SWGDE

published documents

SWGDE Establishing a Quality Management System for a Digital and Multimedia Organization under ISO-IEC 17025 or 17020

19-Q-001

Disclaimer and Conditions Regarding Use of SWGDE Documents:

SWGDE documents are developed by a consensus process that involves the best efforts of relevant subject matter experts, organizations, and input from other stakeholders to publish suggested best practices, practical guidance, technical positions, and educational information in the discipline of digital and multimedia forensics and related fields. No warranty or other representation as to SWGDE work product is made or intended.

As a condition to the use of this document (and the information contained herein) in any judicial, administrative, legislative, or other adjudicatory proceeding in the United States or elsewhere, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in such proceeding. The notification should include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; and, 3) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Subsequent to the use of this document in the proceeding please notify SWGDE as to the outcome of the matter. Notifications should be sent to secretary@swgde.org.

From time to time, SWGDE documents may be revised, updated, or sunsetted. Readers are advised to verify on the SWGDE website (www.swgde.org) that they are using the current version of this document. Prior versions of SWGDE documents are archived and available on the SWGDE website.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

  1. Redistribution of documents or parts of documents must retain this SWGDE cover page containing the Disclaimer and Conditions of Use.
  2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
  3. Any reference or quote from a SWGDE document must include the version number (or creation date) of the document and also indicate if the document is in a draft status.

Requests for Modification:

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of any suggested modification:

  1. Submitter’s name
  2. Affiliation (agency/organization)
  3. Address
  4. Telephone number and email address
  5. SWGDE Document title and version number
  6. Change from (note document section number)
  7. Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
  8. Basis for suggested modification

Intellectual Property:

Unauthorized use of the SWGDE logo or documents without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or overrepresent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; or using the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.

1. Purpose

The purpose of this document is to guide Digital and Multimedia Evidence (DME) organizations in evaluating either ISO/IEC 17025 or ISO/IEC 17020 as the basis for a quality management system, independent of the organization’s intent to pursue accreditation.

2. Scope and Document Layout

The document briefly describes the overall goal of a quality management system (QMS). It identifies the elements of, and the relatively minor differences between, ISO/IEC 17025 and ISO/IEC 17020 and provides some considerations for selecting a standard. A list of references is also provided. Readers may also be interested in SWGDE Framework of a Quality Management System for Digital and Multimedia Evidence Forensic Science Service Providers and SWGDE Overview of the Accreditation Process for Digital and Multimedia Forensic Labs. SWGDE also publishes a series of documents on minimum requirements for elements of a QMS, including Tool Testing, Training & Competency, and Report Writing. (See the References section.)

3. Intended Audience

This document is intended for DME organizations seeking to develop, document, implement, maintain, or improve their quality management systems.

4. Background

A management system comprises an organization’s business processes focused on consistently meeting customer requirements. As stated in ISO 9000:2015, a management system is a “set of interrelated or interacting elements of an organization to establish policies and objectives”; quality management is the part of a management system concerned with quality; and quality is the “degree to which a set of inherent characteristics of an object fulfills requirements” of the customer.

The goals of a QMS are to ensure:

  • reliability of services and results,
  • competency of personnel,
  • validity of methods, and
  • equipment and software perform as expected.

The primary differences between ISO/IEC 17025 and ISO/IEC 17020 are:

  • ISO/IEC 17025 relies on defined methods [1] and the outcomes of applying those methods to produce qualitative and quantitative results.
  • ISO/IEC 17020 relies on the professional judgement of competent personnel to conduct inspection activities on products, processes, and services, and to make determinations that are responsive to customer requirements.

An organization can be accredited to either standard by an Accrediting Body. [2]

ISO/IEC 17025 is the standard traditionally adopted by forensic science disciplines, while ISO/IEC 17020 has more commonly been applied to crime scene units. However, both standards can be an effective basis for quality management in DME organizations.

