ISO 16363

Audits are performed using the standard ISO16363:2012, which is available from ISO and also from the CCSDS web site

The standard was designed with auditors in mind, bearing in mind that the outcome will depend on the judgement of the auditors. In order to help auditors the standard was designed in a hierarchical way. For example the standard directs the auditors’ attention to three separate aspects of the repository:

  1. organizational infrastructure – which addresses the repository organisation can provide
  2. digital object management – which addresses the fundamentals of digital preservation, following the OAIS concepts
  3. infrastructure and security risk management – addressing security aspects, which may be taken care of by ISO 27000 certification

Within each of these further details are brought out in specific metrics which direct the auditors’ attention to specific areas; where appropriate the metrics are further broken down into sub-metrics in order to ensure that some even more specific aspects are inspected.

Repository managers must also be able to use the standard in order to prepare for audits.

For auditors, and even more so for repository managers, each metric has additional explanatory text:

  • supporting text – which provides a brief explanation of why the metric is important
  • examples of evidence the repository may present
  • a more detailed discussion of the metric – to provide a broader understanding of the metric

It is unlikely that any repository will be found to be perfect in all metrics. The aim of the audit is to identify areas which are in need of improvement – as part of a cycle of continuous improvement.

Typically a repository will seek help, through the use of tools, services and consultancy to implement its improvement plans.