
Page 1 of 4

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

(QAF-02-05-01)

Master List of Documents August, 2010

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology, Electronics Niketan, 6 CGO Complex, Lodi Road,

New Delhi – 110003.


Amendment Log

Version Number   Date          Change Number   Brief Description
Draft            June 2010     -               Draft
ISSUE 1          AUGUST 2010                   FIRST RELEASE


Table of Contents

Sl. No.   Doc. Ref. No.   Control Document Name
1         QAF-02-05-01    Master List of Documents
2         QAF-02-05-02    Rules & Procedures for approval of Conformity Assessment Bodies for eGovernance
3         QAF-02-05-03    Guidance to Applicant for approval of Conformity Assessment Bodies for eGovernance
4         QAF-02-05-04    Schedule of Charges
5         QAF-02-05-05    Approval Agreement
6         QAF-02-05-06    Application form for approval of Conformity Assessment Bodies for eGovernance
7         QAF-02-05-07    Certificate of Approval of Independent Test Laboratory
8         QAF-02-05-08    Certificate of Approval of Independent Assessment Body
9         QAF-02-05-09    Procedure for Approval of Independent Testing Laboratory
10        QAF-02-05-10    Procedure for Approval of Independent Assessment Body
11        QAF-02-05-11    Approval Criteria (Check List) of Independent Testing Laboratory
12        QAF-02-05-12    Approval Criteria (Check List) of Independent Assessment Body
13        QAF-02-05-13    List of Appointments
14        QAF-02-05-14    Summary report format for Independent Test Laboratory
15        QAF-02-05-15    Summary report format for Independent Assessment Body
16        QAF-02-05-16    Compliance checklist with IT specific laboratory requirements based on generic checklist ISO/IEC 17025
17        QAF-02-05-17    Minimum requirements for Independent Test Laboratory
18        QAF-02-05-18    Guidelines for Third Party Conformity Assessment Service Charges


Page 1 of 26

Rules and Procedures

For

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

(QAF-02-05-02)

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology, Electronics Niketan, 6 CGO Complex, Lodi Road,

New Delhi – 110003


Index

1. Introduction
2. Scope
3. Normative references
4. Terms and Definitions
5. Approving Body
5.1 Legal Status
5.2 Structure
5.3 Impartiality
5.4 Confidentiality
5.5 Liability and financing
5.6 Approval activity
6. Approving Body's Management System
6.1 Management system
6.2 Document control
6.3 Records
6.4 Non-conformities and corrective actions
6.5 Preventive actions
6.6 Internal audits
6.7 Management reviews
6.8 Complaints
7. Human resources
7.1 Personnel associated with the approving body
7.2 Personnel involved in the approval process
7.3 Monitoring
8. Approval process
8.1 Approval criteria and information
8.2 Application for approval
8.3 Resource review
8.4 Subcontracting the assessment
8.5 Preparation for assessment
8.6 Document and record review
8.7 On-site assessment
8.8 Analysis of findings and assessment report
8.9 Decision-making and granting approval
8.10 Appeals
8.11 Reassessment and surveillance
8.12 Extending accreditation
8.13 Suspending, withdrawing or reducing approval
8.14 Records on CABs
9. Reference to approval and use of symbols
Annexure I: Guidelines for the use of rules and procedures


1. Introduction

Conformity Assessment is defined in ISO/IEC 17000:2004, Conformity assessment - Vocabulary and general principles, as: "Demonstration that specified requirements relating to a product, process, system, person or body are fulfilled." Conformity assessment procedures provide a means of ensuring that the products, services or systems produced or operated have the required characteristics, and that these characteristics are consistent from product to product, service to service, or system to system. Conformity assessment provides benefits for manufacturers and service providers, consumers and government regulators, as well as for international trade in general. Conformity assessment consists of activities such as testing, assessment, inspection and certification; accordingly, conformity assessment bodies are independent test laboratories and assessment bodies with different scopes of operation. Testing is one of the most common forms of conformity assessment and also one of the most essential. Testing, used as a generic term, includes sampling, testing, measurement and calibration. The liberalization of the trade and industry policies of the Government of India has created quality consciousness in domestic trade and provided greater thrust for export. As a consequence, testing laboratories have to demonstrably operate at an internationally acceptable level of competence. The general requirements for laboratories or other organizations to be considered competent to carry out sampling, testing (other than medical) and calibration are specified in the International Standard ISO/IEC 17025:2005. Approving bodies for laboratories thus play a pivotal role in the formal recognition of the technical competence of laboratories by granting approvals against this international standard.

The Standardization Testing and Quality Certification (STQC) Directorate is responsible for providing approval services to laboratories and conformity assessment bodies in an impartial and non-discriminatory manner for eGovernance conformity assessment purposes. The objective of the Scheme for Approval of Conformity Assessment Bodies (CAB) for eGovernance is to facilitate the availability of competent and reliable Independent Test Laboratories and Assessment Bodies for quality assessment of eGovernance solutions, which include applications, information security systems, managed IT services etc. This approval scheme ensures the availability of approved bodies for evaluating the quality and security of eGovernance projects.

For the approval process to be effective, approving bodies are required to design and operate their systems and processes in line with the requirements of ISO/IEC 17011:2004 "Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies". This document provides information on the management system established at STQC. The management system is based on the requirements of ISO/IEC 17011:2004. This is a dynamic document in the sense that it will undergo amendments in response to the requirements of continuous improvement, based on feedback received from any of the interested parties (stakeholders).

2. Scope

The conformity assessment activities for e-Governance broadly cover:

• Testing of IT solutions for functional and non-functional characteristics
• Assessment of information technology systems for security, service assurance, quality management system etc.

The scope of the two categories is defined as:

a) IT (Software and System) Test Laboratories covering:

i. Functional Testing
ii. Usability Testing
iii. Application Security Testing


iv. Performance Testing
v. Reliability/Availability Testing
vi. Maintainability Testing (Application)
vii. Portability Testing (Application)
viii. Configuration & Compatibility Testing
ix. Code Review
x. Network Testing (Performance)
xi. Network Testing (Security)
xii. National Requirement of Website Quality

b) Independent Assessment and Evaluation Bodies with the following scope:

i) Assessment of Information Security Management System (ISMS - ISO 27001)
ii) Assessment of Information Technology Service Management System (ITSM - ISO 20000-1)
iii) Assessment of Quality Management in Public Service Organization (IS 15700)
iv) Assessment of System & Software Life Cycle Processes (ISO 12207)
v) IT and non-IT Infrastructure Audit

3. Related Documents and Normative References

• Conformity Assessment Requirements for e-Governance (CARE) [www.egovstandards.nic.in]
• ISO/IEC 17011:2004 - Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies
• ISO/IEC 17025:2005 - General requirements for the competence of testing and calibration laboratories
• ISO 19011:2002 - Guidelines for quality and/or environmental management systems auditing
• ISO/IEC 17000:2004 - Conformity assessment - Vocabulary and general principles

4. Terms and Definitions

Conformity Assessment - Defined as "any activity concerned with determining directly or indirectly that relevant requirements are fulfilled".

Conformity Assessment Body (CAB) - A professional body engaged in performing the conformity assessment activity.

Assessment Bodies - Assess organizations or projects for compliance with management system or process standards (ISMS, ITSM, QMS etc.) using professional judgement.

Independent Test Laboratories - Test or measure samples or items, using scientific methods, to determine particular characteristics and/or compliance with standards or specifications. For the purpose of this scheme, laboratories cover system and software (IT) testing laboratories.

Approving Body - Approval is defined as the "procedure by which an authorized body gives formal approval (recognition) that a body or person is competent to carry out specific tasks". In the context of this scheme, STQC is authorized by DIT, MCIT to operate the approval scheme for recognizing competent Conformity Assessment Bodies (CAB) for evaluating the quality of eGovernance solutions.

Certification Bodies - Certification is defined as the "procedure by which a third party gives written assurance that a product, process or service fulfils specified requirements".

System Certifiers - Certify organizations for compliance with management system standards (ISO 9000 series) and/or Information Security Management Systems (ISO 27001) or the IT Service Management standard.


Approval System - A system that has its own rules of procedure and management for carrying out approval of conformity assessment bodies.

Registration - Inclusion of a conformity assessment body's particulars and the field of its assessed capability by the Approving Body in an appropriate register or list that is available in the public domain.

Certificate of Approval - A document issued under the rules of an approval system indicating compliance/conformance with the specified requirements of the applicable standard or requirements.

Approval Agreement - An agreement which is part of the approval system and which details the mutual rights and obligations of the approval certificate holder and the Approving Body, and which includes the right to use the approval certificate.

Appeal - A formal expression of dissatisfaction by an affected party with a decision of the Approving Body that is directly related to the approval status of the Conformity Assessment Body.

Complaint - A formal expression of dissatisfaction with some matter related to the Approving Body, an approved CAB or an individual.

Dispute - An expression of difference of opinion between two parties in relation to some matter related to the Approving Body, an approved CAB or an individual.

Minor Non-conformity - An isolated lapse that will not directly affect the conformance of the CAB to the applicable requirements. However, if it persists, it may be considered a major non-conformity.

Major Non-conformity - The absence or ineffective implementation of one or more required system elements, or a situation which would, on the basis of objective evidence or evaluation, affect the conformance of the CAB to the applicable requirements.

5. Approving Body

STQC is the designated approving body for the operation of the scheme. For the purpose of the scheme, the Quality Policy is defined as follows:

The Standardization Testing and Quality Certification (STQC) Directorate is committed to promote, coordinate, guide, implement and maintain a Conformity Assessment Bodies approval system, suitable for eGovernance, in a professional way and in accordance with the relevant national and international standards. STQC maintains a management system in accordance with international practices (ISO/IEC 17011:2004) and ensures that its approved conformity assessment bodies are competent in their operations of testing and assessment.