ISO/IEC 17025 has broad application to “testing” laboratories (e.g., product and medical testing). Forensic laboratories are one subset of testing laboratories. DME is a discipline within the forensics community and, as such, ISO/IEC 17025 is an applicable standard and is used as a foundation for quality management systems for testing laboratories. Traditionally, DME organizations have developed and implemented their quality management systems on the premise that the activities performed in the analysis of digital devices and associated data are testing processes. It is understood that some elements of ISO/IEC 17025 are not applicable to DME (e.g., calibration, measurement uncertainty, sampling).

ISO/IEC 17020 is a standard for inspection bodies and, like ISO/IEC 17025, has broad application beyond forensic laboratories. For example, it is often used to define quality management systems for manufacturing organizations, establishing impartiality and consistency of inspection activities (i.e., consistent quality of a product or process) to verify conformance to customer requirements. The processes conducted by digital and multimedia forensic examiners include identification, collection/acquisition, and preservation of digital evidence. These processes align with “inspection” processes. ISO/IEC 17020 may therefore be applicable to digital and multimedia forensics, since examiners (inspectors) use their professional judgement and expertise to determine the best methods to yield reliable results and whether those results meet customer requirements (e.g., recovery of data with probative value). [3]

5. Quality Management System Objectives

The following should be core objectives of an organization’s QMS:

  • Meeting Customer’s Requirements:
    • Stakeholders have confidence in the organization’s processes and results.
  • Risk Management and Continuous Improvement:
    • Laboratory management implements a risk management program that identifies, analyzes, and evaluates risks and associated actions for each risk element or event to:
      • Eliminate
      • Implement an activity to reduce the likelihood of occurrence
      • Pursue as an opportunity for improvement
      • Avoid
      • Share
      • Monitor and Control
  • Operational Rigor and Consistency:
    • Policies and procedures are effectively implemented to ensure results are reliable and repeatable, especially in a dynamic environment where technology changes rapidly.

6. Comparison of ISO/IEC 17025 and ISO/IEC 17020

In order to determine the best fit for your organization it is necessary to understand the differences between ISO/IEC 17025 and ISO/IEC 17020. The selection considerations discussed below can be applied only after understanding the differences between these two standards.

The following chart outlines the elements of, and the relatively minor differences between, ISO/IEC 17025 and ISO/IEC 17020. When a clause has two titles, the ISO/IEC 17025 name is listed first, before the slash. [4] Further information is available in SWGDE Overview of the Accreditation Process for Digital and Multimedia Forensic Labs.

