Requirements for Bodies Providing Audit and Certification of Digital Repositories

Draft guidelines for auditors as Word doc:

  • AuditorGuidelines-rev2009Sep09w17021InBoxes.doc: This is the current 2009-Sep-09 version of the Auditor document with the referenced ISO 17021 text included in text boxes in each section. This will allow reviewers to see exactly what each section is requiring without flipping between the review documents. When document is complete, the text boxes will be removed.

  • Version of September 9, 2009 Based on the version below but with areas identified that may need revising for the TDR context. See AuditorGuidelinesIssues for these same areas extracted and put into wiki form for ease of reference; this page is also now being used to track the agreements (and unresolved issues) from the weekly MegaMeeting discussions. Also dummy annex for security issues added.

  • Version of February 19, 2009 This version uses the phrase "Trusted Digital Repositories" throughout (rather than "Digital Preservation Systems" and the like), and has been checked for stray references to information security remaining from the ISO 27006 on which it was based. The annexes have been removed (or rather left empty) as these were highly specific to ISO 27006, and at the meeting in College Park it was not clear that we really need them.

We may also need to provide content for a number of appendices.

See this document for some notes on the relation between the main requirements and the requirements for auditors.

Comparison with corresponding document for ISO 27006

Example areas of auditor competence

General competence considerations

There are several ways by which an auditor can prove their knowledge and experience. Knowledge and experience can be demonstrated, for example, by using recognised qualifications. Registration, e.g. under IRCA or any other recognised form of auditor registration, can also be used to demonstrate the required knowledge and experience. The required competence level for the audit team should be established, corresponding with the organization%u2019s industry/technological field and complexity factor.

Specific competence considerations

Knowledge of Metrics

The following describes the typical knowledge in relation to DPMS auditing. In addition to the control areas from the Requirements document (XXX), which are listed in the following table, auditors should also be aware of the other standards...

Guidance for review of implemented metrics

This annex provides guidance for the review of the implementation of controls listed in IXXXX, and the gathering of audit evidence as to their performance during the initial audit and subsequent surveillance visits. The implementation of all controls selected by the client organization for the DPMS (as per the Statement of Applicability) needs to be reviewed during stage 2 of the initial audit and during surveillance or recertification activities.

The audit evidence that the certification body collects needs to be sufficient to draw a conclusion as to whether the controls are effective. How a control is expected to perform will be specified in procedures or policies of the client organization stated in or referenced from the Statement of Applicability. Obviously those controls outside the scope of the DPMS will not be audited.

Audit evidence
The best quality audit evidence is gathered from observation by the auditor (e.g. that a locked door is locked, people do sign confidentiality agreements, the asset register exists and contains assets observed, system settings are adequate, etc). Evidence can be gathered from seeing the results of performance of a control (e.g. printouts of access rights given to people signed by the correct authorizing official, records of incident resolution, processing authorities signed by the correct authorizing official, minutes of management (or other) meetings etc.). Evidence can be the result of direct testing (or re-performance) of controls by the auditor (e.g. attempts to perform tasks said to be prohibited by the controls, determination whether software to protect against malicious code is installed and up-to-date on machines, access rights granted (after checking to authorities), etc.). Evidence can be gathered by interviewing employees/contractors about processes and controls and determining whether this is factually correct.

How to use Table XXXX

Columns %u201COrganizational control%u201D and %u201CTechnical control%u201D
An %u201CX%u201D in the respective column indicates whether the control is an organizational or a technical control. As some controls are both organizational and technical, entries are in both columns for such controls. Evidence of the performance of organizational controls can be gathered through review of the records of performance of controls, interviews, observation and physical inspection. Evidence of the performance of technical controls can often be gathered through system testing (see below) or through use of specialized audit/reporting tools.
Column %u201CSystem testing%u201D
%u201CSystem testing%u201D means direct review of systems (e.g. review of system settings or configuration). The auditor%u2019s questions could be answered at the system console or by evaluation of the results of testing tools. If the client organization has a computer-based tool in use that is known to the auditor, this can be used to support the audit, or the results of an evaluation performed by the client organization (or their sub-contractors) can be reviewed.

