Audit preparation

STEPS FOR PREPARING THE REPOSITORY

PREFACE: The International Organization for Standardization published Audit and Certification of Trustworthy Digital Repositories as ISO 16363 in February 2012. The corresponding Requirements for Bodies Providing Audit and Certification of Candidate Trustworthy Digital Repositories, ISO 16919, was delayed as the Primary Trustworthy Digital Repository Authorisation Body (PTAB), which drafted ISO 16363 and ISO 16919, worked with the ISO Committee for Conformity Assessment (CASCO) over its role in the audit and certification process for Trustworthy Digital Repositories. ISO 16919 is now published, so ISO 16363 audits can now be conducted and ISO 16363 certification issued.

In anticipation of the development of approved audit bodies in various countries, and the conduct of approved audits, PTAB offers the following suggested steps for digital repositories to prepare for ISO 16363 audits.

WHAT IS AN ISO 16363 AUDIT? An ISO 16363 audit should include a period of preparation by the digital repository and a site visit by an audit team, resulting in a formal report to the digital repository and, if appropriate, issuance of certification to the digital repository. The process should begin long before the actual audit with the repository assembling materials to address the ISO 16363 metrics. Following the initial certification audit, repositories will be subject to subsequent audits if they wish to maintain certification over time.

ADVANTAGES OF ISO 16363 CERTIFICATION: ISO standards are part of a suite of standards at the repository, national, and international levels that demonstrate trustworthy and responsible data management and stewardship. They provide digital repositories of all sizes with direction for demonstrating their adherence to quality and consistency, their respect for data integrity, and their commitment to the long-term preservation of and access to the information entrusted to their care. ISO 16363 certification demonstrates compliance with the requirements that are necessary for recognition as a trustworthy digital repository. The ISO 16363 metrics focus on combining the mechanics of computer systems and information technology security with the spirit and sensitivity of being a trustworthy digital repository entrusted with the care of digital information of long-term value for multiple communities and future generations.

STEPS TO TAKE:

  1. Obtain a copy of ISO 16363.  The Consultative Committee for Space Data Systems (CCSDS), which co-sponsored the development of ISO 16363, makes the text of the standard that was provided to ISO available on its website at: http://public.ccsds.org/publications/archive/652x0m1.pdf
  2. Review the document.
  3. Obtain a copy of the Self-Assessment Template for ISO 16363.
  4. Conduct self-assessments to identify shortcomings and help identify any “surprises.”
  5. Determine which metrics apply to the repository. If the repository believes that any metrics do not apply, document why the metric does not apply.
  6. Determine which metrics are being met successfully and provide examples to document how the repository meets each metric.
  7. Determine which metrics are not being met and what measures need to be implemented to achieve and document success for that metric.
  8. Determine what resources (additional or reallocated) are required to achieve success.
  9. Refer to external resources, such as case studies and best practices, as desired and available.
  10. Incorporate findings from previous audits conducted of the repository or similar institutions if such results are available.  These could include information technology security audits, ISO 9000 suite audits, quality assurance audits, risk assessments, and similar evaluations.
  11. Populate and maintain the Self-Assessment Template for ISO 16363 to better organize and track progress on meeting the metrics and to prepare for an ISO 16363 audit when such audits can be performed.

USING ISO 16363 TO COMPLETE THE REPOSITORY SELF-ASSESSMENT:

  1. After reviewing each of the metrics specified in ISO 16363, begin identifying the titles of existing documents that describe policies, procedures, and practices relevant to the standard.
  2. Open the spreadsheet, Self-Assessment Template for ISO 16363, and read each metric.
  3. For each metric, in the column labeled “Brief Description of Evidence” of the Self-Assessment Template for ISO 16363, record the id numbers/short titles of the documents that serve as evidence that the repository is complying with the requirement described in that row of the spreadsheet. Provide a more detailed description of the documents under the Reference tab of the spreadsheet.
  4. For each metric, in the column labeled “Repository Explanation” of the Self-Assessment Template for ISO 16363, record a brief explanation of how the repository utilizes the evidence, previously described, to attain compliance with the metric. Please answer in complete sentences, with references to documentation as necessary.
  5. Present the completed Self-Assessment Template for ISO 16363 to members of the repository management team and key staff members to verify that the correct documents are listed as evidence for each metric and that the explanation, which describes how the repository utilizes the evidence to meet each metric, is correct. Please ensure that explanations and terminology are consistent when metrics have been answered by different departments and staff members.
  6. Request corrections and suggestions from the repository management team and from key staff members for improving the information recorded within the completed Self-Assessment Template for ISO 16363.
  7. Revise the Self-Assessment Template for ISO 16363 to record the corrections and improvements suggested by the repository management team and by key staff members.
  8. Review the entire Self-Assessment Template for ISO 16363 to identify any metrics that have not been completed.
  9. For each metric that has not been completed, review ISO 16363 to understand the metric, then discuss the metric with the repository management team and key staff to identify the titles of the evidence documenting how the metric is being met and to describe how the repository is using the documents to meet the metric.
  10. Repeat the review process with the repository management team and key staff members to correct and improve the description of how each metric is being met in the Self-Assessment Template for ISO 16363.

HOW PTAB CAN HELP: PTAB members have been organizing workshops and participating in other training opportunities and conferences to keep the digital preservation community informed about ISO 16919 and ISO 16363. Please check back at http://www.iso16363.org/ for the latest updates on training courses and other resources.
