ISO 17025  

Page 1 / 2
sebastianorossi
(@sebastianorossi)
Member

I am interested in ISO 17025 accreditation and also ISO 27001.
Which are the steps to be accredited as ISO 17025?
thanks

Posted : 30/01/2012 3:14 pm
jaclaz
(@jaclaz)
Community Legend

I am interested in ISO 17025 accreditation and also ISO 27001.
Which are the steps to be accredited as ISO 17025?
thanks

http://www.accredia.it/

jaclaz

Posted : 31/01/2012 11:35 pm
DFICSI
(@dficsi)
Active Member

Usually the process is to bend over while UKAS screw you for everything you have, crippling your business in the process.

Oops, did I say that out loud?

Posted : 01/02/2012 1:14 am
MindSmith
(@mindsmith)
Active Member

Begin by seriously asking - is it really necessary for your unit to be 17025 accredited? What value will it bring, do you have the budget and the additional manpower to implement and maintain it?

If so, then I suggest you begin by buying copies of the 17025 and 27001 standards from ISO and familiarizing yourself with the standards, and also research the accepted interpretations of some clauses. Next, get training on implementing 17025; this will give you some idea of the extent of work involved in getting your operation up to the standard. Do not underestimate the level of effort required (by all your team members) to get and maintain your accreditation. Develop a plan for implementing and auditing 17025, including training of all staff. Once you feel you have addressed all the requirements - get your documents checked for compliance by 17025 assessors. Some areas (2) of 17025 do not apply to digital forensics, such as Measurement of uncertainty. Conduct internal audits as per the 17025 standard, addressing all areas. Remember that if your process says you do something - you must be able to prove that it is done via your documentation and forms, etc. Take a careful look at validation of tools and methods to ensure that you have a detailed plan implemented to test every tool you intend to use and can prove that it has been tested (use the NIST testing and Validation of Computer Forensic tools guidelines as a reference). Do not underestimate how 'pedantic' 17025 assessors can be about 'proper' validation of forensic tools and methods!

Good luck

Posted : 01/02/2012 9:46 am
steve862
(@steve862)
Active Member

Hi,

I hope I'm not overstepping the mark with my own employers (for speaking my mind), but we're going for 17025 and I think it's a mistake.

Some of the issues revolve around these accreditations not translating well from traditional forensics into digital forensics. This is more of a teething issue but also a good reason to wait.

A long-term factor includes the overheads of gaining and maintaining accreditation. We are a large unit and I really don't see how small units/companies could pursue this accreditation and still do any work. This might mean only larger units will have accreditation but does that mean they are better? I wouldn't say that 17025 means better. It just means they are better documented.

The last issue I'd like to raise at this time is the changing face of digital forensics. Digital forensics is a 'man-made' science. It doesn't follow normal scientific laws and as such it changes so frequently. There's a danger we might see new procedures having to be written and agreed almost weekly, if we don't get the 'wording' right. We need to make sure procedures are more loosely worded in order to avoid this problem but validation of all the tools we use will continue to be required.

Previously we could have used an untried tool to strip data out but we would have to verify it manually. Now we won't be able to use any non-validated tools at all, even if they are accepted and widely used tools elsewhere. The danger here is a tool that is validated overall but isn't good at that particular task will be all we are allowed to use and it might do an inferior job than the tool we would like to have used.

So far I wouldn't say we're doing anything substantially different, we're just completing and signing forms on a case by case basis to say we did everything.

I think take-up of 17025 will be partly based on people feeling it is now expected of them. The more people that get it the more people will feel they also have to have it. I hope this wouldn't spell the end of small units/companies who simply don't have the manpower to do it.

Management have decided they want it and so we're in the process already. To some extent we are being the Guinea Pigs for UKAS.

Oh well time to go back to my hutch and hang out with the rabbits.

Regards,

Steve

Posted : 01/02/2012 2:55 pm
pbeardmore
(@pbeardmore)
Active Member

I think Steve is bang on the money. I think there are still issues to be hammered out and 17025 was never designed for this particular scenario.

I think some have gone down this road purely as a marketing tool as some clients who know little about this area will think that they are getting a better service (this may be true) but some of the best IT forensic brains in the UK do not work for 17025 firms but that does not, for me, undermine their skill, experience, knowledge etc.