There are two categories for the review of technical controls:

  • %u201Cpossible%u201D: system testing is possible for the evaluation of control implementation, but usually not necessary;
  • recommended%u201D: system testing is usually necessary.

Column %u201CVisual inspection%u201D
%u201CVisual inspection%u201D means that these controls usually require a visual inspection at the location to evaluate their effectiveness. This means that it is not sufficient to review the respective documentation on paper or through interviews %u2013 the auditor needs to verify the control at the location where it is implemented.

Column %u201CAudit review guidance%u201D
Where it might be helpful to have guidance for the audit of a particular control, the %u201CComments%u201D column provides possible focus areas for the evaluation of the control, as further guidance for the auditor.

Classification of controls

-- DavidGiaretta - 17 Oct 2008


PLEASE mark AuditorGuidelinesIssues to indicate where you think further discussion is needed; I believe we have covered all the sections up to section 9 already.

Draft Annexes - from TRAC - do we need these?

Topic attachments
I Attachment History Action Size Date Who Comment
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-1-without-boxes.doc r1 manage 246.5 K 2010-01-04 - 17:13 DavidGiaretta CCSDS format -1 - without boxes
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-1.doc r1 manage 345.0 K 2010-01-04 - 11:20 DavidGiaretta Document in CCSDS format and layout
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-2-without-boxes-longstreth.doc r1 manage 255.0 K 2010-03-08 - 15:45 DavidGiaretta Terry's markup
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-2-without-boxes.doc r1 manage 250.0 K 2010-02-25 - 15:08 SimonLambert  
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-2-without-boxesmc.doc r1 manage 383.0 K 2010-03-08 - 15:39 MarkConrad Mark Conrad's comments as of 20100308
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-2.doc r1 manage 348.0 K 2010-02-25 - 15:06 SimonLambert  
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-3.doc r1 manage 348.5 K 2010-03-21 - 22:48 DavidGiaretta Incorporating discussion about Mark's comments
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-4-20100329.doc r1 manage 348.5 K 2010-04-05 - 14:28 DavidGiaretta Edits from meeting 29 Mar 2010
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-5-20100405.doc r1 manage 219.5 K 2010-04-05 - 15:57 DavidGiaretta All previous changes accepted and edits tracked for changes made 5 April 2010
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-5-20100412.doc r1 manage 222.5 K 2010-04-15 - 16:03 SimonLambert Based on 5 April 2010 version below, with attempt to make terminology consistent (TDR vs. digital repository etc.)
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-6-20100426.doc r1 manage 225.5 K 2010-04-26 - 12:13 DavidGiaretta Comments on section 9
Microsoft Word filedoc AuditorGuidelines-CCSDS-format-7-20100517.doc r1 manage 243.0 K 2010-05-18 - 16:45 DavidGiaretta Version following "when in doubt cut it out" philosophy - as agreed
Microsoft Word filedoc AuditorGuidelines-rev2009Sep09w17021InBoxes.doc r1 manage 345.5 K 2009-10-06 - 03:19 JohnGarrett This is the current 2009-Sep-09 version of the Auditor document with the referenced ISO 17021 text included in text boxes in each section. This wil allow reviewers to see exactly what each section is requiring without flipping between the review documents. When document is complete, the text boxes will be removed.
Microsoft Word filedoc RequirementsForBodiesProvidingAuditAndCertification-candidate-final.doc r1 manage 198.5 K 2010-05-28 - 12:13 DavidGiaretta Candidate final document
Microsoft Word filedoc RequirementsForBodiesProvidingAuditAndCertification-candidate-final2-Longstreth.doc r1 manage 184.5 K 2010-06-09 - 05:03 TerryLongstreth Giarretta's Final 2 with replacement section12 (Security)
Microsoft Word filedoc RequirementsForBodiesProvidingAuditAndCertification-candidate-final2.doc r1 manage 177.5 K 2010-06-07 - 10:53 DavidGiaretta Revised with comments from JGG and MC
Microsoft Word filedoc Selected_Mandatory_Requirements_in_ISO17021.doc r1 manage 54.0 K 2009-12-14 - 16:57 DavidGiaretta Mark's mark up of mandatory requirements
Edit | Attach | Watch | Print version | History: r27 < r26 < r25 < r24 < r23 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r27 - 2010-06-09 - TerryLongstreth
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback