±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 1 Overall: 36750
New Yesterday: 4 Visitors: 161

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

ISO 17025

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4  Next 

Senior Member

Re: ISO 17025

Post Posted: Feb 02, 12 20:21



Re: ISO 17025

Post Posted: Sep 25, 12 19:36

I have been given the task of looking to get our digital forensic lab ready for ISO 17025 accreditation, and the only reason for doing so is that for the public sector tenders being advertised, this standard is either now a requirement, or proof that we are working towards accreditation is expected. I believe that from 2015, the standard will be required, certainly here in the UK if you are trying to get public sector work.

From what I have read, I have to agree with all of those who have expressed their concern regarding cost (both financial, and time spent getting up to the standard), and the effectiveness of being accredited.

Does any one know whether the main forensic tools providers, the Guidance's, Access Data etc are going to get their products accredited, or is it going to be down to us to find a way of proving that the tools we use meet the standard?

Has anyone gone through this and can offer any advise, as for now, I am having to learn about the standard, and then develop a plan to impliment it. I thought learning Computer Forensics was a steep learning curve, it is nothing compared to ISO 17025!!


(7Safe / PA Consulting)  

Senior Member

Re: ISO 17025

Post Posted: Sep 25, 12 20:11

- RobWatson
Has anyone gone through this and can offer any advise, ...

Do the absolute minimum you need. Make sure you always can override the rules your create (i.e. ensure you have some mechanism for exceptions): you will need to. (If you break your own rules, you accreditation will be endangered.) Evaluate your costs closely. Don't spend a penny more than you need until the threat you mention actually materializes. It may not do so ...

Look for people who do preparation work, for this particular standard or for related quality standards (like 9001, say) to help you. There's a lot of ... well, 'testmanship' involved, and they know much of it already, particularly the quality process and such.

I've been through a 9001 accreditation in response to a similar scare -- that in a year all jobs would go to only to accredited companies, and we needed to get on the train immediately to survive. But the threat never did materialize ... and by then we had spent more than twice the money we needed to, and had a company that had been quite upset by all 9001 work. In the long run, process quality levels rose, but ... we could have got there in a more orderly fashion.

If I had to be in that kind of process again, and with a company without any formal process quality experience, I'd push for a five year process, done slowly and carefully, one step at a time.

And that was 9001 in a consulting company, covering only project specification and administration. Which is not particularly difficult ...  


Re: ISO 17025

Post Posted: Sep 25, 12 20:22

Thanks for the advice. We are already 9001 / 27001 accredited (I was put in the position of having to maintain 27001, so I am aware of some of the complexities involved in these standards). We do have an advisor for these standards, so fully intend to make use of him.

All documentation we are receiving regarding public sector tenders does clearly indicate the 17025 requirement, so as much as we would like to avoid it, I somehow suspect, we will have to do this, although there are two years until it would seem it will become an absolute requirement. We can work gradually towards it, but it was just the tools we use that concerns me. But we will cross that bridge as and when we get there, if as you say, we actually do.

Thanks again  

Senior Member

Re: ISO 17025

Post Posted: Nov 14, 13 14:26

A consultation period has started that will decide if the forensic regulator will be given statutory powers to enforce standards in forensics in the UK.
The regulator, Andrew Rennison (@fsrscc), has been appointed to the criminal cases review team and will be replaced early next year.
It appears that the regulator has considered digital forensics as being suitable for ISO17025 standards and indeed CCL have recently acquired such accreditation by UKAS in the field.

It may be an important opportunity during this consultation period to express your opinions with regard to digital forensics. I think we need clarity with regard to digital forensics and the regulator's plans as I think there is a case to be made that the regulator may be making a mistake in bundling digital and traditional forensics together and this needs to be addressed.

Consultation form may be found here along with some info on the entire process.

CCL Accreditation
Forensic Computer Analyst (LE)
BSc (Hons)

Senior Member

Re: ISO 17025

Post Posted: Nov 14, 13 21:57


I currently work for an ISO 17205 accredited digital forensics lab. Everything everyone has said about the cost and the work involved is true. Maintaining accreditation requires continual review and maintenance so it is not an undertaking to be entered into lightly. Accreditation by itself doesn’t make one lab, firm, or business better than any other. As said before, it makes whatever the entity is consistent in what they do…at least that is the purpose. You can be consistent and still be flexible. Having said that:

For private firms and small businesses, it is a huge decision and should come down to cost benefit. Even still, many of the principles involved are applicable to digital forensics (proper documentation, the practice of validation, having policies and procedures, etc.). Even if you don’t become accredited, I feel it is helpful to obtain a copy of ISO 17250 or receive training from an accrediting body so that the useful components can be applied to what you do.

For public labs and law enforcement, I feel the burden of perception weighs heavily towards accreditation. Even if it adds little in practicality, especially if your policies and procedures are top notch, it is still something that goes to a lab’s credibility and public perception. Whether right or wrong, this is the truth. I am here in the US and practice within the realm of law enforcement and perception matters.

In my professional opinion, accreditation as a concept should be useful and highly desired, but there is yet to be an ISO type of standardization that fits digital forensics well. Here in the US, the American Society of Crime Lab Directors (ASCLD) and FQS of the American National Standards Institute & American Society for Quality (ANSI-ASQ) National Accreditation Board provide the best options for becoming accredited. I know things can be and are different in the UK.

To the original poster - sebastianorossi - Good luck on your endeavor. The advice given so far should be helpful.
Preston Coleman, MFS, GCFE, EnCE

"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke 

Senior Member

Re: ISO 17025

Post Posted: Nov 15, 13 09:39

Unless someone literally puts a gun to my head I'd never seek ISO accreditation for my lab.....and even then I may just tell them to go ahead and pull the trigger Wink  

Page 3 of 4
Page Previous  1, 2, 3, 4  Next