Principle and Approach: Users (Government departments as buyers, funding agencies, solution providers as suppliers) demand confidence in the quality of the service they use. It is also important for the


businesses (solution providers) and buyers (generally government organizations) to have confidence in the integrity and quality of the services supplied by a Conformity Assessment Body. It is the independence, competence and impartiality of the participating conformity assessment bodies that provide this confidence. The principles and approach for operating this scheme are:

• Defining, harmonizing and building consistency in test engineering and assessment services in India for quality evaluation of eGovernance solutions, by ensuring common interpretation of the standards and common, harmonized test report formats and assessment procedures used by its clients (approved CABs).
• Ensuring transparency of the operations (including assessments) performed and results provided by its clients (approved CABs).
• Maintaining harmonious links between buyers and suppliers.
• Managing a peer evaluation system consistent with international practices.
• Acting as a technical resource on matters related to the implementation and operation of DIT policy on capacity building for the quality evaluation of IT systems, services and products.

Goal, Policy, Declarations and Objectives

Goal: To provide approval services for Conformity Assessment Bodies in a competent and credible manner, leading to enhanced acceptability of Conformity Assessment Bodies by user organizations.

General policy statements, declarations and commitments:

The Approving Body provides unhindered access to all eligible applicants seeking approval. However, approved applicants will have to commit that they provide the services in a competent, professional and reliable manner in the market (business/activities) and are involved in the activities for which they have been approved.

All the procedures adopted by the Approving Body are administered in a non-discriminatory manner. The Approving Body makes its services accessible to all eligible applicants, without any undue financial or other conditions.

The Approving Body confines its assessment and decision on approval to those matters specifically related to the scope of approval being considered.

The Approving Body has defined criteria against which an applicant CAB is assessed. In case of a change in the specification of any component vis-à-vis the approval criteria, re-approval will be required.

The Approving Body is responsible for its decisions relating to granting, maintaining, extending, reducing, suspending and withdrawing approvals.

The Approving Body has an identified management structure which has overall responsibility for the operation of the approval system.

The Approving Body has a documented structure, including provisions to assure the impartiality of the operation of the Approving Body. It further enables participation of all interested parties in the content and functioning of the approval system.

The Approving Body has a documented system to provide confidence in its ability to operate an approval system.

The Approving Body ensures that each decision on approval is taken by persons different from those who carried out the testing/assessment/evaluation.


The Approving Body has defined authorities and responsibilities relevant to its approval activities.

The Approving Body has adequate arrangements to cover liabilities arising from its operations and/or activities (as specified in the approval agreement).

The Approving Body has the financial stability and resources required for the operation of the approval system, in the form of budgetary and resource support from the Department of IT. The financial administration of the scheme, including determination of charges, is the responsibility of the Head (Approving Body).

The Approving Body has a sufficient number of personnel having the necessary education, training, technical knowledge and experience for performing approval functions, under the overall responsibility of the Head (Approving Body).

The Approving Body's personnel, along with the Head (Approving Body) and staff, are free from any commercial, financial and other pressures which might influence the results of the approval process.

The Approving Body has defined criteria for the appointment and operation of all the committees needed for the approval process. These committees are free from any commercial, financial and other pressures that might influence decisions.

The Approving Body has a defined policy and procedure for the resolution of complaints, appeals and disputes received from suppliers or other parties about the handling of approval or any other related matter.

5.1

Legal Status

STQC Directorate is an attached office of the Department of Information Technology under the Ministry of Communications and Information Technology, Government of India. The scheme operates from its headquarters located at Department of Information Technology, Electronics Niketan, 6 CGO Complex, Lodhi Road, New Delhi - 110003.


5.2

Structure

ORGANISATION CHART OF APPROVING BODY

[Organisation chart; the diagram itself is not reproduced. Its elements are:]

Governing Body (chaired by DG (STQC))
Management Committee
Technical Advisory Committee
Approval Committee
Director, STQC IT Services (Head, Approving Body)
  Technical Operations Manager
  Operations / Certificate Coordination Officer
  Complaints & Appeals Officer
  Assessors
Governing Body (Fin & Admn)
Lab Management Group
Training Management


The Approving Body has the following constituents:

I) Governing Body
II) Management Committee
III) Head (Approving Body)
IV) Technical Advisory Committee (TAC)
V) Approval Committee (AC)

Criteria, Composition and Terms of Reference

I) Governing Body

It is chaired by DG (STQC) and has members from DIT, industry associations and STQC. It is responsible for formulating policies and basic principles and for providing direction to the Approving Body.

II) Management Committee (MC)

The objective of the Management Committee is to carry out a periodic review of the effectiveness and efficiency of the approval scheme for Conformity Assessment Bodies, at least once a year. It will also ensure implementation of the actions necessary to meet the objectives. The Management Committee is chaired by the Head (Approving Body), with members nominated by DG (STQC).

III) Technical Advisory Committee (TAC)

The object of the Technical Advisory Committee is to provide technical advice to the approval system at various levels, as required. The TAC is nominated by DG (STQC). The TAC meets on the recommendation of the MC or on the following events:
- Change/review of specification documents
- Review and adoption of approval scheme documents
- Providing clarification and interpretation of technical issues and interpretation of standard requirements

The TAC is responsible for:
- Drafting and reviewing the scheme-specific technical documents etc.
- Resolution of disputes received from suppliers/developers with regard to the interpretation of specifications etc.
- Appeals, complaints and disputes brought before the Approving Body by suppliers or other parties.

The members are chosen from among the interested parties, such as those involved in the formulation of approval system documents, testing experts and technical experts on standards. The TAC has six representatives with adequate academic and professional experience in the field they represent. The representative of STQC is the Member Secretary of the Committee. The other members are:
- Chairman (DG STQC)
- Representatives of industry (two members)
- Representative of STQC (one member)
- Representative of DIT (e-Gov division) (one member)


III) Head, Approving Body

The Head (Approving Body) acts under the authority of the STQC Directorate. He is responsible for safeguarding the impartiality of the approval operations and for providing confidence in its approvals. The Head (Approving Body), along with the STQC team, is responsible for the operation of the approval system. In case of a conflict of opinion with a decision of the Approval Committee, he may take a decision as appropriate. He is responsible for the management of the approval system.

IV) Approval Committee (AC)

The role of the Approval Committee is to advise the Certificate Signing Authority on decisions relating to:
- the approval of independent test laboratories of defined scope
- the approval of assessment bodies of defined scope
- the approval of specialist resources for empanelment

To achieve this, the Approval Committee:
- reviews the reports of testing and evaluation for adequacy of their content
- ensures compliance, through evaluation, with the defined criteria, both administrative (process and procedures) and technical
- seeks expert opinion where necessary for determining the technical basis for granting approval
- provides feedback for improvement

The Approval Committee normally meets as and when required. The convener of the committee presents all requisite information along with supporting documentation to the Certificate Signing Authority. The authority examines the inputs and informs the Head (Approving Body) of the approval decision.

5.3 Impartiality

STQC has formulated its policy and procedures in a manner that safeguards the objectivity and impartiality of its activities at all levels. All personnel involved in the approval process are required to sign a statement of impartiality. STQC committees comprise members selected on the basis of their technical competence and knowledge of the principles and processes of approval, in a manner that maximizes uniformity of interpretation and impartiality of judgement and maintains a balance of interests. The various committees of STQC have members from national standards bodies, regulatory bodies, government departments, approved laboratories, users who are technical experts in their own field, industry associations etc. The committees have been constituted in such a way that no single group dominates the decision-making process. STQC renders approval services in a non-discriminatory manner. These services are accessible to all applicant laboratories and assessment bodies irrespective of their size, legal status, ownership, degree of independence, membership of any association/group, or the number of CABs already approved in a particular field. On receipt of a completed application, the approval process is initiated for all applicant Conformity Assessment Bodies whose scopes of operation fall under the disciplines covered by STQC.


A uniform fee structure is maintained for all CABs, and the charges are set so that CABs are not denied participation in the approval process. All STQC officers and staff are governed by established professional ethical norms ensuring their impartiality in the discharge of assigned duties. They are required to sign a statement of impartiality and confidentiality. Assessors are trained in the assessor training course to act objectively and be impartial in conducting assessments.

5.4 Confidentiality

The STQC management system is documented and implemented in a manner that ensures the confidentiality of information related to approval activities at all levels. All documents and correspondence related to approval matters are kept confidential. All physical records are kept in safe custody, and computer records are accessible to authorized personnel only. The assessors, approval committee members and STQC officers and support staff are bound by a commitment to maintain confidentiality, through signed statements.

5.5 Liability and Financing

The liabilities of STQC may arise from legal proceedings initiated by approved CABs, users of approved laboratories or consumer associations, or through contractual liabilities. In all such cases STQC seeks advice from appropriate and competent legal consultants, and sufficient budget provision is made to deal with such situations. The financial requirements of STQC are met from the support provided by the Department of Information Technology, Government of India. The earnings from the approval services and other services, in terms of application fees, professional fees and annual fees etc., are deposited in the Consolidated Fund of India.

5.6 Approval Activity

STQC provides CAB approval services to software and system laboratories operating their management systems in accordance with ISO/IEC 17025:2005 "General requirements for the competence of testing and calibration laboratories". STQC also provides approval services to assessment bodies operating their management systems in accordance with the defined criteria. For providing these approval services, STQC operates its management system in accordance with the requirements of ISO/IEC 17011:2004. The specific criteria/guidance documents are drafted by the technical committee(s), which are constituted field/discipline-wise, with experts from the major groups of a field represented in the committee. The members of the committee are selected on the basis of their technical competence in the specific field under review and their knowledge of the approval process, with appropriate participation of interested parties. STQC also makes use of application and guidance documents published by international bodies such as European Accreditation, where appropriate, by adopting them or using them as a basis for formulating its own documents.

