ISO 16363 certification guide
This section has been created by David Giaretta (head of the OAIS and ISO 16363 working group)
What is certification and Why is it Important?
When we buy a house, we normally want to make sure that what we are buying is adequate for its purpose, and that we are not being cheated in some way. No matter what the seller claims, we normally employ an independent building inspector, not connected to the seller, to perform an inspection and certify that the house is OK, is safe to live in and will not fall down.
The same is true for many things we depend on in life and work, whether it is the airplanes we fly on, the banks to which we entrust our money, the medical instruments which our surgeon may use to operate on us or our loved ones, or the food we eat. However, in these cases we do not employ the inspector ourselves; instead we rely on the organisation or manufacturer to have checks done by some trusted, knowledgeable third party who will provide a certificate which we and others can check. This type of inspection is called a third-party audit, carried out by an audit organisation.
In principle we can look at the certificate and then also check the audit organisation which provided it, and even the organisation which accredits it, i.e. tells us that the audit organisation is trustworthy and knowledgeable in the relevant field.
If the certificate is 10 years old then we might be somewhat suspicious because many things can change over that time. Organisations can lose key staff or the staff may not keep up with the latest techniques in that field and may not understand the risks that need to be checked. Therefore we would really expect the certificate to be a recent one - maybe a year or so old, and the same would apply to the organisation which had provided the certificate - somehow they must also be certified, by some other organisation.
These same considerations apply to our digitally encoded information which is valuable to us and that we want to be preserved. Any archive to which we entrust our digital capital will no doubt tell us that they are perfectly able to preserve the information over years or decades or centuries. How can we be sure? How can they be sure?
The answer is that we would expect the archive to be certified.
Self-certification, where the archive audits itself, is a necessary first step. However, this is normally done for the benefit of the archive itself, just as the seller of a house is likely to inspect the house before selling, correcting any problems he/she finds, before putting the house on the market. However, just as that self-certification is not likely to be accepted by a prospective house purchaser, neither should self-certification of an archive be accepted by funders or those who deposit their valuable holdings into the archive.
There are several "standards" available against which an archive may be judged. Some are community documents such as CoreTrustSeal which are essentially self-governing.
The other type is ISO 16363, which is an ISO standard and for which the full ISO process of accreditation and certification applies. The point is that the ISO process aims at ensuring consistency of audits across organisations and countries by making sure that everyone and every organisation is inspected every year, using a tried and tested process set out in ISO 17021.
Any third-party audit requires the archive to collect evidence to present to the auditors. Much of this evidence may be collected in a self-audit. The ISO process requires a Stage 1, in which this evidence is inspected off-site, followed by an on-site Stage 2.
A well-organised repository should have most of the material needed to present as evidence. The main effort will be to find and organise that material. Some aspects of the repository may be tacitly agreed within the repository, and so a small number of new documents may need to be written, for example to document procedures and to make explicit specific policies or definitions, such as that for the Designated Communities.
A summary of the preparations for an ISO 16363 audit is included in the next section, with full details in the following section.
Summary of documents and procedures required
Evidence of commitment to preservation e.g. mission statement of repository
Preservation Strategic Plan and Collection policy with Preservation policies and review schedule, including Collection and individual objects Integrity checks
Funding projections with Business/funding plans and Succession plan
Staff duties, job descriptions, training record and plans
Definition of the Designated Community(ies) and documentation of Transformational Information Properties and Preservation aims.
Change history of repository operations, procedures, software and hardware
Transparency, with explanations where restrictions are applicable
Audit history – internal and external audits
Risk register(s) covering finances, hardware, software, staffing
Contracts and agreements which apply to the repository’s holdings, including IPR and access restrictions
Descriptions of the SIPs it expects and how these are checked, including their origin, and how they are processed
Descriptions of the AIPs it creates (which are likely to be logical) including the way in which these may be shown to be adequate for preservation
Description of the identifier system used, any limitations on the number of identifiers, and how identifiers are maintained
Description of Preservation Strategies for the collections including how Representation Information is maintained and how the repository ensures that it has enough Representation Information
Description of how Provenance is collected
Description of search capabilities with discussion of the requirements for these
Disaster recovery plans
Detailed table of preparatory work