Clause | Description | ISO/IEC 17025 Clause | ISO/IEC 17020 Clause | Differences (DME only)
---|---|---|---|---
IMPARTIALITY | Defines how impartiality is managed and safeguarded. | 4.1 | 4.1 | Minimal
CONFIDENTIALITY | Defines how data confidentiality is managed. | 4.2 | 4.2 | Minimal
STRUCTURAL | Defines management responsibilities and operational structure. | 5 | 5 | Minimal
RESOURCE REQUIREMENTS | (section title) | 6 | 6 | Title
Personnel | Defines competence and training requirements; defines authorization to perform specific activities. | 6.2 | 6.1 | ISO/IEC 17020 has a mentoring requirement. Competence includes assessment of professional judgment.
Facilities | Defines environmental and physical access control requirements. | 6.3 | 6.2 | Minimal
Equipment | Defines equipment management and performance verification. [5] Note that calibration, reference materials, and measurement uncertainty are NA. [6] | 6.4 | 6.2 | Minimal
Metrological Traceability | NA | 6.5 | 6.2.6 – 6.2.10 | NA for DME
Externally provided products and services (contracting) | Defines requirements for the competence of contracted services and the quality of products. | 6.6 | 6.3 (services); 6.2.11 (products) | Minimal
PROCESS REQUIREMENTS | (section title) | 7 | 7 | Title
Review of requests | Defines procedures for review and acceptance of requests for services and for ensuring a shared understanding of customer requirements. | 7.1 | 5.1.5 | Minimal
Methods: Selection/Validation | Defines requirements for documenting technical procedures, laboratory-developed methods, and validation. | 7.2 | 7.1 | ISO/IEC 17025 is more detailed and requires validation prior to use.
Sampling | Statistical sampling is NA. | 7.3 | 7.1.2 | NA for DME. [7]
Handling of test items (e.g., evidence) | Defines procedures for evidence management. Note that calibration, reference materials, and measurement uncertainty are NA. [8] | 7.4 | 7.2 | Minimal
Technical records / Inspection records | Defines requirements for recording processes performed, observations, and data. | 7.5 | 7.3 | Both standards require recording of observations, but ISO/IEC 17025 requires that they be recorded at the time they are made.
Evaluation of measurement uncertainty | Defines requirements for evaluating the uncertainty of quantitative results. | 7.6 | NA | Minimal for DME. [9]
Ensuring the validity of results | Defines requirements to monitor and evaluate the reliability of results. | 7.7 | 6.1 | ISO/IEC 17025 has specific requirements for proficiency testing and review of results. ISO/IEC 17020 relies upon witnessing and monitoring.
Reporting results / Inspection reports and certificates | Defines requirements for reporting results. Certificates are NA. | 7.8 | 7.4 | Minimal
Complaints | Process for receiving, handling, and acting on internal and external complaints. | 7.9 | 7.5 – 7.6 | Minimal
Nonconforming work | Procedures for handling nonconforming work. | 7.10 | 8.7, 8.8 | ISO/IEC 17025 has additional requirements for stopping and resuming work as part of impact analysis.
Control of data / Information management | Procedures for managing data from collection to archive. | 7.11 | Not included | Not in ISO/IEC 17020
MANAGEMENT SYSTEM REQUIREMENTS | (section title) | 8 | 8 | Title
Options | Defines options for the QMS. | 8.1 | 8.1 | Minimal
Management system documentation | Defines how the laboratory documents its QMS. | 8.2 | 8.2 | Minimal
Control of management system documents | Describes documentation of QMS policies and procedures. | 8.3 | 8.3 | While the practical difference is minimal, ISO/IEC 17025 does not require written policies and procedures.
Control of records | Describes control of both QMS and technical records. | 8.4 | 8.4 | Minimal
Actions to address risks/opportunities | Describes policies and procedures for managing risk and identifying opportunities for improvement. | 8.5 | Not included | ISO/IEC 17020 has no specific risk management process requirements, but they may be inferred from the requirements for preventive action (8.8).
Improvement / Preventive action | Describes policies and procedures for continuous improvement. | 8.6 | 8.8 | ISO/IEC 17025 includes preventive action concepts within risk management but has no separate section. ISO/IEC 17020 has specific requirements for preventive action.
Corrective action | Describes the process for identifying and documenting corrective actions. | 8.7 | 8.7 | Minimal
Internal audits | Describes the program for conducting internal audits. | 8.8 | 8.6 | ISO/IEC 17025 requirements are more general. ISO/IEC 17020 is more specific about timeframes and auditor responsibilities.
Management review | Describes the process and outputs of management review. | 8.9 | 8.5 | ISO/IEC 17025 is somewhat more detailed, but the overall intent of both standards is the same.

7. Selection Consideration Scenarios

For many DME laboratories, either quality management standard can be used effectively, since some laboratories perform both testing and inspection. The following scenarios discuss some key considerations.

7.1 Scenario 1

Other disciplines in my lab have developed a QMS based on ISO/IEC 17025. Do I have to use ISO/IEC 17025 or can my DME lab QMS be under ISO/IEC 17020?

A laboratory can use both standards, each for different forensic disciplines. For example, latent prints, firearms, and DME can operate under ISO/IEC 17020 while Forensic Biology operates under ISO/IEC 17025. Harmonization of the differences between the two standards should be addressed in the QMS, but it is not required; an organization may operate under each standard independently.

7.2 Scenario 2

Are there advantages to developing a QMS under one standard for all forensic disciplines in the laboratory?

Developing, implementing, maintaining, and improving a QMS under one accreditation standard for all laboratory disciplines may offer both financial benefits (e.g., less administrative overhead) and overall consistency for the organization.

7.3 Scenario 3

My organization receives unique requests requiring novel methods. Is there an advantage to developing a QMS under one standard over the other?