6. Approving Body's Management System

6.1 Management System

STQC's top management has defined and documented the Quality Policy, which is included at the beginning of this document. The overall quality objectives of STQC are given below; they take account of the needs of interested Conformity Assessment Bodies and industry associations and are consistent with STQC policies. These objectives form the basis for defining measurable quality objectives during the management review and are subject to periodic


review and monitoring. These also become the tool and the basis for continually improving the effectiveness of the management system. The objectives that are consistent with the policies of STQC are listed below:

i) To promote, implement and maintain an approval system for laboratories and assessment bodies in accordance with the relevant national and international standards, suitable for the country and responsive to changing needs.

ii) To provide timely approval services to applicant laboratories and assessment bodies

iii) To organize awareness programs on all aspects of laboratory approval by various means, including seminars and workshops.

iv) To prepare and maintain database of assessors and experts in testing and undertake regular monitoring of assessors.

v) To undertake appropriate training programs in support of laboratories and assessment bodies approval and related activities and for their improvement, like training of assessors and operation officers etc.

vi) To develop and operate mechanisms to deal with complaints as well as appeals against STQC decision on approval.

The quality policy and objectives are made available to the STQC secretariat. The policy aims and objectives are communicated to, and understood by, all persons in STQC for implementation and continued compliance. STQC ensures that effective communication takes place for the needs of the interested parties by:

• Providing information on its website and through mails
• Answering queries on time
• Conducting training programs, seminars, awareness campaigns etc.
• Reviewing and monitoring quality objectives based on feedback

STQC has adequate resources to cater to the volume of work covering the scope of this document. All approval related documents are available/accessible to all STQC officers for implementation in their areas of work. During the internal review meetings the work progress and effectiveness of implementation of STQC process is monitored. The Chairman Governing Body, appoints a member of STQC Team as Technical Operations Manager. The Technical Operations Manager, irrespective of his/her other responsibilities, has the responsibility and authority that includes-

a) establishment of the procedures needed for the management system;

b) reporting to the Chairman, Governing Body on the performance of the management system and any need for improvement.

6.2 Document Control

STQC has a system of controlling all internal and external documents that relate to its approval activity. The control system includes the following:

i) All internally generated documents that form part of the STQC Quality Management System are reviewed for adequacy and approved by authorized personnel before release. For documents of external origin, the controls pertain to their updating and controlled release.

ii) Documents are periodically reviewed and, when necessary, updated/revised to ensure continuing suitability and compliance of the system.


iii) Changes to documents are reviewed and approved by the same function that performed the original review, unless specifically designated otherwise.

iv) The Master List of all controlled documents is used to identify the current revision status of documents, to preclude the use of invalid and/or obsolete documents.

v) It is ensured that the relevant editions of documents are available at the point of use.

vi) All documents forming part of the management system are kept in legible condition and are uniquely identified.

vii) Controls are maintained by providing limited/restricted accessibility to safeguard the confidentiality of documents.

The detailed procedure for document control has been documented. Refer ITCERT/P05.

6.3 Records

STQC has a system of maintaining records wherever these are required to be maintained in compliance with the requirements of ISO/IEC 17011, and also where they are required as objective evidence of compliance to a procedure. The procedure for identification, collection, indexing, accessing, filing, storage, maintenance and disposal of records has been documented in ITCERT/P06.

Records maintained are:

i) Client (Applicant CAB) file containing the complete life cycle, with records limited to the last 3 years.

ii) List of qualified assessors, assessor and technical expert profiles and their empanelment records, and training records.

The retention period of records is limited to 3 years and a control list of records is maintained.

6.4 Non-conformities and corrective actions

Though all efforts are made to adhere to defined procedures and practices, there can be inadvertent or situational deviations/non-conformities. This section covers the identification and management of non-conformities in the operation of the CAB approval Scheme. These are identified through internal/external audits, feedback from laboratories, CABs, users of laboratories, assessors, committee members, complaint investigations etc. The procedure (ITCERT/P14) ensures that the non-conforming work is corrected and the cause of the non-conformity is determined. To eliminate the causes of non-conformities and to prevent recurrence, appropriate corrective actions are taken in a timely manner. If required, the effectiveness of the corrective action taken is reviewed. A record of all non-conformities and corrective actions taken is maintained. The trends in non-conformities and the status of corrective actions are reported in the management review meetings.

6.5 Preventive action

To identify opportunities for improvement and to take preventive actions to eliminate the causes of potential non-conformities, a procedure (ITCERT/P14) has been established. The procedure includes the sources for identification of areas for implementing preventive action, collection and analysis of data, and trend/risk analysis, based on which an action plan is drawn up for implementation. The information sources for preventive action could include, but are not restricted to, feedback from laboratories, CABs, assessors, approval committee members, users of laboratories, STQC staff and other bodies. A record of preventive actions taken is maintained. The effectiveness of the preventive action taken is reviewed. The status of preventive actions taken is reported in the management review meetings.


6.6 Internal audits

STQC has a system of conducting periodic internal audits once a year to verify that its management system and services conform to the stipulated requirements. An audit program is planned taking into consideration the importance of the processes and areas to be audited. The effectiveness of the corrective actions on the non-conformities of previous audits is also reviewed. The Quality Officer is responsible for the internal audit process. Audits are conducted by qualified personnel who are different from those who perform the activity to be audited and who are knowledgeable. The outcome of the audit is formally communicated to all personnel responsible for the area audited, via the audit report, for their timely and appropriate action. The audit report also includes information on opportunities for improvement, if identified. The results of internal audits are reported in Management Review Meetings. Refer ITCERT/P03.

6.7 Management Review

To ensure the effectiveness of the system, management reviews the whole system in terms of the adequacy of its definition, in the context of the current environment, and its implementation compliance. Management also discusses whether the system is capable of meeting its objectives and the relevance of the objectives. The Director, STQC IT Services (Head Approving Body) conducts the management review of the STQC management system covering all the input elements described in the procedure (ITCERT/P04). The review includes current performance and improvement opportunities, where available, for the review elements identified. The resolutions/actions for implementation arising out of the management review shall address:

a) improvement of the management system and its processes/services;

b) approval processes in conformity with relevant standards and the expectations of interested parties;

c) defining or re-defining the policies, goals and objectives;

d) the requirement for additional resources.

6.8 Complaints

STQC is open to receiving complaints about any of the activities performed by its officials, assessors and the approved laboratories and assessment bodies. The Conformity Assessment Bodies and the assessors are informed about this policy. All complaints are acknowledged and, after investigation, the complainant is informed about the outcome of the complaint. All complaints and the actions taken are recorded. The complaint handling procedure (ITCERT/P08) includes a system for establishing the validity of the complaint, taking appropriate actions and assessing their effectiveness, and suitable correspondence with all the parties involved, including the complainant.

7 Human Resources

7.1 Personnel associated with the approval body

STQC Directorate, comprising the Director, STQC IT Services (Head Approving Body), the Technical Operations Manager and support staff, is involved in the approval activities of CABs for eGovernance. All the officers and support staff are full-time employees of STQC. The officers have the requisite academic qualifications, knowledge and experience in the operations of CABs as well as in approval procedures. The Director, STQC IT Services (Head Approving Body) is responsible for administering and managing the approvals. A job profile of all STQC officers and support staff is available in the personnel records. STQC has empanelled Lead Assessors and Technical Assessors for all fields/disciplines covered in the scope of CAB approval. All Lead Assessors and Technical Assessors have vast experience in laboratory/CAB or related activity and are empanelled through a contractual agreement. In case of new and emerging areas, STQC has access to other experts from laboratories, industry or related organizations, both national and international. All STQC employees involved in CAB approval activities are required to sign a statement on maintaining confidentiality and impartiality, which includes independence from commercial and other interests or any association with laboratories/CABs. All Lead Assessors and Technical Assessors are required to sign a contract with STQC which specifies the terms and conditions of their empanelment. The contract contains a declaration in respect of independence and impartiality, as well as a confidentiality statement.

7.2 Personnel involved in the approval process

STQC selects its employees, assessors and approval committee members for the operation of its approval system based on their qualification, experience and competence. All officers involved in CAB approval activity receive training when the applicable standards get revised. Training programmes are organized by STQC for its approval officers in specific fields based on requirements. The officers are also encouraged to attend training courses conducted by reputed national and international organizations.

STQC Assessors: The minimum qualification requirements for assessors are a bachelor's degree in engineering or a master's degree in science and a minimum of five years' working experience in the relevant field of conformity assessment (software testing/audits) at supervisory level and above.

Approval committee members: The desired qualification requirements for members of the approval committee are a minimum of a bachelor's degree in engineering or a master's degree in science and a minimum of fifteen years' working experience in the relevant field of testing in a senior position. The members are selected based on their technical competence, knowledge of the principles and processes of approval, and past performance as Assessors or committee members.

7.3 Monitoring

All the assessors, both for ITLs and assessment bodies, are monitored through observation and witnessing, and records are maintained as per ITCERT/F03.

8 Approval Process

8.1 Approval Criteria and Information

The approval criteria against which conformity assessment bodies are approved by STQC are given in the following documents:

i.) QAF-02-05-08 criteria document for approval of independent test laboratories (software and system testing)

ii.) QAF-02-05-09 criteria document for approval of independent assessment bodies

General information regarding STQC and the procedure followed for the approval process and related activities is made available to the public through the STQC website, www.stqc.nic.in; the website also provides the list of approved Conformity Assessment Bodies. The Guidance document to applicants for approval of Conformity Assessment Bodies for eGovernance (QAF-02-05-03) provides the necessary information in consolidated form to applicants.


8.2 Application for approval

The applicant Conformity Assessment Bodies are required to make an application (QAF-02-05-06) duly signed by an authorized representative. The applicant should submit the application along with quality system documentation and the prescribed fee as specified in the schedule of charges (QAF-02-05-04). The applicant shall also submit two copies of the certification agreement (QAF-02-05-05) duly signed; one copy will be returned after signature by the authorized representative of STQC.

The detailed review for the adequacy of the application and the quality management system documentation submitted by the Conformity Assessment Body is carried out by the STQC-designated lead assessor for that particular project, and a detailed report is submitted to the approving body.

8.3 Resource Review

To conduct the assessment of the applicant, the approving body reviews the resource requirement depending on the size and complexity of the applicant organization, the technology areas and the geographical location. Accordingly, a team of assessors led by a lead assessor is assigned to the project.

8.4 Subcontracting the Assessment

At present STQC does not do any subcontracting.

8.5 Preparation for Assessment

STQC has a system of conducting a pre-assessment visit of the CAB before the initial assessment. At present this is optional.

Pre-assessment: STQC assessors are permitted to conduct pre-assessments. There are two situations when a pre-assessment may be conducted:

• When the lead assessor finds major gaps in the Conformity Assessment Body's quality manual, or actually begins the assessment and finds a large number of problems. In this case, the assessor identifies them and suggests to the CAB that a full assessment should wait until the problems have been addressed. This first identification of the problems would be considered a pre-assessment; or

• When the CAB requests a pre-assessment to better prepare for the final assessment. In this case, the CAB has applied, but is unsure of its documentation or system and wants someone to perform a pre-assessment to identify problems. The full assessment follows later.

To implement the pre-assessment program, the CA body must first apply for approval, paying the appropriate fees. A lead assessor, with the CA body's concurrence, is assigned. If, in the preliminary discussions between the CA body and the assessor, the CA body concludes that it is in its interest to have a pre-assessment, it informs the assessor. The assessor notifies STQC that the CA body wants a pre-assessment. The professional charges for the pre-assessment are the same as the regular assessment charges, and can be deducted from any fee deposits held on account at STQC. Careful attention to the requirements should preclude the need for a pre-assessment.

Delayed Assessment Policy: If a CA body fails to undergo its full assessment within one year from receipt of the application at STQC headquarters, the CA body is prompted by STQC to take action. If no action is taken within thirty (30) days of that reminder, the CA body is required to begin the application process again and pay the approval fees in effect at that time. Any fees paid with the initial application will not be refunded.

Policies with respect to Branch Systems: If applicant CABs are applying as a multi-facility CA body system, a separate application must be completed for each CAB (ITL or assessment body) location. CABs applying as a branch CAB shall follow the following conditions:

• All application, renewal of approval and annual review processes must be coordinated through one central person, the Corporate Representative;
• All fee payments and invoices must be coordinated through the Corporate Representative;
• All Conformity Assessment Bodies within a single branch system must have the same anniversary date;
• All CABs within a single branch system are given related certificates.

This central coordination and arrangement within the STQC database allows for greater efficiency in handling the various processes. No discount on fees is offered to branch Conformity Assessment Bodies. For large branch systems, this central coordination can become cumbersome, and all branch bodies within the system are often unable to complete the various processes (renewals and annual reviews) by the same anniversary date or deadline. There are two options; one is choosing not to apply as a branch system and, instead, applying as independent facilities. Each CA body would then be given a separate anniversary date as well as an independent certificate number. In addition, all annual review and renewal paperwork and invoices would be sent to the individual Conformity Assessment Body contacts instead of a corporate representative. Each CAB would be responsible for the initial application fee and the full annual fee for each year of approval maintenance.

8.6 Document and record review

The adequacy of documentation is reviewed by the lead assessor before proceeding to the on-site pre-assessment/assessment visit. Further, even during the on-site assessment, the Lead Assessor/Technical Assessors/Experts are required to review the documents to evaluate their conformity with the criteria (e.g. ISO 17025 for laboratory approval) as applicable, the relevant specific criteria documents and other STQC requirement documents, and to report the status suitably in the assessment report. If there are gross non-conformities reported by the team member(s), it may be decided not to proceed with the on-site assessment, and the non-conformities are reported in writing to the Conformity Assessment Body.

8.7 On-site Assessment

The procedure for conducting the on-site assessment is detailed in QAF-02-05-08 and QAF-02-05-09, which includes the procedure for conducting an opening meeting. During this meeting, where the assessment team and the key personnel of the Conformity Assessment Body are present, the team explains to the CAB the purpose of the assessment, the approval criteria and the assessment schedule, and the scope of approval is confirmed. The Team Leader identifies a representative sample for witnessing; the basic principles of sampling are followed to make it representative considering the applied scope. This also covers sampling for witnessing the performance of a representative number of staff of the laboratory/organisation, to provide assurance of the competence of the organisation across the scope of approval.

8.8 Analysis of findings and assessment report

The assessment team is required to analyse all relevant information and evidence gathered during the document and record review and the on-site assessment. Based on this, the team is required to determine the extent of competence and ascertain whether the work of the organisation/laboratory is being performed in accordance with the assessment criteria. Areas of improvement, if observed, are required to be summarized and presented by the assessment team to the management during the closing meeting; however, assessors are made aware of the fact that the improvements suggested are merely for making the organisation/laboratory understand the requirements of the standard and should not amount to offering any consultancy.


When the assessment team needs clarification/interpretation on any aspect, or if a conflict arises between the assessment team and the organisation/laboratory, there is provision for referring the matter to STQC. The STQC procedure for conduct of assessment requires that a closing meeting between the assessment team and the CAB management takes place. During the closing meeting the assessment team briefs the CAB about the findings of the assessment and provides clarifications on the queries raised by the CAB. A written report is prepared, consistent with the proceedings of the assessment. STQC remains responsible for the contents of the assessment report, including non-conformities. The STQC procedure ensures that the responses of the CAB to resolve the non-conformities raised by the assessment team are reviewed to verify their adequacy and effectiveness. If required, additional information is called for. The closure of non-conformities is done either on the basis of a review of evidence of effective implementation of corrective actions or through a follow-up visit, as appropriate. The assessment report is forwarded to the approval committee through the secretariat. The Approval Committee is provided with adequate information to take a decision regarding the recommendation for grant, reduction, extension, maintenance or withdrawal of approval. This includes the unique identification of the CAB, the dates of the on-site assessment, the names of the assessors/experts involved in the assessment report, a statement on the adequacy of the internal organisation, information on the resolution of all non-conformities, and any other relevant information. Based on the recommendation of the approval committee, the Head of the approval scheme takes the decision on approval.

8.9 Decision-making and granting approval

The STQC Secretariat analyses the assessment report received from the assessment team; if required, it seeks further information and, when fully satisfied, prepares a summary. STQC organizes approval Committee meetings at regular intervals. All cases where the assessment of the CAB has been conducted and the non-conformities, if any, raised by the assessment team have subsequently been closed are placed before the approval committee for a recommendation on the decision. STQC does not have any policy of making use of assessments already performed by another approving body in its decision-taking system. The decision regarding approval is taken by the Head of Scheme based on the recommendation of the approval Committee. An approval certificate with a unique identification number is then issued to the CAB. The certificate contains all relevant information including scope (QAF-02-05-07).

8.10 Appeals

STQC has established a policy and procedure for dealing with appeals from CABs against its own decisions. The cases may involve refusal of approval or scope reduction for an applicant, or suspension or forced withdrawal of a CAB's approval. The appeals procedure includes the appointment of an independent individual/Appeals Committee to decide the validity of the appeals received. An officer of STQC has been nominated to inform the CAB of the final decision and to take follow-up actions, if required.


8.11 Reassessment and surveillance

Surveillance and reassessment procedures are consistent with the initial approval procedures. The experience gained during previous assessments is taken into account for future assessments.

STQC grants approval to a CAB for a period of 3 years. STQC conducts an annual surveillance and a re-assessment every three years. Surveillance is conducted on site. After the grant of approval, a plan is prepared for conducting the surveillance and re-assessment of the CAB. The plan is designed to ensure that, for each approved CAB, representative samples of the scope of approval are assessed during re-assessment. Where the approval scope is very large, the plan covers the entire scope over a period of two approval cycles. During surveillance or re-assessment, when non-conformities are identified, the CAB is given a maximum of two months to take corrective actions and implement them. After the surveillance, the CAB is informed by STQC in writing about the decision on continuation of approval. After the re-assessment visit, if the approval is renewed, a new certificate bearing the old approval number and a new validity period is issued. STQC may also conduct a special surveillance visit as a result of complaints or changes affecting the CAB's operations.

8.12 Extending approval

The CAB can, at any time during the approval cycle, request an extension of scope within already approved field(s)/disciplines or to include new field(s)/disciplines. STQC has a policy of either conducting a special assessment visit or clubbing it with the forthcoming assessment visit. The procedure to be followed is the same as that for the initial assessment, except that the adequacy audit and pre-assessment are not carried out.

8.13 Suspending, withdrawing or reducing approval

When the CAB fails to meet the requirements of approval or the terms and conditions of maintaining approval, the approval can be suspended or withdrawn, or its scope reduced. The scope is also reduced when the CAB itself asks for a reduction in its scope of approval.

8.14 Records on CABs

STQC has a system of maintaining all records on CABs to demonstrate that the requirements for approval and competence have been effectively fulfilled. These records are regularly updated by the concerned officers. STQC has a policy and system for keeping all records pertaining to CABs secure, to ensure confidentiality. Hard copies of all records related to each CAB are available in the respective CAB files. Each record is identified by a unique identification number, and the number is displayed on the file. The files are stored at an appropriate place and properly indexed. These records are kept in safe custody under lock and are accessible to authorized staff of STQC. The records for a CAB include the relevant correspondence, the last two assessment reports, minutes of approval committee meetings, approval decisions and copies of the approval certificates issued to the CAB.


9 Reference to approval and use of symbols

CABs approved by STQC are permitted to use the STQC symbol as a mark indicating their approval status. The approved CAB is neither allowed to make misleading or unauthorized statements regarding its approval, nor to use it to imply that a product, process, system or person is approved by STQC. The approved CAB is required to take due care to prevent the use of its report/certificate, or any part thereof, in a misleading manner. An approved CAB, upon expiry, suspension or withdrawal of its approval, is required to discontinue use of all advertising matter that contains any reference to an approved status.

