Over the years I have heard so many horror stories about the difficulties and inconveniences accreditation presents and have even participated in discussions at the national level about the appropriateness of accreditation in some forensic disciplines to include the applicability of the general ISO/IEC standards 17020 and 17025. When asked to explain these difficulties, inconveniences, and appropriateness issues almost every answer I received could be linked back to the organization’s misinterpretation of the standard or its inappropriate application; in other words, organizations were adding more requirements to the standard than were necessary, which made them more restrictive, difficult, and inconvenient.
An example I like to use to highlight this is:
ISO STANDARD REQUIRES: You must have a piece of paper and identify its location.
AN ACCEPTABLE RESPONSE COULD HAVE BEEN: Here is my piece of paper and it is kept in the organizations administrative files
AN OVERZEALOUS RESPONSE THAT I HAVE SEEN: Here is my piece of paper, it is white in color and has blue lines evenly spaced throughout and is 8.5 x 11 inches in size. It contains the details of last year’s budget and is written in blue ink with negative number highlighted in red ink. It is kept in drawer 1 of the administrative file cabinet, which is a HON 510 Series 4 drawer vertical file cabinet, letter size, black in color, and 25” deep. Each drawer is lockable and is separately keyed. The keys are logged in the organizations key log, which is located in drawer 2 of the aforementioned administrative file cabinet and duplicates are sealed in labeled envelops, which are secure in the security file cabinet, which is…[I THINK YOU GET THE IDEA]
Clearly the overzealous response contains numerous details and applies additional requirements that are NOT REQUESTED OR REQUIRED by the ISO standard. This type of response is typical of the examples I have seen where an organization claims the accreditation standards are overly restrictive when in fact it is their misinterpretation and application of that standard that is the issue.
Don’t get me wrong, I too made these very same mistakes back when I started in 2004 and I blame myself for the current indecision challenges digital forensic organizations are experiencing today. I was one of the early pioneers who helped get DEA’s Digital Evidence Laboratory accredited and I drafted similar responses into their policies and procedures with the “goal” of making it “meaningful and defensible.” DEA’s Digital Evidence Laboratory was the first digital forensics laboratory to achieve ISO/IEC 17025 accreditation through the American Society of Crime Laboratory Directors/Laboratory Accreditation Board – International (ASCLD/LAB) closely followed by the FBI’s Digital Forensics and Multimedia Laboratory who drafted similar policies and procedures. These two organizations are now being used as role models and it is terrifying to smaller organizations who believe this is how it needs to be done.
WELL I AM HERE TO TELL YOU, IT DOES NOT NEED TO BE DONE THAT WAY!
Back in 2014, as laboratory director for CACI’s Digital Forensics Laboratory (CDFL), I hired a Quality Assurance Manager with no forensics or ISO/IEC 17025 experience, but he had over a decade and a half of experience working with ISO 9001, ITIL, and CMMI. His first task was to familiarize himself with our ISO/IEC 17025 compliant Quality Management System. After he reviewed, my very DEA/FBI-esk quality assurance manual he proceeded to tear it apart and bled all over it! It took me a week to recover as I thought I had a perfectly drafted document – boy was I wrong. 🙂 Once I completed reviewing his suggested modifications, I began to see that he was right and we proceeded to remove the unneeded information, which cut the size of our manual down considerably. We received high praise from our accrediting body assessor, who said, “it was very clear, concise, and easy to follow” and even received zero non-conformities during the last three consecutive surveillance visits and counting. BEST DECISION I MADE!
It is the knowledge and experience that we will pass on to you making you just as successful!