It is possible to improve quality within an organisation to take the salient points from the ISO and implement them where appropriate without going down the full ISO/UKAS route. Not only from the forum, but I get the distinct feeling that the UK forensic industry is not 100% convinced about this route. Either the regulator has to do better to sell it (especially to the smaller firms) or use the stick of formal powers which will take another couple of years at least to come in.

Posted : 01/02/2012 3:33 pm
benfindlay
(@benfindlay)
Active Member

Some interesting points made there Steve. I share your concerns.

It seems to me that there is too much focus on tool validation. Validating the methods or results, not the individual tools, would seem to solve several of the issues you raise concerns over. Is this something your team have considered? If so what was the verdict?

Computer forensic science is indeed a changing discipline, but then so is every other science. Granted the more traditional sciences may not change quite as quickly as our field, but there exist methods to assess and then accept or reject new discoveries, as appropriate.

Using SOPs to set everything in stone seems overkill to me. Setting minimum standards rather than fixed ones would leave you more room to adapt to new situations, and still guarantee the quality and integrity of your final product.

Ben

Posted : 01/02/2012 3:44 pm
jaclaz
(@jaclaz)
Community Legend

It is possible to improve quality within an organisation to take the salient points from the ISO and implement them where appropriate without going down the full ISO/UKAS route.

If I may, generally speaking most ISO thingies are NOT about "improving" quality, but rather in having constant quality (after having explicited the exact expected "quality level").

An ISO certified firm/factory/laboratory/whatever does not necessarily produce a "better" product, it only has to produce a "same as set standard" product.

jaclaz

Posted : 01/02/2012 8:08 pm
Jonathan
(@jonathan)
Senior Member

If I may, generally speaking most ISO thingies are NOT about "improving" quality, but rather in having constant quality (after having explicited the exact expected "quality level").

jaclaz

Unless you run a factory production line making identical products how is this realistically possible? Even if it was possible (taking into account variations between examiners, the amount of hours you have to complete the job, the quality of the instructions received, and so on) is it worth the money, disruption and time involved to achieve 17025 for computer forensic units? Would like to hear from people who recommend 17025.

Posted : 01/02/2012 9:14 pm
athulin
(@athulin)
Community Legend

Unless you run a factory production line making identical products how is this realistically possible?

You are asking about product quality, but there is also such a thing as process quality.

You document your processes, the auditors verify that you follow that documentation, and also that any mandatory processes required by the standard are in place. (Typically they concentrate on what they know are problem spots – such as documentation.)

I don't recommend it, though – I know too little about it.

Posted : 01/02/2012 10:47 pm
PaulSanderson
(@paulsanderson)
Senior Member

I won't be going for it; even if it was worth it, as a small business it would kill me.

I am more concerned with getting standards up rather than producing processes that will allow a unit/company to consistently churn out crap work and then "sell" themselves on the fact that they are ISOxxxx approved.

I see something akin to solicitors/barristers standards as a better way to go, with approved training counting towards a minimum amount of CPD required to practice. But I am sure that there would be some who disagree and I can see a few downsides to this route, but at least it addresses knowledge of the work we do rather than the ability to tick a box.

Posted : 01/02/2012 11:04 pm
jaclaz
(@jaclaz)
Community Legend

Unless you run a factory production line making identical products how is this realistically possible? Even if it was possible (taking into account variations between examiners, the amount of hours you have to complete the job, the quality of the instructions received, and so on) …

Exactly my opinion, ISO standards are (some more than others) good for industry, and mass production, much less so for

  • artisan work
  • intellectual work
  • research

and it seems to me like digital forensics is MAINLY and ALL three above.

Or if you prefer, extending the use of industry standards over artisan work often dumbs down the quality instead of bettering it.

Quality may become constant, but at a lower level.

Of course this applies to people that anyway, and no matter if ISO certified or not, use a good "base" process standard.

jaclaz

Posted : 01/02/2012 11:07 pm
sebastianorossi
(@sebastianorossi)
Member

Thank you all for your kind answers. I know ISO 27001 well; actually I am not certified, but my system is aligned.
I will study ISO 17025, I will let you know.
Thanks

Posted : 02/02/2012 5:05 pm
pbeardmore
(@pbeardmore)
Active Member
sebastianorossi
(@sebastianorossi)
Member

thanks

Posted : 02/02/2012 7:21 pm