10 DISCLAIMER

1. The approval services and the results thereof are provided on an AS IS basis without warranty of any kind. STQC disclaims any and all warranties, express or implied, including without limitation any warranties of merchantability or fitness for a particular purpose with respect to the approving services and the results of our assessments.

2. In no event shall STQC or any of their respective officers, directors, subsidiaries, parents or affiliates be liable to anyone claiming through Supplier, for any special, indirect, incidental or consequential damages of any kind or for any damages whatsoever resulting from reliance on the test results.

3. The terms and conditions specified in the scheme represent the entire agreement between Supplier and STQC relating to approving services and the assessment results thereof. In case of any dispute, the decision of the Appellate Authority, i.e. the Chairman, Governing Body, shall be final and binding. The reports of STQC shall not be produced in any court of law, as they shall be issued only for the purpose of recognizing Conformity Assessment Bodies. Conformity Assessment Bodies' rights and obligations arising under this agreement cannot be assigned, transferred or delegated to any other person.

4. The scheme is in no way a replacement for accreditation of test laboratories operated by the National Accreditation Board of Laboratories (NABL). The scheme is being operated with the limited objective of identifying competent and reliable Conformity Assessment Bodies (Independent Test Laboratories and Assessment Bodies) for evaluating the Quality of eGovernance Solutions.


Annexure I

Guidelines for the use of rules and procedures

I) Guidelines on Impartiality

A Conformity Assessment Body may, in so far as the law permits, limit its service to applicants operating in a defined geographic region, or it may limit its service to organizations operating within the technical sector, or a part of a sector, in which the Conformity Assessment Body has its approved scope. The senior executive, staff and/or personnel of the organization need not necessarily be full-time personnel, but their other employment shall not be such as to compromise their impartiality. Impartiality can only be safeguarded by a structure that enables the participation of all parties significantly concerned in the development of policies and principles regarding the content and functioning of the assessment system. The structure required for safeguarding impartiality shall be separate from the established management, unless the entire management function is performed by a committee or group that is constituted to enable participation of all parties. There should be a system to counteract any tendency on the part of the owners of a certification/registration body to allow commercial or other considerations to prevent the consistent, technically objective provision of its service. This is particularly necessary when the finance to set up an assessment/certification/registration body has been provided by a particular interest which predominates in the shareholding and/or the board of directors. It is required that the documented structure of the assessment body has built into it provision for the participation of all the significantly concerned parties. This should normally be through some kind of committee. This structure shall be formally established at the highest level within the organisation, either in the documentation that establishes the assessment body's legal status or by some other means that prevents it being changed in a manner that compromises the safeguarding of impartiality.

Any change in this structure should take into account advice from the committee, or equivalent. Judgment is required to ensure all parties significantly concerned in the system are able to participate. What is essential is that all identifiable major interests should be given the opportunity to participate, and that a balance of interests, where no single interest predominates, is achieved. Where one sector (e.g. government, industry etc.) provides more than one individual to represent separate aspects of the sector's interests, the fact that they come from the one sector deems them to constitute a single interest. The members should normally be chosen at least from among representatives of the following groups: government, industry, consumers, NGOs. For practical reasons there may be a need to restrict the number of persons. On request of the committee or equivalent, the management responsible for the various functions described should provide all the necessary information, including the reasons for all significant decisions and actions, and the selection of persons responsible for particular activities in respect of assessment, to the committee or equivalent, to enable it to ensure proper and impartial assessment. If the advice of this committee or equivalent is not respected in any matter by the management, the committee or equivalent shall take appropriate measures, which may include informing the approval body (STQC).

II) Guidelines on Legal Entity


Approval shall only be granted to a body which is a legal entity, and will be confined to declared scopes, activities and locations. If the assessment activities are carried out by a legal entity which is part of a larger organisation, the links with other parts of the larger organisation shall be clearly defined and should demonstrate that no conflict of interest exists. Relevant information on activities performed by the other parts of the larger organisation shall be given by the assessment body to the approving body (STQC). The requirement to demonstrate that an assessment body is a legal entity means that if an applicant assessment body is a division within a larger legal entity, approval shall only be granted in the name of the larger legal entity. In such a situation, relevant functions of the legal entity may be subject to audit by the approving body in order to pursue specific audit trails and/or review records relating to the assessment body. The part of the legal entity that forms the actual assessment body may trade under a distinctive name, which should appear on the approval certificate. Assessment bodies which are part of government, or are government departments, will be deemed to be legal entities on the basis of their governmental status. Such bodies' status and structure shall be formally documented.

III) Guidelines on Financial Stability

The requirement for financial stability requires the assessment body to demonstrate that it has a reasonable expectation of being able to continue to provide the service in accordance with its contractual obligations. Assessment bodies are responsible for providing the approving body (STQC) with sufficient evidence to demonstrate viability, e.g. management reports or minutes, annual reports, financial audit reports, financial plans. The approving body (STQC) will not attempt any direct audit of the financial accounts of assessment bodies.

IV) Guidelines on Conflict of Interest

If the assessment body and an applicant or approved organisation are both part of the same or a related organisation, they should not report directly to a person or group having operational responsibility for both. The assessment body shall, in view of the impartiality requirement, be able to demonstrate how it deals with such a case. There are two separate requirements: firstly, the assessment body shall not under any circumstances provide services which constitute a conflict of interest; secondly, although there is no specific restriction on the services or activities a related body may provide, these shall not affect the confidentiality, objectivity or impartiality of the assessment body. Consultancy is considered to be participation in an active, creative manner in the development of the system (ISMS, ITSM, etc.) to be assessed, for example by:

a) preparing or producing manuals, handbooks or procedures;

b) participating in the decision-making process regarding management system matters;

c) giving specific advice towards the development and implementation of management systems for eventual certification/registration/assessment.

Impartiality and independence of the assessment body is assured at three levels:

a) Strategic and policy

b) Decisions on approval/reporting of compliance

c) Auditing.

Assessment bodies may carry out the following duties without them being considered as consultancy or necessarily creating a conflict of interest:


a) certification/registration, including information meetings, planning meetings, examination of documents, auditing (not internal auditing) and follow-up of nonconformities;

b) arranging and participating as a lecturer in training courses, provided that where these courses relate to environmental management, quality management, occupational safety management, information security management or other related management systems or auditing, they should confine themselves to the provision of generic information and advice which is freely available in the public domain, i.e. they should not provide company-specific advice;

c) making available or publishing on request information on the basis for the certification/registration body’s interpretation of the requirements of the assessment standards;

d) activities prior to audit aimed solely at determining readiness for assessment; since the stage 1 audit includes an evaluation of readiness for further assessment activity, assessment bodies should exercise extra vigilance to assure that any additional pre-assessment activities do not result in the provision of recommendations or advice that would contravene the intent of assessment. The assessment body should be able to confirm that such activities do not contravene these provisions and that they are not used to justify a reduction in the eventual assessment duration;

e) performing second- and third-party audits according to standards or regulations other than those forming part of the scope of approval;

f) adding value during assessments and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident, during the audit without recommending specific solutions.

Consultancy by a related body and certification/registration assessment should never be marketed together, and nothing should be stated in marketing material or presentation, written or oral, to give the impression that the two activities are linked. It is the duty of the assessment body to ensure that none of its clients is given the impression that the use of both services (certification/registration and consultancy) would bring any business advantage to the client, so that the assessment remains, and is seen to remain, impartial. Nothing should be said by an assessment body that would suggest that assessment would be simpler, easier or less expensive if any specified consultancy or training services were used.

V) Guidelines on Related Body

A related body is one which is linked to the assessment body by common ownership or directors, contractual arrangements, common elements in the name, informal understanding or other means, such that the related body has a vested interest in the outcome of an assessment or has a potential ability to influence the outcome of an assessment. The assessment body should analyse and document the relationship with such related bodies to determine the possibilities for conflict of interest with the provision of assessment, and identify those bodies and activities that could, if not subject to appropriate controls, affect confidentiality, objectivity or impartiality. Assessment bodies shall demonstrate how they manage their assessment business and any other activities so as to eliminate actual conflict of interest and minimize any identified risk to impartiality. The demonstration shall cover all potential sources of conflict of interest, whether they arise from within the assessment body or from the activities of related bodies. The approving body will expect assessment bodies to open up these processes for audit. This may include, to the extent practicable and justified, pursuit of audit trails; account should be taken of the assessment body’s history of impartial assessment. If evidence of failure to maintain impartiality is found, there may be a need to extend the audit trail back into the related bodies to provide assurance that control over potential conflicts of interest has been re-established. People who have provided consultancy, including those acting in a managerial capacity, should not be employed to conduct an audit as part of the assessment process if they have been involved in any consultancy activities towards the organisation in question, or any company related to that organisation, within the last two years. Situations such as an employee’s involvement or previous involvement with the organisation being assessed may present individuals involved in any part of the assessment process with a conflict of interest. The assessment body has a responsibility to identify and evaluate such situations and to assign responsibilities and tasks so as to ensure that impartiality is not compromised.

VI) Guidelines on Subcontracting

The assessment body should require all assessment sub-contractors or external assessors/auditors to give undertakings regarding the marketing of any consultancy services. The assessment body should be responsible for ensuring that neither related bodies, nor sub-contractors, nor external assessors/auditors operate in breach of the undertakings that they have given. It should also be responsible for implementing appropriate corrective action in the event that such a breach is identified. The Approving Body (STQC) will issue a certificate or “statement of compliance” on the basis of an assessment carried out by another body provided that the agreement with the subcontracted body requires it to comply with all the requirements. Assessments carried out by subcontracted bodies shall give the same confidence as assessments carried out by the approving body itself. Evaluation of the audit report and the decision on certification/registration or “statement of compliance” shall be made only by the approving body (STQC) itself, and not by any other assessment body. Where joint assessments are undertaken, the approving body (STQC) shall satisfy itself that the whole of the assessment has been satisfactorily undertaken by competent assessors/auditors. The subcontracting requirement does not mean that the consent of the organisation under assessment is required in the case of subcontracting of administrative activities (such as co-ordination/management activities of the assessment body).

