I have been given the task of looking to get our digital forensic lab ready for ISO 17025 accreditation, and the only reason for doing so is that for the public sector tenders being advertised, this standard is either now a requirement, or proof that we are working towards accreditation is expected. I believe that from 2015, the standard will be required, certainly here in the UK if you are trying to get public sector work.
From what I have read, I have to agree with all of those who have expressed their concern regarding cost (both financial, and time spent getting up to the standard), and the effectiveness of being accredited.
Does anyone know whether the main forensic tools providers, the Guidance's, Access Data etc. are going to get their products accredited, or is it going to be down to us to find a way of proving that the tools we use meet the standard?
Has anyone gone through this and can offer any advice, as for now, I am having to learn about the standard, and then develop a plan to implement it. I thought learning Computer Forensics was a steep learning curve; it is nothing compared to ISO 17025!!
(7Safe / PA Consulting)
Has anyone gone through this and can offer any advice, …
Do the absolute minimum you need. Make sure you can always override the rules you create (i.e. ensure you have some mechanism for exceptions); you will need to. (If you break your own rules, your accreditation will be endangered.) Evaluate your costs closely. Don't spend a penny more than you need until the threat you mention actually materializes. It may not do so …
Look for people who do preparation work, for this particular standard or for related quality standards (like 9001, say) to help you. There's a lot of … well, 'testmanship' involved, and they know much of it already, particularly the quality process and such.
I've been through a 9001 accreditation in response to a similar scare – that in a year all jobs would go only to accredited companies, and we needed to get on the train immediately to survive. But the threat never did materialize … and by then we had spent more than twice the money we needed to, and had a company that had been quite upset by all the 9001 work. In the long run, process quality levels rose, but … we could have got there in a more orderly fashion.
If I had to be in that kind of process again, and with a company without any formal process quality experience, I'd push for a five year process, done slowly and carefully, one step at a time.
And that was 9001 in a consulting company, covering only project specification and administration. Which is not particularly difficult …
Thanks for the advice. We are already 9001 / 27001 accredited (I was put in the position of having to maintain 27001, so I am aware of some of the complexities involved in these standards). We do have an advisor for these standards, so I fully intend to make use of him.
All documentation we are receiving regarding public sector tenders does clearly indicate the 17025 requirement, so as much as we would like to avoid it, I somehow suspect we will have to do this, although it would seem there are two years until it becomes an absolute requirement. We can work gradually towards it, but it was just the tools we use that concern me. But we will cross that bridge as and when we get there, if, as you say, we actually do.
A consultation period has started that will decide if the forensic regulator will be given statutory powers to enforce standards in forensics in the UK.
The regulator, Andrew Rennison (@fsrscc), has been appointed to the criminal cases review team and will be replaced early next year.
It appears that the regulator has considered digital forensics as being suitable for ISO17025 standards and indeed CCL have recently acquired such accreditation by UKAS in the field.
It may be an important opportunity during this consultation period to express your opinions with regard to digital forensics. I think we need clarity with regard to digital forensics and the regulator's plans as I think there is a case to be made that the regulator may be making a mistake in bundling digital and traditional forensics together and this needs to be addressed.
Consultation form may be found here along with some info on the entire process.
I currently work for an ISO 17025 accredited digital forensics lab. Everything everyone has said about the cost and the work involved is true. Maintaining accreditation requires continual review and maintenance, so it is not an undertaking to be entered into lightly. Accreditation by itself doesn’t make one lab, firm, or business better than any other. As said before, it makes whatever the entity is consistent in what they do… at least that is the purpose. You can be consistent and still be flexible. Having said that
For private firms and small businesses, it is a huge decision and should come down to cost benefit. Even still, many of the principles involved are applicable to digital forensics (proper documentation, the practice of validation, having policies and procedures, etc.). Even if you don’t become accredited, I feel it is helpful to obtain a copy of ISO 17025 or receive training from an accrediting body so that the useful components can be applied to what you do.
For public labs and law enforcement, I feel the burden of perception weighs heavily towards accreditation. Even if it adds little in practicality, especially if your policies and procedures are top notch, it is still something that goes to a lab’s credibility and public perception. Whether right or wrong, this is the truth. I am here in the US and practice within the realm of law enforcement and perception matters.
