Trusted Digital Repository ISO 16363:2012 Audit and Certification

What is ISO 16363:2012 Certification?

On December 28, 2018, GPO made history by becoming the first organization in the United States and second organization in the world to achieve ISO 16363:2012. The Primary Trustworthy Digital Repository Authorization Body Ltd. awarded GPO ISO 16363:2012 for govinfo and publically-announced the certificate on their organization website.

As of July 2020, GPO is currently the only organization in the world to hold ISO 16363:2012 certification.

Read the 2018 final audit report, written by PTAB.

The ISO/IEC 16363:2012 Space Data and Information Transfer Systems – Audit and certification of trustworthy digital repositories is the officially recognized international standard for evaluating digital repositories for trustworthiness against 109 criteria which cover all components of the digital repository such as:

  • Organizational Infrastructure
    • Governance and Organizational Viability
    • Organizational Structure and Staffing
    • Preservation Policy and Framework
    • Financial Sustainability
  • Digital Object Management
    • Acquisition of Content
    • Creation of Archival Information Package
    • Preservation Planning
    • Access Management
  • Infrastructure and Security Risk Management
    • Technology Inventory and Monitoring
    • Technical Audits
    • Software Replacement and Monitoring
    • Backup

The ISO 16363:2012 standard expands upon predecessor best practices outlined in Trustworthy Repositories Audit & Certification: Criteria and Checklist (TRAC) and Trusted Digital Repositories: Attributes and Responsibilities. Certification under ISO 16363:2012 provides a repository third-party verified credentials necessary to demonstrate the capability of the repository to ensure the access, viability, security, usability, and discoverability of its content for the long-term according to industry best practices.

GPO's Path

GPO worked to become the first Federal agency to be named as a Trustworthy Digital Repository (TDR) for Government information through certification of govinfo under ISO 16363:2012 for several years. Certification of govinfo from an accredited certifying body validates GPO’s commitment to standards-based digital preservation practices and activities across 109 criteria in the areas of Organizational Governance, Digital Object Management, and Infrastructure and Security Management. TDR certification has been a key GPO strategic initiative and a joint effort of GPO’s Library Services and Content Management (LSCM) and Programs, Strategy, and Technology (PST) business units since 2015. Certification under ISO 16363 provides assurance to GPO stakeholders, including the FDLP community, that govinfo is a standards-compliant digital archive in which Government information shall be preserved, accessible, and usable well into the future. To prepare for external certification, GPO participated in the National Digital Stewardship Residency program, sponsored by Library of Congress and IMLS, in order to have a Resident perform an internal assessment against the 109 criteria of the ISO 16363 standard. Both PST and LSCM reviewed and expanded existing policies, procedures, workflows, and programmatic digital preservation practices in response to the internal assessment.

Project Status and Milestones

  • November 2014
    • GPO announced to the FDLP community its intent to seek certification for its Federal Digital System (now govinfo) as a Trustworthy Digital Repository.
  • December 2014
    • GPO initiated the process for seeking ISO 16363 certification and announced the project to the FDLP community through an FDLP News Alert and during the 2014 DLC Virtual Meeting.
    • GPO was named by the Library of Congress and the Institute of Museum and Library Services as one of the five institutions to receive a resident through the National Digital Stewardship Residency (NDSR) program. Under this program, GPO hosted a resident for one year to work on a significant digital stewardship project. Specifically, GPO’s NDSR resident prepared for the audit and certification of FDsys as an ISO 16363 Trustworthy Digital Repository.
  • FY 2015
    • GPO prepared for the audit. Preparation included the identification and development of the necessary documentation and responses to the criteria by which FDsys would be evaluated and confirmation of the business processes described in the documentation.
  • FY 2015/2016
    • GPO performed an internal assessment and responded to the recommendations of the internal assessment.
  • February 2016
    • govinfo was launched on February 4, 2016 as the eventual replacement for FDsys. TDR audit and certification then applied to govinfo, as FDsys was scheduled to retire in December 2018.
  • August 2016
    • GPO released a Request for Information to elicit information and to better understand the auditing processes and certification opportunities for FDsys/govinfo under ISO 16363:2012 accredited certification organizations and to identify organizations that could perform the audit.
  • October 2017
    • GPO released a solicitation in order to procure an external certification body to perform the formal audit.
  • January/February 2018
    • GPO awarded a contract to PTAB – Primary Trustworthy Authorisation Body to perform the formal audit. The external audit of GPO’s digital repository would include a phased process of initial assessment, opportunities to respond to the initial assessment, and a final assessment by the auditor.
  • June 2018
    • PTAB officially began the external audit of govinfo 
  • September 2018
    • PTAB completed Stage 1 of the external audit of govinfo . GPO responded to the auditor’s areas of concern and questions. Any remaining uncertainties from the auditor would be addressed in more detail during Stage 2.
  • October 2018
    • An update on the status of the audit was provided to the FDLP community at the Federal Depository Library Conference (October 22 – 24).
  • December 2018
    • FDsys was shut down on December 14, 2018. TDR audit and certification then applied only to govinfo.
    • PTAB performed Stage 2 of the audit. Stage 2 included a two-day site visit to review GPO repository operations and storage hardware facilities through demonstrations, interviews, presentations, and question and answer sessions. At the end of Stage 2, the auditors convened to review their findings and conclude their final recommendation to the certification committee which issues award of certification.
    • On December 28, 2018, the ISO 16363 certification committee determined that GPO had no non-conformances from Stage 2. The committee went forward to award certification to GPO, making govinfo the first digital repository in the United States and the second in the world to achieve the highest level of achievement in digital preservation and repository standards. In order to maintain certification, GPO is subject to ISO 16363 surveillance audits annually and will be eligible for a recertification audit after a three-year period.
  • December 2019
    • On December 20, 2019, the ISO 16363 certification committee determined that GPO successfully completed its annual surveillance audit required to maintain certification status. The surveillance audit included two stages of assessment including a documentation review and an onsite visit by the audit team.
  • December 2020
    • On December 22, 2020, the ISO 16363 certification committee determined that GPO successfully completed its annual surveillance audit required to maintain certification status. The surveillance audit included two stages of assessment including a documentation review and virtual audit by the auditors conducted via Microsoft Teams technology due to travel constraints during the COVID-19 pandemic. All other aspects of the surveillance audit were unaffected by the pandemic.
Back to Top