Unless someone literally puts a gun to my head I'd never seek ISO accreditation for my lab... and even then I may just tell them to go ahead and pull the trigger 😉
Just to add my thoughts to the mix.
My previous employer was an ISO 17025 certified lab, and having been heavily involved in the original accreditation process (and subsequent audits) I share the sentiments posted previously about the amount of effort involved.
If you are thinking of taking your organisation down this route, think long and hard, and then think some more. Do you really need to impose this on yourself? The benefits to your organisation may not immediately outweigh the amount of time and effort (and by implication, money) required to get the system in place and accredited.
If you are primarily doing this to 'tick a box' on a tender exercise, it is worth noting that most of these tenders only state 'working towards ISO17025' as a requirement, not full certification. If you still decide that you want to do this, then consider only placing part of your lab in scope. Something like Forensic Imaging, which sits closer to what the standard was originally designed for, can be a manageable exercise and give you some idea of how the accreditation process is going to work for other areas.
IMO, I would steer well clear of ISO 17025 if at all possible (wouldn't quite go as far as asking them to pull the trigger though... 😉). It can be done, as some have shown, but it adds a lot of overhead and requires a lot of management.
At the end of the day, does it make you a 'better' lab than anyone else? Not really…
Should it be of use, there is a freely available book
http//
(published by the United Nations) that, besides being an interesting introduction to the norm, contains what I think is an extremely well-made "self-examination questionnaire" as an appendix.
IMHO, while most of it is clearly common with ISO 9001, and a large part reflects what are already "standards" or "common practice", there are parts that I find either not entirely applicable (if not to a "real" calibration laboratory) or extremely difficult to apply.
I mean, in a "normal" laboratory you bring in (say) a piece of rebar steel, and they perform a set of analyses to determine (still say) the composition, its tensile strength, etc., along a set of recognized national and international standards, using testing devices that are themselves certified and calibrated/verified.
But if you are making these analyses because you are investigating the structural collapse of a building, that is only (a very small) part of the story.
In digital forensics, you bring in (say) a hard disk and besides the imaging part (which should have no problems in being certified under ISO17025) you extract data (with *any* tool/software/self-written script/etc.) and then you interpret these data.
Possibly (and I presume with the greatest effort and with, I believe, a long list of limitations/complications) this "extraction" part can also be certified/accredited?
But when it comes to translating these data into "what actually happened", i.e. into making the actual report on the case and/or being the expert witness in Court, etc., the norm is very difficult (I believe impossible) to apply integrally. 😯
Most probably, with the actual ISO 17025 it would make sense (if allowed by the Law and/or "enough" to fulfill the requirements) to get only the parts related to the management of evidence (chain of custody, etc.) and imaging certified, and leave the rest of the processes/procedures under the more normal ISO 9001, which I also believe is very difficult to implement integrally in this field.
jaclaz
It's pretty clear to me that ISO 17025 is not a good fit with computer forensics. The idea of a traditional lab with all the requirements for a clean environment and the risk of cross-contamination etc. is fine for physical evidence (DNA etc.) but it's just not appropriate for digital evidence. The risk of data jumping from one drive to another, or of data from my private drive contaminating an evidence drive, is just not on the same level as that in, for example, a DNA lab.
If someone takes a laptop and image home and does some work on the kitchen table, does their kitchen become a lab? There's got to be some room for common sense and to match the appropriate procedures and checks against the risks. Within the arena of computer forensics, plenty of experts with more experience than myself are not convinced about 17025 but the regulator seems convinced to go down a one size fits all philosophy. Some of the best guys in the UK have not gone down this route and I would not hesitate with trusting them with work.
Will be drafting my feedback to the regulator over Xmas.