
ISO 17025

(@sebastianorossi)
Posts: 85
Trusted Member
Topic starter
 

I am interested in ISO 17025 accreditation and also ISO 27001.
Which are the steps to be accredited as ISO 17025?
Thanks

 
Posted : 30/01/2012 3:14 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am interested in ISO 17025 accreditation and also ISO 27001.
Which are the steps to be accredited as ISO 17025?
Thanks

http://www.accredia.it/

jaclaz

 
Posted : 31/01/2012 11:35 pm
(@dficsi)
Posts: 283
Reputable Member
 

Usually the process is to bend over while UKAS screw you for everything you have, crippling your business in the process.

Oops, did I say that out loud?

 
Posted : 01/02/2012 1:14 am
(@mindsmith)
Posts: 174
Estimable Member
 

Begin by seriously asking - is it really necessary for your unit to be 17025 accredited? What value will it bring, do you have the budget and the additional manpower to implement and maintain it?

If so, then I suggest you begin by buying copies of the 17025 and 27001 standards from ISO and familiarizing yourself with the standards and also research the accepted interpretations of some clauses. Next, get training on implementing 17025, which will give you some idea of the extent of work involved in getting your operation up to the standard. Do not underestimate the level of effort required (by all your team members) to get and maintain your accreditation. Develop a plan for implementing and auditing 17025 including training of all staff. Once you feel you have addressed all the requirements - get your documents checked for compliance by 17025 assessors. Some areas (2) of 17025 do not apply to digital forensics such as Measurement of uncertainty. Conduct internal audits as per the 17025 standard addressing all areas. Remember that if your process says you do something - you must be able to prove that it is done via your documentation and forms, etc. Take a careful look at validation of tools and methods to ensure that you have a detailed plan implemented to test every tool you intend to use and can prove that it has been tested. (Use the NIST testing and Validation of Computer Forensic tools guidelines as a reference.) Do not underestimate how 'pedantic' 17025 assessors can be about 'proper' validation of forensic tools and methods!

Good luck

 
Posted : 01/02/2012 9:46 am
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

I hope I'm not overstepping the mark with my own employers (for speaking my mind), but we're going for 17025 and I think it's a mistake.

Some of the issues revolve around these accreditations not translating well from traditional forensics into digital forensics. This is more of a teething issue but also a good reason to wait.

A long-term factor includes the overheads of gaining and maintaining accreditation. We are a large unit and I really don't see how small units/companies could pursue this accreditation and still do any work. This might mean only larger units will have accreditation but does that mean they are better? I wouldn't say that 17025 means better. It just means they are better documented.

The last issue I'd like to raise at this time is the changing face of digital forensics. Digital forensics is a 'man-made' science. It doesn't follow normal scientific laws and as such it changes so frequently. There's a danger we might see new procedures having to be written and agreed almost weekly, if we don't get the 'wording' right. We need to make sure procedures are more loosely worded in order to avoid this problem but validation of all the tools we use will continue to be required.

Previously we could have used an untried tool to strip data out but we would have to verify it manually. Now we won't be able to use any non-validated tools at all, even if they are accepted and widely used tools elsewhere. The danger here is a tool that is validated overall but isn't good at that particular task will be all we are allowed to use and it might do an inferior job than the tool we would like to have used.

So far I wouldn't say we're doing anything substantially different, we're just completing and signing forms on a case by case basis to say we did everything.

I think take-up of 17025 will be partly based on people feeling it is now expected of them. The more people that get it the more people will feel they also have to have it. I hope this wouldn't spell the end of small units/companies who simply don't have the manpower to do it.

Management have decided they want it and so we're in the process already. To some extent we are being the Guinea Pigs for UKAS.

Oh well time to go back to my hutch and hang out with the rabbits.

Regards,

Steve

 
Posted : 01/02/2012 2:55 pm
(@pbeardmore)
Posts: 289
Reputable Member
 

I think Steve is bang on the money. I think there are still issues to be hammered out and 17025 was never designed for this particular scenario.

I think some have gone down this road purely as a marketing tool as some clients who know little about this area will think that they are getting a better service (this may be true) but some of the best IT forensic brains in the UK do not work for 17025 firms but that does not, for me, undermine their skill, experience, knowledge etc.

It is possible to improve quality within an organisation to take the salient points from the ISO and implement them where appropriate without going down the full ISO/UKAS route. Not only from the forum, but I get the distinct feeling that the UK forensic industry is not 100% convinced about this route. Either the regulator has to do better to sell it (especially to the smaller firms) or use the stick of formal powers which will take another couple of years at least to come in.

 
Posted : 01/02/2012 3:33 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Some interesting points made there Steve. I share your concerns.

It seems to me that there is too much focus on tool validation. Validating the methods or results, not the individual tools, would seem to solve several of the issues you raise concerns over. Is this something your team have considered? If so what was the verdict?

Computer forensic science is indeed a changing discipline, but then so is every other science. Granted the more traditional sciences may not change quite as quickly as our field, but there exist methods to assess and then accept or reject new discoveries, as appropriate.

Using SOPs to set everything in stone seems overkill to me. Setting minimum standards rather than fixed ones would leave you more room to adapt to new situations, and still guarantee the quality and integrity of your final product.

Ben

 
Posted : 01/02/2012 3:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It is possible to improve quality within an organisation to take the salient points from the ISO and implement them where appropriate without going down the full ISO/UKAS route.

If I may, generally speaking most ISO thingies are NOT about "improving" quality, but rather in having constant quality (after having made explicit the exact expected "quality level").

An ISO certified firm/factory/laboratory/whatever does not necessarily produce a "better" product, it only has to produce a "same as set standard" product.

jaclaz

 
Posted : 01/02/2012 8:08 pm
(@jonathan)
Posts: 878
Prominent Member
 

If I may, generally speaking most ISO thingies are NOT about "improving" quality, but rather in having constant quality (after having made explicit the exact expected "quality level").

jaclaz

Unless you run a factory production line making identical products how is this realistically possible? Even if it was possible (taking into account variations between examiners, the amount of hours you have to complete the job, the quality of the instructions received, and so on) is it worth the money, disruption and time involved to achieve 17025 for computer forensic units? Would like to hear from people who recommend 17025.

 
Posted : 01/02/2012 9:14 pm
(@athulin)
Posts: 1156
Noble Member
 

Unless you run a factory production line making identical products how is this realistically possible?

You are asking about product quality, but there is also such a thing as process quality.

You document your processes, the auditors verify that you follow that documentation, and also that any mandatory processes required by the standard are in place. (Typically they concentrate on what they know are problem spots – such as documentation.)

I don't recommend it, though – I know too little about it.

 
Posted : 01/02/2012 10:47 pm