VII) Guidelines on Assignment for a Specific Assessment

It is a condition of approval of an assessment body that adequate resources can be deployed to conduct audits meeting the requirements. The assessment body’s procedures shall ensure that personnel employed to assess organizations are competent in the field in which they are operating. Personnel responsible for managing audits shall be identified and their competencies documented. In certain instances, particularly where there are critical requirements and special procedures, the background knowledge of the audit team may be supplemented by briefing, specific training or technical experts in attendance. The assessment body may attach non-auditor experts to its audit teams. If a body uses technical experts, its systems shall include details of how technical experts are selected and how their technical knowledge is assured on a continuing basis. The assessment body may rely on outside help, for example from industry or professional institutions.

VIII) Guidelines on Use of Technical Experts

Technical experts with specific knowledge regarding the process and technical issues (in ISMS or ITSM) and legislation affecting the organization, but who do not satisfy all of the above criteria, may be part of the audit team. Technical experts would not function independently.

IX) Guidelines on the Definition of Site

Where it is not practicable to define a location (e.g. for services), the coverage of the certification/registration should take into account the organization’s headquarters activities as well as delivery of its services. Where relevant, in special cases, the certification/registration body may decide that the certification/registration audit will be carried out only where the organization delivers its services. In such cases the interfaces with its headquarters should be audited.

Multi-Site

This guidance addresses the situation where an organization has activities under the control of a single conformity assessment system which operates across a number of geographical locations.

Assessment can be done covering multiple sites provided that each site included in the scope of the approval has been either:

a) individually audited by the assessment body, or

b) included in a sample-based approach (see below).

Sample based approach

Assessment bodies wishing to use a sample based approach to the assessment of sites with similar activities need to maintain procedures which include the full range of issues below in the building of their sampling programme.

The methodology and procedures which the assessment body employs to manage multi-site assessment should be approved by STQC, and the assessment body should provide demonstrable evidence of how these take account of the issues below.

The procedures should ensure that the initial contract review identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined.

Where an organization has a number of sites with similar activities covered by a single management system, a “statement of conformity” may be issued to the organization to cover all such sites provided that:

(a) all sites are operating under the same management system, which is centrally administered and audited and subject to central management review, and

(b) all sites have been audited in accordance with the internal audit procedure(s), and

(c) a representative sample of sites has been audited by the body, taking into account the factors below:

• the results and reports of internal site and central management system/process audits
• the results of management review
• maturity of the management system
• any existing knowledge of the organization
• variations in the size of the sites
• complexity of the defined management system (ISMS, ITSM, ….)
• complexity of the sites
• any shift working
• variations in working practices
• repetitiveness of functions
• variations in activities undertaken
• the spread of the organization’s personnel over the sites
• the significance and extent of the risks and associated impacts
• differing legal, regulator or policy driven requirements
• the view of interested parties, and

(d) the sample should be partly selective, based on (c) above, and partly non-selective, and should result in a range of different sites being selected, without excluding the random element of site selection, and

(e) in case of certification by STQC, the surveillance programme should include visits to the organization’s head office, be designed in the light of the above factors and should, within a reasonable time, cover all the sites of the organization in accordance with the certification body’s sampling method, and

(f) in the case of a nonconformity being observed either at the head office, or at a single site, of an organization with an assessment covering multiple sites, the corrective action procedure should apply to all applicable sites covered by the assessment.

X) Guidelines on Independence of Conformity Assessment Body

The Conformity Assessment Body shall be independent of the parties involved. The CAB, and its staff responsible for carrying out the conformity assessment, shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the artifacts/items for which they assess the conformity, nor the authorized representative of any of these parties. The CAB and its staff shall not engage in any activities that may conflict with their independence of judgment and integrity in relation to their conformity assessment activities. In particular, they shall not become directly involved in the design, manufacture, supply, installation or use of the items/artifacts/systems assessed, or similar competitive items. A clear separation of the responsibilities of the CAB personnel from those of the personnel employed in other functions shall be established by organizational identification and the reporting methods of the CAB within the parent organization. The CAB shall provide safeguards within the organization, by organization and/or documented procedures, to ensure adequate segregation of responsibilities and accountabilities in the provision of conformity assessment services.

QAF02-03

June 2010

Conformity Assessment Requirements - Administration

Guidance to Applicant for approval of Conformity Assessment Bodies for eGovernance

Scheme for Approval of Conformity Assessment Bodies for eGovernance

STQC Directorate, Department of Information Technology


INDEX

1. Background

2. Introduction

3. Purpose

4. Definitions

5. Target Audience

6. Scope

7. Approach and Process

8. Basic Principles

9. Approval Process

10. Procedure for Conformity Assessment Body (CAB) Approval

11. Disclaimer

Appendix 1: Recognition Process

Appendix 2: Approval Framework


Scheme for recognizing Conformity Assessment Bodies for eGovernance

1.0 Background:

eGovernance systems are quite complex in nature and incorporate various components like technology, engineering, management, finance, governance and civil society. Because of these complexities, delivery of service by electronic means is a challenge to administrators. To realize the process of e-service delivery, State and local governments generally struggle to procure IT systems. Rules of public procurement (GFR) demand transparency, technological neutrality, and maintaining strategic control with Government. This requires evidence regarding “what is being delivered” versus “what was agreed”. There is a need for an institutional mechanism to know the degree of compliance of the delivered solutions with the Request for Proposal.

A framework, CARE (“Conformity Assessment Requirements”), has been developed to fulfill this necessity. This five-part document is structured as:

1 CARE: Requirements

2 CARE: Specifications

3 CARE: Evaluation Models

4 CARE: Certification Schemes

5 CARE: Administration

Part 5 of the series, CARE: Administration, provides information about the procedure for recognition of the Conformity Assessment Bodies which are interested in taking part in the eGov Conformity Assessment Programme. This document provides guidance to applicants interested in applying for approval as a recognized Conformity Assessment Body for eGovernance.

2.0 Introduction:

Conformity assessment procedures provide a means of ensuring that the products, services, or systems produced or operated have the required characteristics, and that these characteristics are consistent from product to product, service to service, or system to system. The concept of “conformity assessment” is concerned with “fulfillment of specified requirements”. Conformity assessment against standards or normative documents which were known and agreed in advance leads to the development of a sound relationship between the solution provider and the acquirer of IT (Govt. Department). The basis of a healthy ecosystem between IT supplier and IT buyer is objective evaluation of the solution against the agreed acceptance criteria in a transparent and rational way.

Testing is one of the most common forms of conformity assessment and is also one of the most essential ones. Testing, used as a generic term, includes activities like sampling, testing, measurement and calibration. The other conformity assessment activities required for accepting eGov solutions are inspection, review, evaluation and certification.

As a consequence, testing centres and laboratories have to demonstrably operate at an internationally acceptable level of competence. The general requirements for test laboratories to be considered competent to carry out software/IT product testing are specified in the International Standard ISO/IEC 17025:2005. Similarly, other conformity assessment bodies, such as assessment bodies, shall also operate against internationally agreed requirements and ISO 17020 principles.

3.0 Purpose, objective and goal

Purpose

To define the administrative procedure and requirements for “conformity assessment bodies” to get recognized as competent bodies to assess, test and evaluate an e-Governance solution (or part of it, as defined in the Scope) under the National e-Governance Programme. This will help in creating a national conformity assessment infrastructure, a competitive market and improvement in the quality of e-Governance systems.

Objective

• To proliferate Quality Assurance of eGovernance by making it market driven and self-sustaining

Goal

• Citizens should get Quality assessed eGovernance Services and have high confidence in eGovernance system

4.0 Definitions

Approving Body

The body which provides approval of independent test laboratory and assessment body with respect to published standards and any supplementary documentation required under the system.

The approval is provided for reliability and competence of Conformity Assessment Bodies (independent test laboratory and assessment body) by STQC for the purpose of evaluating Quality of eGovernance Solution.

Registration

Inclusion of the Conformity Assessment Body’s particulars and field of assessed capability by the Approving Body in an appropriate register or list available in the public domain.

Conformity Assessment Body: A body engaged in performing activities concerned with determining, directly or indirectly, that requirements are fulfilled, in a professional way.

Two types of Conformity Assessment Bodies are required for evaluating Quality of eGovernance Solutions-

a) Independent Test Laboratory

b) Independent Assessment Body


Independent test laboratory (for eGovernance)

A laboratory, independent of the interest of the software design and development organization, that has been recognised by STQC to conduct specific categories of tests on the applications to be used for eGovernance purposes.

Independent Assessment body

A body, independent of the interest of the solution provider organization, that has been recognised by STQC to conduct specific categories of assessments (e.g. Information Security Management System, IT Service Management etc.) for eGovernance purposes.

Demonstration of Independence

Independence can be demonstrated from the viewpoint of financial and administrative independence. The conflict of interest between various roles in the organization should be defined, and the necessary controls to ensure sufficient insulation between interested and influencing bodies need to be documented and demonstrated in the organization structure.

5.0 Target Audience:

The scheme has been designed for -

a) Professionally independent bodies in the business of software and system testing

b) Assessment bodies engaged in the business of assessment of management systems, processes and infrastructure.

