ISO Standards for Digital Archives

Scope
“ISO standards are part of a suite of standards at the repository, national, and international levels that demonstrate trustworthy and responsible data management and stewardship. They provide digital repositories of all sizes with direction for demonstrating their adherence to quality and consistency, to respect for data integrity, and a commitment to the long-term preservation of and access to the information entrusted to their care.”

There are three important ISO standards concerning digital repositories:
 * ISO 14721:2003 and ISO 14721:2012 (OAIS – a reference model for what is required for an archive to provide long-term preservation of digital information)
 * ISO 16363:2012 (Audit and certification of trustworthy digital repositories (TDR) – sets out comprehensive metrics for what an archive must do, based on OAIS)
 * ISO/FDIS 16919 (soon to be published – requirements for bodies providing audit and certification of candidate trustworthy digital repositories; specifies the competencies and requirements on auditing bodies)

Development
OAIS, the reference model for an Open Archival Information System (OAIS) was published by the Consultative Committee for Space Data Systems (CCSDS) in 2002 and became an ISO standard (ISO 14721) in 2003. It was designed to create a “consensus on what is required for an archive to provide permanent, or indefinite Long Term, preservation of digital information” and provides a common conceptual framework describing the environment, functional components, and information objects within such a system.

Following the publication of OAIS “institutions began to declare themselves ‘OAIS-compliant’ to underscore the trustworthiness of their digital repositories” although “there was no established understanding of ‘OAIS-compliance’ beyond being able to apply OAIS terminology to describe their archive”.

For this reason, the Research Libraries Group (RLG) and the National Archives and Records Administration (NARA) created a joint task force to specifically address digital repository certification and subsequently published Trustworthy Repositories Audit & Certification (TRAC) in 2007. The development of TRAC was influenced among others by the certification working group of Germany’s nestor (Network of Expertise in Long-Term Storage of Digital Resources) project and their development of the Kriterienkatalog vertrauenswürdige digitale Langzeitarchive (Catalogue of Criteria for Trusted Digital Repositories).

The CCSDS in turn published a Recommended Practice based on TRAC for providing audit and certification of the trustworthiness of digital repositories which provides a detailed specification of criteria by which digital repositories shall be audited. This document was accepted as ISO 16363 and sets out comprehensive metrics for what a digital archive must do, based on OAIS.

The OAIS reference model (ISO 14721)
“An OAIS is an Archive, consisting of an organization, which may be part of a larger organization, of people and systems that has accepted the responsibility to preserve information and make it available for a Designated Community. […] The term ‘Open’ in OAIS is used to imply that this Recommendation, as well as future related Recommendations and standards, are developed in open forums, and it does not imply that access to the Archive is unrestricted. The information being maintained has been deemed to need Long Term Preservation, even if the OAIS itself is not permanent. Long Term is long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long Term may extend indefinitely.”

The OAIS model is neither an implementation plan nor a data model, nor a specification for digital archives but a reference model which provides a framework for archival information systems including terminology, concepts, roles, and operations. OAIS is applicable for all archives and organizations as well as for all kinds of information objects.

The following definitions are taken from the official documentation of the ISO 14721/OAIS standard.

Model view of an OAIS environment

 * Producer: The role played by those persons or client systems that provide the information to be preserved. This can include other OAISes or internal OAIS persons or systems.
 * Management: The role played by those who set overall OAIS policy as one component in a broader policy domain, for example as part of a larger organization.
 * Consumer: The role played by those persons, or client systems, who interact with OAIS services to find preserved information of interest and to access that information in detail. This can include other OAISes, as well as internal OAIS persons or systems.



