to be happy about it.
Mark Conrad >> (All): David, ISO 17021 lays out minimums for audits, re-audits, 
and re-certification. This has an impact on both 1 and 2.
JohnGarrett >> (All): Is the only issue with following 17021 dealing with the 
annual audits?  Is that is the right time period?  Is on-site required?  What is 
the cost?
Mark Conrad >> (All): 1. because it sets a floor on what is good enough.
2. because the costs of meeting that floor will be costly.
David Giaretta >> (All): Mark - I assume that it lays out minimum periods 
because there is a belief that longer periods would put the information at risk 
- hence is consistent with (1) - without costings in ISO 17021 then we don't 
know about (2)
David Giaretta >> (All): So one could take the view that we need about the same 
periods as ISO 17021 since security is a minimum concern. We may need shorter 
periods.
Mark Conrad >> (All): David, Assuming just the travel costs to meet the minimum 
requirements of ISO 17021, I believe it will be more expensive than many 
repositories will be willing/able to pay.
TerryLongstreth >> (All): I think the central body should decide the periods.  
We should describe Full audits, Recertification audits and Surveillance audits 
(or whatever audit classes we want)
David Giaretta >> (All): ...then one could ask about costs. If no-one is able to 
pay then we have nothing. On the other hand we can do things like allow more 
virtual inspections etc to reduce the costs - as long as we think it would still 
be OK e.g. because there are at least 1 or 2 people physically present.
Mark Conrad >> (All): Terry, Then should we de-couple our document from ISO 
17021?
Mark Conrad >> (All): David, Have you cloned yourself?
David Giaretta2 >> (All): I would argue there is no need to decouple - because 
we can put in some wording saying "its up to the initial audit committee" and 
also because we would have to start from scratch and invent a whole lot of audit 
theory anew
David Giaretta2 >> (All): Mark - got kicked out and had to create a new name
JohnGarrett >> (All): I think for the start, for a small archives organization, 
having 1 person present  for a day could be enough.  Costs would still rule out 
very small archives getting certified, but larger ones should be able to absorb the 
few $K that would involve and would be worth it to be a certified archives.
Mark Conrad >> (All): David, Then we would have to say the following sections of 
17021 do NOT apply.
David Giaretta2 >> (All): John - maybe the smaller archive should not be trying 
to be certified.
TerryLongstreth >> (All): I don't understand 17021 well enough, but I think we 
might want to account for a broader definition of digital repository, including 
moribund repositories whose fonds are stable and static.
David Giaretta2 >> (All): Mark - not sure why you say that - each section says 
(I think) "sections x.x apply - with the addition of". Any section of ISO17021 
not mentioned in that way surely does not apply
JohnGarrett >> (All): David, yes I think there will be small archives that do 
not get other organizations to certify them.  Same as with ISO 9000.  The costs 
for very small organizations is too much.
JohnGarrett >> (All): On the other hand, a fair number of companies with only 
100 employees or so consider it a business opportunity to have the 
certification.
Mark Conrad >> (All): Take a look at Simon's e-mail with the analysis of 
surveillance.
David Giaretta2 >> (All): John - yes - that's why I argue that we should aim for 
an adequate standard and only then do we look at costs. If we mix up the 
processes then I fear we will have something that does not do the job.
Mark Conrad >> (All): I don't know of too many archives with 100 employees.
JohnGarrett >> (All): Is the only issue with 17021, the annual auditing 
requirement?  If so, let's keep the rest and just redefine, if necessary, the 
annual audit.
BruceAmbacher >> (All): How many large digital repositories are there?  They are 
not enough to sustain a standard.  They are not enough to prompt medium and 
small repositories to participate.  We also have no mechanism to "punish" non 
participating, non compliant repositories.
Mark Conrad >> (All): David, John, Please take a look at Simon's e-mail.
David Giaretta2 >> (All): ...so I would argue that since we don't know what 
periods are actually necessary we follow 17021 but with a get-out saying the 
initial audit committee can change those periods. And of course (2)  we can have 
different types of certification - as we discussed previously
JohnGarrett >> (All): I don't think we will ever have a way to punish non-
certified archives.  It's only by the force of the industry expecting that 
archives are certified that we will have any influence at all.
BruceAmbacher >> (All): we have to focus on the carrot.  What will passing an 
audit give to a repository of any size?  Can we persuade national funding bodies 
and grant agencies to require certification of any repository applying for funds 
or a grant?
JohnGarrett >> (All): Mark, I'm looking at Simon's email.  What parts are you 
concerned about?
Mark Conrad >> (All): John, I don't know what "industry" you are talking about. 
I don't think we will see too many consumers of archives demanding certification 
of the repositories they use.
BruceAmbacher >> (All): Can we use irods to help the repository prepare for the 
audit and/or provide the data for the annual followup report?