6.0 Scope:

The scope of the two categories is defined as:

a) IT (Software and System) Test Laboratories covering-

i. Functional Testing

ii. Usability Testing

iii. Application Security Testing

iv. Performance Testing

v. Reliability/Availability Testing

vi. Maintainability Testing (Application)

vii. Portability Testing (Application)

viii. Configuration & Compatibility Testing

ix. Code review

x. Network Testing (Performance)

xi. Network Testing (Security)

xii. National requirement of Website Quality

b) Independent Assessment and evaluation bodies with the following scope:

i) Assessment of Information Security Management System (ISMS-ISO 27001)


ii) Assessment of Information Technology Service Management System (ITSM-ISO 20000-1)

iii) Assessment of Quality Management in Public Service Organization (IS 15700)

iv) Assessment of System & Software Life Cycle Processes (ISO 12207)

v) IT and non IT infrastructure Audit

7.0 Approach and process

The eGovernance Conformity Assessment System should be credible to ensure that test and assessment results are repeatable, reproducible and reliable. To maintain the credibility of the scheme it is essential that the scheme is administered in a professional way and protects the interests of its stakeholders. To achieve this, management and operation controls are required to be applied both by the approving body (STQC) and the candidate Conformity Assessment Body. The following procedures govern these controls:

Quality Management System, procedure and Criteria followed by approving body (STQC) are described in product manual and the procedures. (QAF02-05-01 June2010)

Quality Management System, procedure and Criteria to be followed by applicant Conformity Assessment Body are described in document (QAF02-05-03 June2010)

The criteria and requirements both for approving body (STQC) and applicant Conformity Assessment Body are based on following Standards:

o ISO/IEC 17011: 2004 Conformity Assessment-General requirement for accreditation bodies accrediting conformity assessment bodies

o ISO/IEC 17020: 1998 General criteria for the operation of various types of bodies performing inspection

o ISO/IEC 17025: 2005 General requirements for the competence of testing and calibration laboratories

Responsibilities

Approving Body(STQC)

STQC is the responsible nodal agency managing the Conformity Assessment activities and maintaining a system to approve Conformity Assessment Bodies for eGovernance.

Conformity Assessment Bodies (CAB)

Software and System Test Laboratories are responsible for providing IT system testing facilities in a reliable and professional way and for providing CA services to Government/Service Providers.

Assessment bodies are responsible for providing management system (Quality, security, IT service, processes) assessment.

Buyer of Services of Conformity Assessment Bodies


For eGovernance purposes, the services of Conformity Assessment Bodies may be required by:

a) Public Service Organisation (Govt. Department/Ministry/Local Body or project management unit of these).

b) Solution provider

as defined under the “Responsibility” clause in the Request for Proposal or Contract Agreement. Any of these can approach the recognized Conformity Assessment Body as acquirer (buyer) or supplier.

8.0 Basic Principles

The basic principle for participation in this scheme is non-discrimination. Conformity Assessment Bodies of various sizes, scopes and natures (Government and private) can participate in the Scheme, which will enable them to bid for eGovernance Conformity Assessment activities. Getting recognized as an “Approved Conformity Assessment Body” with a defined scope does not preclude them from doing other business, except where a conflict of interest exists.

Conformity Assessment Bodies recognized against the same standard and criteria are not to be discriminated between from the viewpoint of competency, processes or infrastructure, as compliance with the minimum level of quality is ensured. However, different conformity assessment bodies have different policies, organizational structures, resources, practices, business models and scopes of approval. It is for the buyer of services and the Conformity Assessment Body to agree the terms of reference (for payment purposes) for availing of the services of the CAB. There may be cases where a buyer has to go to a number of assessment bodies because of the different approved scopes and specialized areas which the CABs possess.

9.0 Approval Process

• Application: The interested Conformity Assessment Body shall apply to STQC in the prescribed application format (QAF-02-05-06) along with the application fee and documentation (quality manual, procedures etc.).

• Review of System Definition: STQC will review the system definition by checking the documentation for its adequacy, accuracy, completeness, correctness, traceability and document control. In case any clarification is needed, STQC will approach the applicant CAB.

• Assessment: Once satisfied, STQC will carry out an audit of the Conformity Assessment Body (independent testing agency or auditing body/assessment body, as applicable), which will be empanelled against established criteria to work as an approved Conformity Assessment Body (CAB) with a scope defined by STQC. The audit criteria are given in the following documents:

QAF02-05-08 (June 2010) - criteria document for approval of independent test laboratory

QAF02-05-09(June 2010) - criteria document for approval of independent assessment body


• Approval: After satisfactory assessment of the Conformity Assessment Body, a certification committee will evaluate the assessment report.

o Solution Providers can get their solution assessed against the RFP by any of the empanelled Conformity Assessment Bodies (CAB) based on mutually agreed terms and conditions.

o The Solution Provider will submit the test report and/or assessment report along with an application to STQC for analysis of the test results.

o STQC will also carry out a limited testing audit on a sample basis to re-confirm the test/audit results.

o If found satisfactory, a “statement of conformity” will be issued.

10.0 Procedure for Conformity Assessment Body (CAB) Approval

Under the CAB Recognition Scheme, STQC, Department of Information Technology will approve CABs that meet all the requirements of the scheme. A CAB shall have adequate resources, be independent, impartial, competent and adequately insured, maintain confidentiality, and have a quality management system in place to assure the quality of its services. STQC will determine whether a body seeking approval meets these requirements by way of an initial review assessment covering the full scope of the approval being sought.

A CAB must meet all the requirements on a continuing basis in order to maintain its approval status. To ensure that it meets those requirements, a CAB is subject to ongoing scrutiny by STQC. The scrutiny mainly includes audits, and other forms such as an investigation by STQC in case of a complaint against the CAB. For getting recognized, interested bodies shall apply in the prescribed format and submit a fee of Rs. 10,000 (in favour of PAO, DIT) for obtaining approval under the Scheme.

10.1 Requirements of CABs

10.1.1 General Requirements

• A CAB must be a legal entity having an office in India.

• If it is a Certification Body also it should be accredited by a member of the International Accreditation Forum (IAF) for the scope sought, but it will get recognition only for the assessment activities.

• A Conformity Assessment Body must have adequate resources to provide conformity assessment services that fall within its scope of recognition. Its resources must be adequate in terms of its financial capability, equipment, staffing, knowledge, experience, competence and subcontractors, wherever applicable. The body must have been in operation for a minimum of two years.

• It must, prior to providing its client with conformity assessment services, sign an agreement with the client with the terms and conditions of the services explicitly specified, together with non-disclosure agreements.

• It cannot subcontract or delegate its responsibility for the conformity assessment. It is allowed, however, to subcontract some of the checking, examination and audits that are part of the conformity assessment, but the CAB must monitor the performance of the subcontractor, review the results of any checking, examination and audits performed by the subcontractor, and determine the outcome of the assessment based on those results and the results of any additional checking, examination and audits performed by itself.

10.2 Quality Records

• The originals or copies of the following documents related to the conformity assessments shall be made available to STQC for inspection upon request:-

(a) contracts/agreements between the CAB and its client;

(b) contracts/agreements between the CAB and its subcontractors (if any);

(c) records that can demonstrate the competence of the CAB’s employees and subcontractors;

(d) Conformity assessment reports; and

10.3 Disclosure of information to the STQC(DIT)

The CAB must ensure, when contracting with a client/subcontractor in connection with any conformity assessment activities, that the contract gives the CAB permission to disclose to the STQC any information that the CAB obtains or receives in the course of, or in connection with, the conformity assessment.

The CAB must ensure, when contracting with a client/subcontractor in connection with any conformity assessment activities for the purpose of eGovernance conformity assessment, that the contract allows staff from the STQC(DIT) to attend the audits conducted by the CAB on its subcontractors.

10.4 Criteria to be met for the Recognition of CAB

The CAB, its Director and the assessment and verification staff shall not be the designer, manufacturer, supplier, installer, user or consultant of the software/services/devices which they inspect, nor the representative of any of these persons. They may not be directly involved in the design, construction, marketing or maintenance of the software/services, nor represent the parties engaged in these activities. This in no way precludes the exchange of technical information between the service provider and the CAB.

The CAB and its staff must carry out the assessment and verification operations with the highest degree of professional integrity and the requisite competence in the relevant IT subject area, and must be free from all pressures and inducements, particularly financial, which might influence their judgment or the results of the inspection, especially from persons or groups of persons with an interest in the results of the verifications. Should the CAB subcontract specific tasks connected with the establishment and verification of the facts, it must first ensure that the subcontractor meets all the applicable requirements, maintains the information security requirements and declares its information security system.

The CAB must be able to carry out all the tasks for which it has been recognized/approved, whether these tasks are carried out by the CAB itself or on its responsibility. In particular, it must have the necessary staff and possess the facilities needed to perform properly the technical and administrative tasks entailed in assessment and verification. This presupposes the availability of sufficient scientific staff within the organization who possess experience and knowledge sufficient to assess the functionality and performance of the eGovernance Solution for which it has been recognized. The impartiality of the CAB must be guaranteed. Remuneration must not depend on the results of the conformity assessment. The CAB must take out appropriate liability insurance. The staff of the CAB are bound to observe professional secrecy with regard to all information gained in the course of their duties.

10.5 Monitoring of CABs

Audits

A CAB is subject to the continual scrutiny of the STQC(DIT) and most of the scrutiny is in the form of audits. There are two types of audit, namely the surveillance audit and the witnessed audit.

Investigations

In case of a complaint about or related to a CAB, a report of an adverse incident, etc., the STQC may determine that it is necessary to initiate and conduct an investigation.

10.6 Application for recognition as a CAB or change of scope of recognition

Applications for recognition as a CAB or application for a change in the scope of recognition shall be made to the STQC(DIT) on the form (enclosed) (QAF02 05 F01).

10.7 Appeal against a Decision to Reject an Application Seeking Recognition/Change of Scope of Recognition

• Where a decision has been made by the STQC to reject an application seeking recognition or change of scope of recognition under the CAB Recognition Scheme:

• the decision shall remain effective unless and until it is set aside in an appeal;

• an appeal against the decision lies to the CAB Recognition Appeal Board, but it must be lodged by the applicant in writing to DG(STQC), who will appoint a committee, within 4 weeks after the applicant is notified of the decision; and the committee's ruling in the appeal shall be final.