OAIS information definition

 * Information is always expressed (i.e., represented) by some type of data.
 * Data interpreted using its Representation Information yields Information.
 * Information Object preservation requires clear identification and understanding of the Data Object and its associated Representation Information.
 * An Information Package is a conceptual container holding two types of information:
 * Content Information
 * Preservation Description Information (PDI)
 * The OAIS reference model also distinguishes between an Information Package that is preserved by an OAIS and the Information Packages that are submitted to, or disseminated from, an OAIS:
 * SIP (Submission Information Package): Delivered by the Producer to the OAIS for use in the construction or update of one or more AIPs and/or the associated Descriptive Information.
 * AIP (Archival Information Package): Consists of the Content Information and the associated Preservation Description Information (PDI), which is preserved within an OAIS.
 * DIP (Dissemination Information Package): Derived from one or more AIPs, and sent by Archives to the Consumer in response to a request to the OAIS.

The six functional entities of an OAIS

 * Ingest: Contains the services and functions that accept SIPs from Producers, prepares AIPs for storage, and ensures that AIPs and their supporting Descriptive Information become established within the OAIS.
 * Archival Storage: Contains the services and functions used for the storage and retrieval of AIPs.
 * Data Management: Contains the services and functions for populating, maintaining, and accessing a wide variety of information. Some examples of this information are catalogs and inventories on what may be retrieved from Archival Storage, processing algorithms that may be run on retrieved data, Consumer access statistics, Consumer billing, Event Based Orders, security controls, and OAIS schedules, policies, and procedures.
 * Administration: Contains the services and functions needed to control the operation of the other OAIS functional entities on a day-to-day basis.
 * Preservation Planning: Provides the services and functions for monitoring the environment of the OAIS and which provides recommendations and preservation plans to ensure that the information stored in the OAIS remains accessible to, and understandable by, and sufficiently usable by, the Designated Community over the Long Term, even if the original computing environment becomes obsolete.
 * Access: Contains the services and functions which make the archival information holdings and related services visible to Consumers.

For further information concerning the OAIS reference model, please refer to the official document.

Overview of audit and certification criteria
ISO 16363 defines so-called metrics: normative measures against which a digital repository may be judged and which it should meet in order to gain an audit. According to the ISO 16363 documentation “when evaluated together, metrics can be used to judge the overall suitability of a repository to be trusted to provide a preservation environment that is consistent with the goals of the OAIS. Separately, individual metrics or measures can be used to identify possible weaknesses or pending declines in repository functionality”.

There are three main sections of metrics, each consisting of one or more subsections:
 * Organizational Infrastructure
 * Digital Object Management
 * Infrastructure and Security Risk Management

Each metric includes a short Supporting Text, as well as Examples of Ways the Repository Can Demonstrate It Is Meeting This Requirement, followed by a Discussion. The full text of the standard is available here, while a self-assessment template can be downloaded here.

According to the Primary Trustworthy Digital Repository Authorisation Body (PTAB), “an ISO 16363 audit should include a period of preparation by the digital repository and a site visit by an audit team, resulting in a formal report to the digital repository and, if appropriate, issuance of certification to the digital repository. The process should begin long before the actual audit with the repository assembling materials to address the ISO 16363 metrics. Following the initial certification audit, repositories may be subject to subsequent audits if they wish to maintain certification over time.”

Current Status
As of October 2014:

The Audit and Certification of Trustworthy Digital Repositories was published as ISO 16363 in February 2012 (ISO 16363:2012) by the International Organization for Standardization (ISO). The corresponding Requirements for Bodies Providing Audit and Certification of Candidate Trustworthy Digital Repositories, draft ISO 16919, which determines the standards an organization must meet in order to provide digital repositories with an ISO 16363 audit, is not yet published due to ongoing discussions between PTAB, the ISO Committee for Conformity Assessment (CASCO) and the International Accreditation Forum (IAF), over their respective roles in the audit and certification process. It must be noted that until the draft ISO 16919 is completed and subsequently published, no ISO 16363 audit can be conducted nor any ISO 16363 certification issued. Nonetheless, digital repositories can already begin to prepare for an audit by self-assessing their repository and assembling materials to address the ISO 16363 metrics.