TerryLongstreth >> (All): Punishment (Back to the Continuing Presence problem?); 
a standing authority that can advertise when an archives have lost their 
credentials
BruceAmbacher >> (All): We are starting an exclusive club and then publicizing 
when we kick out one of the few applicants who passed the entrance exam!
Mark Conrad >> (All): Bruce, iRODS is infrastructure for building a digital 
repository. How does this help a repository prepare for an audit?
BruceAmbacher >> (All): Mark, I thought I heard it described as a way to test 
compliance with the audit requirements stated as "rules" for the operating 
system/preservation system.
David Giaretta2 >> (All): Let's go back to the face to face meeting in 
Washington. We agreed that there were lots of reasons which would cause us to 
fail in our aim of setting up an audit and certification process based on an ISO 
standard.
Mark Conrad >> (All): Bruce, A repository can set up a rule set for an iRODS 
repository that would help them meet the TRAC requirements.
JohnGarrett >> (All): Mark, I can see eventually lawmakers requiring 
certification of National Archives and Libraries.  I see NSF writing 
certification requirements into grants etc. down the line.  At the start, I 
don't see anyone caring.  But I could see major archives wanting to say, "See we 
are certified."
David Giaretta2 >> (All): ........ One reason for failure was that people would 
not think it was worth it. But if we dilute the standard/process then it 
certainly will not be worth it.
BruceAmbacher >> (All): Mark, I see this document as improving on TRAC, making 
it easier to create rules
BruceAmbacher >> (All): John, NARA helped us quite a bit along those lines when 
it required companies competing for the Electronic Records Archives contract to 
show how they complied with both OAIS and the early TRAC drafts.
Mark Conrad >> (All): John. Look at NSF's current requirements for deposit of 
grant-funded data. I do not share your confidence that there is going to be a 
government mandate for certification.
JohnGarrett >> (All): There have been iRODS rules written that help to show that 
 a majority of the items in the Metrics document have been met.   At least that 
is the claim.
David Giaretta2 >> (All): Getting back to the doc - is there any reason that we 
cannot simply say that all the ISO 17021 etc applies except where the 
surveillance and re-certification period may be changed by the initial audit 
cttee.?
Mark Conrad >> (All): David, That is essentially where this conversation 
started. Can we do that?
BruceAmbacher >> (All): David, I support that but how can we determine if ISO 
would support that?
David Giaretta2 >> (All): It's up to the review
David Giaretta2 >> (All): We can only do what we think is right
BruceAmbacher >> (All): It would be good to know before the review
TerryLongstreth >> (All): Maybe it's time to update 17021 
BruceAmbacher >> (All): John, David, Is there anyone you can contact to get a 
sense on this?
JohnGarrett >> (All): Mark, who do you see as wanting to be certified then?
David Giaretta2 >> (All): Again - we agreed in Washington that one possible 
failure was that too many people would black-ball the standard
Mark Conrad >> (All): Terry, In our spare time?
David Giaretta2 >> (All): Bruce - sense on which thing?
BruceAmbacher >> (All): Maybe we can find out the re-review cycle for 17021 and 
provide comments at the right time
Mark Conrad >> (All): John, Archives who can get the certification at 
little-to-no-cost to them.
David Giaretta2 >> (All): Bruce - why would we want to alter 17021?
BruceAmbacher >> (All): Sense on whether we can modify the audit cycle
TerryLongstreth >> (All): If we enumerate our concerns with 17021, we could 
submit them as a side-effect of our work.  
JohnGarrett >> (All): Bruce, we can certainly adapt the 17021 standard's 
provisions.  It is also possible that someone from the 17021 camp will object 
and it is possible that people from the archives community will object to not 
following that standard. 
David Giaretta2 >> (All): Bruce -  we can talk to people but the bottom line is 
that we don't know how long the period should be and so we have to have some 
variability
BruceAmbacher >> (All): David, if we want to be in compliance with the parent 
17021 and we know the cycle and requirements are too rigorous/extensive/costly 
for our community we should try to change 17021 and introduce variable cycles 
depending on the discipline and the maturity of that community
JohnGarrett >> (All): When we get review comments, then we will need to respond 
to them.  If we have a valid response, we don't need to make the change.
TerryLongstreth >> (All): What Bruce said
David Giaretta2 >> (All): Bruce - changing 17021 would take goodness knows how 
long and is as far as I can tell, unnecessary.
David Giaretta2 >> (All): John - yes
Mark Conrad >> (All): What Bruce said
BruceAmbacher >> (All): The bottom line here is that NONE of us know what 17021 
imposes on a derivative audit standard that wants to implement a less rigorous 
timetable and scope of interim activities.  Someone needs to determine the 
answer.
David Giaretta2 >> (All): Bruce/Mark - we refer to 17021 merely as a short-cut 
to save writing. It also shows we adopt well accepted ways of doing things. 
Mark Conrad >> (All): It is pretty clear that we don't have a shared 
understanding of who our potential clients are and what their expectations would 
be.
