ISO 9001 and COMPUTER FORENSICS TOOLKIT??

 fasf
(@fasf)
New Member
Joined: 16 years ago
Posts: 1
Topic starter  

We are interested in certifying a Computer Forensics Lab to ISO 9001. Searching the Internet for documentation that could somehow help me with the job, I found the "COMPUTER FORENSICS TOOLKIT" ( http://www.computer-forensics.privacyresources.org ). Could someone who knows this documentation and ISO 9001 say whether it would help with the documentation for certification?

Does anybody know of other documentation that could help me with the writing and structure of my documentation for certification?

Thanks very much.


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

This site has many postings about ISO 9001. Searching Forensic Focus will bring you many results that can help you.

http://www.forensicfocus.com/simon-biles

Came up as a top article when searched.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

We are interested in certifying a Computer Forensics Lab to ISO 9001. Searching the Internet for documentation that could somehow help me with the job, I found the "COMPUTER FORENSICS TOOLKIT" ( http://www.computer-forensics.privacyresources.org ). Could someone who knows this documentation and ISO 9001 say whether it would help with the documentation for certification?

I was involved in a 9001 certification effort some years ago – not a forensic lab, though. If you don't know what you are getting into, find someone who does (or take a course). There are 9001 consultants out there, and the best of them have seen many, many companies go for the 9001, and do understand what it takes to succeed, and also what it takes to fail – for instance, how much work will it take? Can you allocate that work or not? And especially, what 9001 is designed for, and how it must be modified when it's applied to other types of organizations. (Things may have changed – when I did this, 9001 was targeted to manufacturing companies, not consulting companies, and this made things quite confusing at times – we were for example at first not able to decide if we had to provide records about processing of raw material, or what the equivalent might be in consulting terms.)

Or, in other words, you get what you pay for.

The best advice I can give you is to do as little as possible, make sure you do all things right (no, it's not an 80/20 thing), and allow for exceptions to all rules you make.

The worst thing we did was to assume everything could be done according to one formula, and not to allow any exceptions. The formula we chose for project management was based on the classical consulting job – you know, 100 persons, working full time over several years on a huge telecom project. The necessary documents per project required five working days to produce, but in those large projects that's nothing. We 'forgot' that many, many projects were very small, and very fast, and often less than a week in extent. Add those five extra days to such jobs for doing the formal documents, and you halve your availability time, while not being able to get paid for it. That's a big no-no. After some time we managed to correct things, so that the rules were applied only to large projects. But up to the moment we got things fixed, I was under orders to go far away when the revision team visited, as I worked mainly with such small projects, and there was no way I could do it according to the rules. You don't want to end up in that kind of situation.

We got certified, but we couldn't keep it up; after two years we simply dropped it. We had grown as a company – we were taking quality issues more seriously, but we were not at a level where we operated at ISO 9001 levels without an effort.

One of the things I got out of it was that if you write rules without knowing what you are doing, you are going to fail. Introducing new rules into an organization takes much longer than you expect; it's not a question of when the first person passes the goal posts, but when the last person does. Until that happens, that last person may prevent you from getting certified.

And do not expect to be able to get an ISO-9001 framework up and running unless you can spend the time; we were a fairly large company, and we had about five people working full time over a year with this, and several more part-time (I was one of those).

From looking over the web page you mentioned, I see there's relevant material for what might be called 'the forensic process'. But ISO 9001 applies to all key processes in the company. Although you may decide that that is the only one that matters (no one can contradict you, not even ISO 9001 auditors, as you are the only experts on your own company), you may get a very unbalanced environment, where 'forensic' things are very strictly controlled, but marketing, sales, hiring, and other processes that are equally important to the business – and the quality process is one of those – are not. You don't want that.

You may be able to use parts of the kit. But it all depends on what your current framework looks like. If you already have a well established certification effort, no problem. If you don't, and hope you'll be able to become certified by adopting someone else's stuff, you're only fooling yourselves.


   