E-Records Forum 2013: Audits of Trustworthy Digital Repositories

This is the second post in a multi-part recap of the 2013 NAGARA E-Records Forum.

One of the major differences I’ve noticed between the archives field and the records management field is the relative lack of standards in the former and an abundance of standards in the latter. However, because digital records need to be managed across their life cycle, information professionals are developing standards and practices which bridge the gap between the two fields. One such project is the articulation of criteria for a Trusted Digital Repository, or TDR. According to the RLG-OCLC report on Trusted Digital Repositories: Attributes and Responsibilities, a TDR is defined as an institution that will “provide reliable, long-term access to managed digital resources to its designated community, now and in the future.” Although this goal can be defined simply, achieving it is a long and complex process!

At the e-records forum, we learned about the audit process for TDRs from two perspectives: from those who are developing the audit process, and from an institution who went through a test audit. Mark Conrad, from NARA’s Center for Advanced Systems and Technology, gave us information about the development of the audit process. Mark Myers from the Kentucky Department of Library and Archives spoke to us about their experience participating in a test audit.

ISO 16919: Requirements for Bodies Providing Audit and Certification of Candidate Trustworthy Digital Repositories

Over the past fifteen years or so, various groups concerned with data and information organization have been defining a set of attributes and responsibilities for a TDR. This has culminated in ISO 16363, an international standard known as the Trusted Digital Repository Checklist.

But wait! Who should officially confer “Trustworthy” status on a digital repository? That’s where ISO 16919 (still under development) comes in. This standard will outline the requirements for bodies providing audit and certification of TDRs – we don’t want just anybody saying that repositories are trustworthy. There needs to be an authoritative entity of some sort that confers the TDR title only onto deserving institutions.

One way that ISO 16919 is being refined is through test audits. Mark Conrad spoke about administering the test audits to different repositories in the summer of 2011. Basically, these institutions were tasked with making themselves available for an ISO 16363 audit. The checklist that the working group and repositories used is available at the website for the Primary Trustworthy Digital Repository Authorisation Body (PTAB).

With the information gathered from these test audits, ISO is getting closer and closer to finalizing ISO 16919. However, until this standard is completed, you cannot conduct any official ISO 16363 audits, which means that there is no such thing as ISO 16363 compliance. If a vendor tells you that they can do an ISO 16363 audit for you, they are either misinformed or outright lying, so hold on to your wallet!


As mentioned before, the ISO 16919 working group administered test ISO 16363 audits to six repositories in the summer of 2011. Three of the repositories were in Europe and the other three were in the US. So far, not a single institution has been able to meet the criteria required to be deemed officially trustworthy. Conrad showed us examples of some of the metrics, which included:

Metric 3.3.1. The repository shall have defined its designated community and associated knowledge base(s) and shall have these definitions appropriately accessible.

Metric 3.3.2. The repository shall have preservation policies in place to ensure its preservation strategic plan will be met.

Metric 4.1.7. The repository shall provide the producer/depository with appropriate responses at agreed points during the ingest processes.

Metric The repository shall have tools or methods that determine what representation information is necessary to make each data object understandable to the designated community.

In all of these examples, the biggest problem from the test sites was usually a lack of written policies or insufficient policies. So while a repository might in fact carry out trustworthy practices, those practices need to be codified in written policies in order for the repository to earn the Trustworthy label.

Conrad says that it is never too early to prepare if you are interested in earning TDR status. The steps that you will need to take are:

  • Begin gathering (or creating!) the documentation you will need for audit and certification
  • Fill out the self-assessment document
  • Identify gaps and weaknesses
  • Identify needs for reallocation and/or additional resources

However, a word of warning: This can, and perhaps should be, a very long process. The six sites that were audited spent an average of 400 hours gathering the information they needed in order to fill out the self-assessment.

KDLA Audit

The Kentucky Department of Library and Archives was one of the repositories (and the only government archives) that went through the test audit, and this was the topic of Mark Myers’ presentation. The audit consisted of two parts: the self-assessment and an on-site visit. The audit focused on three things:

  • Technology and infrastructure
  • Policies and Procedures
  • Administration

KDLA has a very strong electronic records program, but even they did not pass the test audit. Or, as Myers put it: they didn’t pass, but they didn’t not pass either. They did, however, learn which metrics they failed to satisfy. From this, they inferred certain recommendations for improving their metric performances. These recommendations included:

  • Move to a “financially sustainable” program. Myers took issue with this recommendation due to the financial instability that plagues many government agencies, especially libraries.
  • Identify all the designated communities (users).
  • Strengthen the strategic plan – while KDLA did have preservation plans for the archives as a whole, they did not have one that was specific to digital materials.

Another succinct recommendation was “Beware of Buses.” Myers reports that KDLA was asked, “What if one of you was hit by a bus?” They quickly realized that a lot of that person’s knowledge would be irretrievably lost if they don’t write it down. Now, KDLA is in the process of strategic planning – they are writing and revising all policies and procedures, identifying operational and developmental systems, documenting their actions and policies for successors, and watching out for buses!


There’s no getting around the fact that the two standards discussed here, ISO 16363 and ISO 16919, make for some dry reading. However, they are and will be immensely valuable documents for institutions that want to prove their worthiness as repositories for digital records. Each standard represents years of work towards an international consensus about how to handle electronic records. Even if you feel like your organization is years away from complying with such a rigorous standard, the best thing you can do right now is document, document, document! Write down your policies and procedures. A lot of what these standards are looking for is whether an institution has a sound written plan regarding digital records. Documenting your policies and procedures will give you a solid foundation to continue developing your electronic records program.