JohnGarrett >> (All): I think we all agree that we are adopting most of 17021, 
but may want to change time periods/cycles of re-audits in 17021.  Now we are 
back to deciding amongst ourselves what is the proper periods?
David Giaretta2 >> (All): Bruce - again, I don't think we are a derivative 
standard - we have just been lazy and have borrowed wording
David Giaretta2 >> (All): John - I don't think we know yet - hence "leave it to 
the initial audit cttee..."
BruceAmbacher >> (All): But will ISO allow us to establish an audit standard 
that is less rigorous than 17021?
Mark Conrad >> (All): David, The short-cut has led to the adoption of audit 
requirements from 17021 that in all likelihood will place certification out of 
the reach of most archives.
David Giaretta2 >> (All): Mark - you cannot say that because we have not made 
the modifications we need.
David Giaretta2 >> (All): Bruce -  does length of time between audits define the 
rigor of the audit?
Mark Conrad >> (All): David, The question is can we make such modifications and 
credibly say we are following 17021?
David Giaretta2 >> (All): I think the position is that we claim to be experts - 
we should decide - just as we have done for the metrics. But we also said that 
we cannot tie everything down - we leave it to the judgement of the auditor - 
and the metrics guide that judgement
SimonLambert >> (All): I guess someone should check exactly how the info 
security standard (on which our draft is based) says it relates to 17021.
JohnGarrett >> (All): I think we can make changes and say that we are following 
17021 except that we are not compliant with 17021 in terms of the time periods 
for the audits.
BruceAmbacher >> (All): Our operating premise is that we want to audit the 
requirements, that we want a 3 or 5 year cycle, we want interim annual reports 
with no onsite visits unless extraordinary circumstances require it, and that 
followup audits would not be full audits but examine sets of criteria on a 
rotating basis - correct?  Can we "sell" that and still "complement" 17021?
David Giaretta2 >> (All): ...similarly we don't need to tie the hands of the 
audit process but we leave it to the judgement of the initial audit cttee - but 
with guidance
David Giaretta2 >> (All): Bruce - I don't think we can say we want a 3 or 5 year 
cycle. I think we certainly need surveillance audits. The question is about the 
level of guidance we believe we need to specify.
David Giaretta2 >> (All): The "selling" is not going to be on price - otherwise 
people could use DANS ($30)
BruceAmbacher >> (All): David, what then is the cycle?
BruceAmbacher >> (All): David, I am not familiar with DANS.  What is that?
David Giaretta2 >> (All): The "selling", it seems to me, is that the initial 
audit committee is respected and that the costs are not excessive. The archive 
almost certainly will not pay - their funders will pay.
David Giaretta2 >> (All): Bruce - I may have the acronym wrong - one of the 
European efforts 
David Giaretta2 >> (All): Bruce - the most convincing option would be to stick 
with the 17021 timings but allow the initial audit committee to vary them.
TerryLongstreth >> (All): Followup timings could be an outcome of the initial 
audit
David Giaretta2 >> (All): Guys - I must leave in a few minutes
BruceAmbacher >> (All): So, with little changed since we began 90 minutes ago, 
where do we start next week?
David Giaretta2 >> (All): Terry - yes, quite possibly - and maybe the level of 
funding and the surveillance reports
David Giaretta2 >> (All): Bruce - did you make the changes to the Wiki from last 
week?
Mark Conrad >> (All): "This International Standard specifies requirements and 
provides guidance for bodies providing audit and certification of a trusted 
digital repository (TDR), in addition to the requirements contained within 
ISO/IEC 17021 and <ISO XXXXX - RAC Document>. It is primarily intended to 
support the accreditation of certification bodies providing TDR certification."
BruceAmbacher >> (All): Yes
David Giaretta2 >> (All): Mark - if that statement can be misread then we should 
change it
Mark Conrad >> (All): That is the current statement in the Scope section of our 
document.
JohnGarrett >> (All): ISO 27006 in its Introduction and in its Scope has words 
that indicate it is adding additional requirements to the ISO 17021 and ISO 
27001 (its metric standard).  My interpretation is that they are fully compliant 
with ISO 17021.  On the other hand Security Auditing is a mature industry 
already and one with a lot of potential liability so having a certification is 
helpful.
David Giaretta2 >> (All): for example "in addition to the requirements contained 
within ISO/IEC 17021 " [perhaps should be "in addition to requirements contained 
within ISO/IEC 17021, where specified "
Mark Conrad >> (All): David, It says "in addition to the requirements contained 
within ISO/IEC 17021". I don't know how you misread that.
BruceAmbacher >> (All): I must sign off, someone please send a message of the 
agenda/focus for next week.
David Giaretta2 >> (All): Mark - if it does not say what we mean then we should 
change it
David Giaretta2 >> (All): I'll try to suggest some wording on the Wiki later 
this week about what I meant about allowing variations
David Giaretta2 >> (All): Bye folks

-- SimonLambert - 23 Nov 2009

Topic revision: r1 - 2009-11-23 - SimonLambert