Trusted Digital Repository ISO 16363:2012 Audit and Certification

What is ISO 16363:2012 Certification?

The ISO/IEC 16363:2012 Space Data and Information Transfer Systems – Audit and certification of trustworthy digital repositories is the officially recognized international standard for evaluating digital repositories for trustworthiness against 109 criteria which cover all components of the digital repository such as:

  • Organizational Infrastructure
    • Governance and Organizational Viability
    • Organizational Structure and Staffing
    • Preservation Policy and Framework
    • Financial Sustainability
  • Digital Object Management
    • Acquisition of Content
    • Creation of Archival Information Package
    • Preservation Planning
    • Access Management
  • Infrastructure and Security Risk Management
    • Technology Inventory and Monitoring
    • Technical Audits
    • Software Replacement and Monitoring
    • Backup

The ISO 16363:2012 standard expands upon predecessor best practices outlined in Trustworthy Repositories Audit & Certification: Criteria and Checklist (TRAC) and Trusted Digital Repositories: Attributes and Responsibilities. Certification under ISO 16363:2012 provides a repository third-party verified credentials necessary to demonstrate the capability of the repository to ensure the access, viability, security, usability, and discoverability of its content for the long-term according to industry best practices.

Project Status and Milestones

  • November 2014
  • December 2014
    • GPO initiated the process for seeking ISO 16363 certification and announced the project to the FDLP community through an FDLP News Alert and during the 2014 DLC Virtual Meeting.
    • GPO was named by the Library of Congress and the Institute of Museum and Library Services as one of the five institutions to receive a resident through the National Digital Stewardship Residency (NDSR) program. Under this program, GPO hosted a resident for one year to work on a significant digital stewardship project. Specifically, GPO’s NDSR resident prepared for the audit and certification of FDsys as an ISO 16363 Trustworthy Digital Repository.
  • FY 2015
    • GPO prepared for the audit. Preparation included the identification and development of the necessary documentation and responses to the criteria by which FDsys will be evaluated and confirming accuracy of or adjusting to the business processes described in the documentation.
  • FY 2015/2016
    • GPO performed an internal assessment and responded to the recommendations of the internal assessment.
  • FY 2016/2017
    • GPO began the acquisitions process for an external ISO 16363 certification audit.
  • January/February 2018
    • GPO awarded a contract to PTAB – Primary Trustworthy Authorisation Body to perform a formal audit in order for GPO to receive ISO 16363:2012 Certification. The external audit of GPO’s digital repository will include a phased process of initial assessment, opportunities to respond to the initial assessment, and a final assessment by the auditor. GPO anticipates to complete the formal audit prior to the end of FY2019; ongoing surveillance audits will be necessary for GPO to maintain status as a certified repository.
  • June 2018
    • PTAB officially began the external audit of govinfo as a trustworthy digital repository. The audit will be performed in two stages. The first stage of the audit will end in fall 2018. The second stage of the audit will continue into 2019. An update on the status of the audit will be provided to the FDLP community at the Federal Depository Library Conference held October 22-24, 2018.

Where is GPO Now?

GPO has been working to become the first Federal agency to be named as a Trustworthy Digital Repository (TDR) for Government information through certification of FDsys/govinfo under ISO 16363:2012 for several years. Certification of FDsys/govinfo from an accredited certifying body shall serve to validate GPO’s commitment to standards-based digital preservation practices and activities across 109 criteria in the areas of Organizational Governance, Digital Object Management, and Infrastructure and Security Management. TDR certification has been a key GPO strategic initiative and a joint effort of GPO’s Library Services and Content Management (LSCM) and Programs, Strategy, and Technology (PST) business units since 2015. Certification under ISO 16363 will provide assurance to GPO stakeholders, including the FDLP community, that FDsys/govinfo is a standards-compliant digital archive in which Government information shall be preserved, accessible, and usable well into the long-term future.

To prepare for external certification, GPO has participated in the National Digital Stewardship Residency program, sponsored by Library of Congress and IMLS, in order to have a Resident perform in internal assessment against the 109 criteria of the ISO 16363 standard. Both PST and LSCM have reviewed and expanded existing policies, procedures, workflows, and programmatic digital preservation practices in response to this internal assessment.

In August 2016, GPO released a Request for Information to elicit information and to better understand the auditing processes and certification opportunities for FDsys/govinfo under ISO 16363:2012 accredited certification organizations and to identify organizations that could perform the audit.

In October 2017, GPO released a solicitation in order to procure an external certification body to perform the formal audit. In January 2018, GPO awarded PTAB a contract to perform a formal external ISO 16363:2012 audit. LSCM and PST believe that GPO is likely to be the first Government agency to receive TDR certification sometime in 2019.

GPO began the first stage of the audit in June 2018. This stage includes the evaluation of GPO’s self-assessment by an auditing team in order to identity potential areas of concern or nonconformities; GPO will have the opportunity to respond to these nonconformities prior to Stage 2.

In Stage 2, GPO will undergo further evaluation, including onsite visits from auditors. GPO will have a set number of months to address any existing concerns from the auditor or nonconformities; if GPO successfully responds to all areas of concern, the auditing teams determine if GPO can receive certification.

*govinfo was launched on February 4, 2016 as the eventual replacement for GPO’s Federal Digital System. TDR audit and certification will continue with govinfo as FDsys is scheduled to shut down in late 2018.

Back to Top