ISO/IEC 17020 allows for the use of novel (e.g., unusual, unique, new) methods to meet customer requirements based upon the professional judgment of competent personnel and supporting documentation. ISO/IEC 17025 requires that nonstandard methods be validated prior to use. See SWGDE Establishing Confidence in Digital Forensic Results by Error Mitigation Analysis and SWGDE Minimum Requirements for Testing Tools used in Digital and Multimedia Forensics.

8. Conclusion

In conclusion, both ISO/IEC 17025 and ISO/IEC 17020 are appropriate foundations for a quality management system for DME. From a technical perspective, there are no overriding considerations that would require a DME laboratory to choose one standard over the other. ISO/IEC 17020 provides greater flexibility for a laboratory to address the role of the examiner’s (inspector’s) professional judgement and expertise and to set the appropriate level of review for novel methods. ISO/IEC 17025 is more commonly used by traditional forensic laboratory disciplines and provides a more robust testing structure, especially for standardized forensic processes or where non-standard methods are developed for testing.

9. References

Scientific Working Group for Digital Evidence (SWGDE) (www.swgde.org):

  • SWGDE Framework of a Quality Management System for Digital and Multimedia Evidence Forensic Science Service Providers
  • SWGDE Overview of the Accreditation Process for Digital and Multimedia Forensic Labs
  • SWGDE Minimum Requirements for Testing Tools used in Digital and Multimedia Forensics
  • SWGDE Requirements for Report Writing in Digital and Multimedia Forensics
  • SWGDE Establishing Confidence in Digital Forensic Results by Error Mitigation Analysis

International Organization for Standardization (ISO) (https://www.iso.org/standards.html):

  • ISO 9000:2015 – Quality management systems: Fundamentals and vocabulary
  • ISO/IEC 17020 – Conformity assessment – Requirements for the operation of various types of bodies performing inspection
  • ISO/IEC 17025 – General requirements for the competence of testing and calibration laboratories
  • ISO/IEC 27037 – Information Technology – Security Techniques – Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence
  • ISO/IEC 27041 – Information Technology – Security Techniques – Guidance on Assuring Suitability and Adequacy of Incident Investigative Method
  • ISO/IEC 27042 – Information Technology – Security Techniques – Guidelines for the Analysis and Interpretation of Digital Evidence
  • ISO 31000:2018 – Risk management – Guidelines

ASTM (astm.org):

  • E2916 – Standard Terminology for Digital and Multimedia Evidence Examination
  • E3016 – Standard Guide for Establishing Confidence in Digital and Multimedia Evidence Forensic Results by Error Mitigation Analysis

National Institute of Standards and Technology (NIST):

Accrediting Bodies:

Quality Management Organizations:

History

Revision | Issue Date | Section | History
---|---|---|---
1.0 DRAFT | 2019-09-19 | Quality | Initial draft created and voted by SWGDE for release as a Draft for Public Comment.
1.0 DRAFT | 2019-09-29 | Quality | Formatting and technical edit performed for release as a Draft for Public Comment.
2.0 | 2021-06-17 | Quality | Revised based on comments. Voted by SWGDE for release as Final Publication.

[1] ISO 27035 Section 3.11 defines “method” as an operation which can be used to produce data or derive information as an output from specified inputs.

[2] Each accrediting body will have supplemental requirements to consider in addition to the ISO standards.

[3] An updated version of ISO/IEC 17020 is currently in the early stages of revision, which will more closely align the standard with ISO/IEC 17025.

[4] If seeking accreditation, understand that Accreditation Bodies may include additional requirements for forensic laboratories.

[5] Equipment (such as a forensic workstation) is dependent upon the software that runs on it, if applicable. ISO/IEC 17025 section 6.4.1 includes the term “software.”

[6] Calibration may be applicable for the Audio and Video disciplines.

[7] See the SWGDE paper on “field sampling” pertaining to the ANAB scope, out for public comment in 2021.

[8] Calibration may be applicable for the Audio and Video disciplines.

[9] Photogrammetry analysis and reports may involve measurement uncertainty estimates.

Version: 2.0 (June 17, 2021)