Tuesday, June 06, 2017

Not Comfortable Fit for Digital Forensics - ISO17025

Within the digital forensics arena there is discomfort amongst labs, academia, businesses and practitioners that ISO/IEC 17025 'General requirements for the competence of testing and calibration laboratories' is not a comfortable fit for digital forensics. Very few digital forensics laboratories and businesses have been accredited so far. To give an understanding of the concerns, drawn from a pretty good base of opinion in the replies to the UK ISO 17025 Digital Forensics Survey 4/24/2017 created by Professor Peter Sommer, the results have been published and are available here: http://goo.gl/KP0HOn

Not to second-guess the Forensic Science Regulator (FSR), there is, of course, the October 2017 deadline looming, and the outcomes of that deadline might impact on the way forward. However, I regularly keep an eye on Lab Accreditation and Best Practice Guides (as you can see from some of the PDF tabs open in the above screenshot) in the context of digital forensics in order to note the changing approach to digital forensics. The new breeze appears to be blowing digital forensics towards ISO standards, e.g.:

ISO/IEC 27042: 2015. Information Technology - Security Techniques - Guidelines for the Analysis and Interpretation of Digital Evidence.

ISO/IEC 27037: 2012. Information Technology - Security Techniques - Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence.

Currently, though this may change, these standards are not substitutes for accreditation. That does not mean, though, that digital forensics may not branch off and have its own unique accreditation and standards. It may well be that the British Standards Institute (BSI) needs to produce an equivalent standard for the UK based upon the example of the old BS5750 approach. BS5750 and ISO9000 do enable the UK Government's requirement to be met for "inclusion" of single-person organisations and SMEs, so that they play a part in the economy and are not excluded from it due to globalism, restraint of trade practices or over-burdensome control measures.

Previously, I drew attention to how in the US, Karin Athanas, Program Manager at the American Association for Laboratory Accreditation (A2LA), produced an article titled "Accreditation for the One-Person Organization - The smallest laboratories can teach us the biggest lessons." This article set out that smaller business entities could achieve accreditation to ISO/IEC 17025: http://trewmte.blogspot.co.uk/2016/10/isoiec-1702517020-one-person.html

The UK ISO 17025 Digital Forensics Survey 4/24/2017 isn't the first time attention has been drawn to the point that ISO/IEC 17025 should work for all, not the few. If the latter accreditation doesn't work, then maybe another route will need to be found.