In my professional opinion, accreditation as a concept should be useful and highly desired, but there is yet to be an ISO type of standardization that fits digital forensics well. Here in the US, the American Society of Crime Lab Directors (ASCLD) and FQS of the American National Standards Institute & American Society for Quality (ANSI-ASQ) National Accreditation Board provide the best options for becoming accredited. I know things can be and are different in the UK.
To the original poster - sebastianorossi - Good luck on your endeavor. The advice given so far should be helpful.
Unless someone literally puts a gun to my head I'd never seek ISO accreditation for my lab… and even then I may just tell them to go ahead and pull the trigger 😉
Just to add my thoughts to the mix.
My previous employer was an ISO 17025 certified lab, and having been heavily involved in the original accreditation process (and subsequent audits) I share the sentiments posted previously about the amount of effort involved.
If you are thinking of taking your organisation down this route, think long and hard, and then think some more. Do you really need to impose this on yourself? The benefits to your organisation may not immediately outweigh the amount of time and effort (and by implication, money) required to get the system in place and accredited.
If you are primarily doing this to 'tick a box' on a tender exercise, it is worth noting that most of these tenders only state 'working towards ISO17025' as a requirement, not full certification. If you still decide that you want to do this, then consider only placing part of your lab in scope. Something like Forensic Imaging, which sits closer to what the standard was originally designed for, can be a manageable exercise and give you some idea of how the accreditation process is going to work for other areas.
IMO, I would steer well clear of ISO17025 if at all possible (wouldn't quite go as far as asking them to pull the trigger though… 😉). It can be done, as some have shown, but it adds a lot of overhead and requires a lot of management.
At the end of the day, does it make you a 'better' lab than anyone else? Not really…
Should it be of use, there is a freely available book (published by the United Nations) that, besides being an interesting introduction to the norm, contains what I think is an extremely well made "self-examination questionnaire" as an appendix.
IMHO, while most of it is clearly common with ISO9001, and a large part reflects what are already "standards" or "common practice", there are parts that I find either not entirely applicable (if not to a "real" calibration laboratory) or extremely difficult to apply.
I mean, in a "normal" laboratory you bring in (say) a piece of rebar steel, and they perform a set of analyses to determine (still say) the composition, its tensile strength, etc., along a set of recognized national and international standards, using testing devices that are themselves certified and calibrated/verified.
But if you are making these analyses because you are investigating a structural collapse of a building, that is only (a very small) part of the story.
In digital forensics, you bring in (say) a hard disk and besides the imaging part (which should have no problems in being certified under ISO17025) you extract data (with *any* tool/software/self-written script/etc.) and then you interpret these data.
Possibly - and I presume with the greatest effort and, I believe, a long list of limitations/complications - this "extraction" part can also be certified/accredited?
But when it comes to translating these data to "what actually happened" i.e. into making the actual report on the case and/or be the expert witness in Court, etc. the norm is very difficult - I believe impossible - to be applied integrally. 😯
Most probably with the actual ISO17025 it would make sense (if allowed by the Law and/or "enough" to fulfill the requirements) to get certified only the parts related to management of evidence (chain of custody, etc.) and imaging, and leave the rest of the processes/procedures under the more normal ISO9001, which I also believe to be very difficult to implement integrally in this field.
It's pretty clear to me that ISO 17025 is not a good fit with computer forensics. The idea of a traditional lab with all the requirements for a clean environment and the risk of cross contamination etc. is fine for physical evidence (DNA etc.) but it's just not appropriate for digital evidence. The risk of data jumping from one drive to another, or of data from my private drive contaminating an evidence drive, is just not on the same level as, for example, in a DNA lab.
If someone takes a laptop and image home and does some work on the kitchen table, does their kitchen become a lab? There's got to be some room for common sense and to match the appropriate procedures and checks against the risks. Within the arena of computer forensics, plenty of experts with more experience than myself are not convinced about 17025, but the regulator seems convinced to go down a one-size-fits-all philosophy. Some of the best guys in the UK have not gone down this route and I would not hesitate to trust them with work.
Will be drafting my feedback to the regulator over Xmas.