Has anybody achieved/are aiming to achieve compliance with ISOs 17020 and 17025 for their forensic outfits? I was wondering how difficult/onerous it is to comply if you're already conducting examinations to a general 'best accepted practice' level and also if there is anyone who doesn't think these standards are worth the time and resources required to meet them?
Greetings,
We're looking at them for the lab we expect to build this year. I've been through similar ISO certifications before and know that they consume a lot of resources to establish, but once they're up and running they're generally not invasive, the certification adds value to your marketing, and the established processes really save you time and money due to fewer mistakes in your processes that need to be corrected.
If you can build the required processes into your organization as you're getting started, it is much easier. If you're already following best practices, it isn't too hard. If you've been running fast and loose, it'll take a lot of work and time and money.
-David
Hi David,
Thanks for your reply. Some excellent points which echo my thoughts on ISO certifications. Am certainly looking at recommending it for my clients, although additionally I think as a 'community' we are in desperate need for something specific to digital forensics.
Jonathan
Jonathan,
Just to follow-up on David's comments, I work as an accreditation officer and when we're asked how long it takes to set up a ISO 17025 or 17020 accreditation program we typically say anywhere from 3 to 9 months.
If you have a system set up for best practices then it may take you less time. The best approach would be take whichever standard you wish to be assessed to (17025 for forensic testing) (17020 for crime scene) and put each clause on a line in an excel spread sheet. Then go through your quality manual and ask yourself, is this covered and where.
The best is if you already have an ISO 9000, 9001, 9002 etc compliant system, because section 4 of ISO 17025 is the same.
I hope this helps and good luck!
Sincerely,
Karin
We have already achieved compliance with ISO 17025 and were accredited. It is takes time around one year and also requires dedication in order to get yourself prepared for certification. Lots of procedures and paperwork and it is costly considering the requirement you have to renew it every year.
It is good for a private entity as it may bring you more work, however it is not that good for public institute as it brings you more work, too )
Yunus, I read Simon Biles (Azrael) Columnist article titled "ISO standards and computer forensics" http//www.forensicfocus.com/simon-biles
In it he refers to costs
"The whole process can cost up to GBP 25,000 (the first time at least, recertification is less expensive) and that's NOT including your staff or training costs - pretty steep for something that's being forced upon you!"
Are you able to identify your calculated costs for this accreditation?
Hi Yunus,
I work for an accreditation body and the average cost for a typical initial accreditation is about $8-10,000 American dollars. In addition, each year there is a $1300 annual fee. I've seen labs pay a lot less, but they perform a small number of tests. Obviously the more testing on your Scope of Accreditation or the number of Scopes, the higher the cost. As a non-profit, this is about as low as we can go and still pay our assessors and staff.
I do understand the dislike of having things 'forced upon you.' It's certainly one thing to want an edge in the market and accreditation offers that. But in regards to government forensic labs, you're not really marketing so what's the need?
I see it this way. Mandatory Accreditation is not meant to be a punishment to a good lab. It's meant to prevent your work from getting sullied by a bad lab. When you get in court, the jury and judge won't know that lab x is good and lab y is bad. They'll just remember that lab y produced bad results and it'll make them think all forensic labs produce bad results. If we make all labs follow a given set of rules, then we can worry less about lab y, which makes testifying in court easier.
Cheers,
Karin (A2LA)
Hi All,
For reference, my figures are taken from the actual cost of the accreditation of the Derbyshire Constabulary and are broken down as follows
Application Fee £1200
ISO Standard Copy £144
Pre-Assessment Visit £3938
Assessment £6370
Post Visit Actions £1593
Travel/Expenses £480
Second Assessment & Award £8442
Total £22167 (ex VAT)
£26046 (inc VAT at 17.5%)
Conceivably others might find longer/shorter Assessment Periods depending on complexity - but I think that the statement of "upto £25k" is pretty reasonable !
On the other hand - the "hidden" costs of training etc. in the above example work out as follows
Training of Quality Manager £1600
Staff time (200 hrs) £19000
6 month reassessment £5000
adding another £25k to the overall cost for the first year.
I do acknowledge that this particular example is for a "meatspace" lab, however the same procedures apply, the same documentation is required, the same standards have to be met etc. ( and I've left out the "meatspace" specific costs of environmental monitoring & batch testing - although arguably batch testing would incur a cost, as would proficiency testing in a digital lab - both of which incur a cost of £17500 a year combined in the above example ).
Kind Regards,
Azrael
(P.S. For those of you that want to have a really good cry about it, that works out, at today's exchange rate as about $33,250 for the ex-VAT figure cry )
Great info Azrael.
Do you happen to know if if these standards are applicable (or even necessary) for small operators? Those prices would be crippling for sole operators or for small providers - of which there are a lot in this field.
The cost depends on how many examination types you want be accredited, the number of experts to come, the travel costs and the number of days until all the experts are done.
In our case, the accreditation of all laboratory sections cost over 60.000 US$. But this cost includes not only computer forensics lab but also others like DNA, which wer also accredited in the same occasions.
So, if you consider only the computer forensics laboratory it should cost around 5.000 US$, and the renewals for each year should be around 2.000 US$. Just an average cost. It may change depending on where you live and how many examination types you want be accredited.