10.8 Assessment of Conformity Assessment Bodies

The applicant Conformity Assessment Body is audited by a team nominated by the recognizing body (STQC). The applicable documents are specified in Clause 8 of this document.

10.9 After satisfactory completion of the audit, if the CAB meets all the criteria for approval, the approving body (STQC) grants a certificate of approval to the CAB.

11. DISCLAIMER.

11.1 The approval services and the results thereof are provided on an AS IS basis without warranty of any kind. STQC disclaims any and all warranties, express or implied, including without limitation any warranties of merchantability or fitness for a particular purpose with respect to the approval services and their results.

11.2 In no event shall STQC or any of their respective officers, directors, subsidiaries, parents or affiliates be liable to anyone claiming through applicant/client for any special, indirect, incidental or consequential damages of any kind or for any damages whatsoever resulting from reliance on the test/assessment results of Conformity Assessment Body approved by STQC.

Appendix - 1

Recognition Process

Requirement of conformity assessment in RFP

Responsibility:

• Solution Provider: providing evidence of conformity of the solution with the RFP through recognised bodies

• STQC: analysis and evaluation of reports and declaration of conformity

[Flowchart: Recognition Process. Recoverable labels: STQC defines the requirement of conformity assessment in the RFP; the Applicant/Solution Provider selects CAB(s) from the empanelled competent bodies and submits the solution to an empanelled CAB; the recognised Conformity Assessment Bodies (CA Body 1/Scope 1, CA Body 2/Scope 2, CA Body 3/Scope 3) assess the solution's conformity to the requirements; a "satisfactory? Yes/No" decision, with "No" returning the solution to the Applicant/Solution Provider for corrective action; report by the CAB to STQC for evaluation with respect to the RFP; Declaration of Conformity; disputes raised by the CAB or the Applicant go to the Dispute Resolution Body.]

Appendix 2

APPROVAL PROCESS FOR CONFORMITY ASSESSMENT BODIES

[Flowchart with two lanes, Applicant and STQC. Recoverable labels, Applicant lane: Request for approval; Send documents as specified in application forms to evidence compliance with criteria; Take corrective actions; Demonstrate compliance with requirements in practice; Take corrective actions; Maintain approval. STQC lane: Start approval process; Provide information on terms and conditions; Registration; Preliminary investigation (keep applicant informed about ...); Decision to perform assessment; Assessment (assess compliance against ...); Decision on approval; Surveillance, re-assessment; End approval process. Annotations: "Positive decision" on the two decision steps; "A one time additional re-investigation" on the corrective-action loops.]

(Issue 1 Dated August 2010) Page 1 of 2

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

(QAF-02-05-04)

Schedule of charges

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology, Electronics Niketan, 6 CGO Complex, Lodi Road,

New Delhi – 110003

Schedule of charges

Application fee: Rs. 10,000/-

Assessment fee: Rs. 10,000/- per manday

Technical Expert fee: Rs. 15,000/- per manday

Additional certificate charges: Rs. 5,000/- for each additional copy of certificate

Surveillance fee: Rs. 10,000/- per manday

Annual charges: Rs. 25,000/-

Page 1 of 7

QAF-02-05-05

August 2010

Approval Agreement

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology, Electronics Niketan, 6 CGO Complex, Lodi Road,

New Delhi – 110003

Approval Agreement

1. Responsibility of Approving Body

As a party to this agreement, the Approving Body undertakes to assess and approve in accordance with the current issue of the Rules and Procedures for approval of an independent test laboratory/assessment body. It should be noted that, in pursuance of its policy of continuous improvement of its services, the Approving Body reserves the right to modify the contents of the procedures at any time.

2. Responsibility of Applicant

As a party to this agreement, the Applicant undertakes to provide the Approving Body with all documents, information and facilities necessary to enable the Approving Body to provide the services under this agreement, and to abide by the terms and conditions laid down by the Approving Body from time to time.

3. Terms of Payment

Terms of payment are as per the document "Schedule of Charges". The basic charges for the services requested are quoted on the assumption that the information supplied by the organisation was accurate and complete. It should be noted that the schedule of charges is subject to review.

4. Cancellation

If the Applicant cancels the application for approval after applying, the application fee will not be refunded.

5. Invoices

Invoices will be submitted as soon as practicable after the completion of any milestone of the Approving process.

6. Payment

Payment becomes due within 28 days of the date of invoice. Thereafter, the outstanding unpaid amount may accrue interest at the rate of 18% per annum. It shall be noted that the Certificate of Approval cannot be released until payment has been received by the Approving Body.

8. Termination

Parties may terminate this agreement:-

8.1 By Notice

Three months written notice may be given by the Applicant to the Approving Body.

8.2 By Default

8.2.1 Immediately upon either party being notified by the other of any material breach of this agreement.

8.2.2 If either party, or any part of the undertaking thereof, goes into liquidation.

8.2.3 If either party ceases to trade, whether in whole or in part.

8.3 In the event of this agreement being terminated whether by notice, default or otherwise the Certificate of Approval issued pursuant hereto shall forthwith become invalid and Applicant shall cease to use the same and return to Approving Body all documentation and other matters issued pursuant thereto or bearing an indication of such certification.

9. Liability

The Certificate of Approval given to a client under the scheme shall not be regarded as in any way diminishing the mutual contractual responsibilities/obligations between the Applicant and his customer. While the Certificate of Approval will normally be a sound indicator of the capability of the Client to implement a management system, e.g. in line with the applicable standard, it should not be taken as a guarantee accorded by the Approving Body.

10. Indemnity

The Applicant shall fully and effectively indemnify Approving Body against all costs, claims, actions and demands arising from -

i) The services provided by Approving Body.

ii) The use or misuse by the organisation of Certificate of Approval and/or mark provided by Approving Body in accordance with this agreement.

iii) Any breach of this agreement.

11. Scope Expansion

In case of addition of new site/ activity, the organization shall inform the Approving body about the same and a new Approval agreement incorporating the change shall be agreed and signed by both the parties.

12. Information to be published

STQC publishes details such as the certified client list, status of approval, etc. on its website. If the client has any reservation regarding this, the same shall be communicated to the Approving Body in advance.

Part II: OBLIGATIONS OF THE ORGANISATION

An applicant holding a valid Certificate of Approval shall:

a) Comply in all respects with the appropriate System standard;

b) Submit to the Approving Body for prior approval the form in which he proposes to use the Certificate of Approval and/or logo/mark;

c) Not use the Certificate of Approval or logo/mark in any manner which may mislead its interpretation;

d) Not make any change to the System which formed the basis for grant or continuation of Approval and which prevents compliance with the System and Standard;

e) Document all changes made to the System and make records of such changes available to the Approving Body;

f) Notify the Approving Body of any change of key personnel;

g) Give access to the assessment team appointed by the Approving Body for the purposes of assessment / surveillance;

h) Keep records of all customer complaints in respect of products, process or service and the corresponding remedial measures related to the System;

i) Upon suspension or cancellation/withdrawal of the Certificate of Approval, discontinue use of the Certificate of Approval and logo/mark in all advertising material and other matter which contains any reference thereto; and

j) Pay all financial dues to the Approving Body as prescribed.

Note: The organisation is not entitled to any refund of fees paid or costs incurred in the event of non-renewal, suspension, withdrawal/cancellation or modification of the Certificate of Approval.

Part III

Acceptance of Approval Agreement

1. The terms and conditions laid down in this document are acceptable to me.

2. I am agreeable to the composition of the assessment team and to meet the financial obligations as indicated.

3. I will abide by the Approval agreement given in this document.

(to be signed by Applicant) (to be signed by Approving Body)

APPLICATION FORM QAF-02-05-06 July 2010

Application for approval (or Change of Scope of Recognition) Under the Conformity Assessment Body approval scheme of STQC

Organisation Profile

1. Name of Organisation

2. Address

3. Telephone Number

4. Fax Number

5. Website

6. Email Address

7. Designated Management Representative

Name

Position

Address

Telephone No.

Fax No.

E-mail Address

8. Organisation Chart (please attach)

Scope of approval sought as per document QAF02-05June2010 Clause 4

9. Business of Organisation

10. Status of Organisation (e.g. body corporate). Please also provide documentation that can identify its status. (Certificate of Incorporation)/legal entity.

11. Number of employees

i) Permanent

ii) Contract basis

Resource of organisation

12. Test facilities. Please state their addresses and test capabilities and give details, including documentary proof, of any accreditation.

13. In-house experts/specialists/assessors. Please list their names and their areas of competence and provide their CVs.

Declaration

(Please read the important Notes above before signing this declaration)

1. We ______________________________________________________________ _____________________________________ (name and address of applicant) declare

i) That the information given on this application form and on any separate sheets that supplement this form is true and correct; and

ii) That the documents that are submitted with this application form are true copies of their respective originals.

2. We understand and agree to the requirements of the CAB Recognition Scheme, which are subject to revision from time to time.

3. We agree that the Government may publish the following information to the public once this application is successful:

- Our name and contact details;

- Our status as a recognized Conformity Assessment Body under the Scheme;

- Our scope of recognition, as well as the date when this scope becomes effective.

Signature (authorized representative): ___________________________________________

Name: ____________________________________________________________________

Position: __________________________________________________________________

Telephone No.: ____________________________________________________________

Organisation: _____________________________________________________________

Date: __________________________________________________________________

Enclosures:

• Information about the Laboratory/Assessment Body and its activities

• Quality Manual

• List of Tools with license number (in case of laboratory)

• List of manpower with their qualification and experience

• Detailed scope of approval sought

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

CERTIFICATE OF APPROVAL

Approval Number:

M/s. ----------------------------------------------------------- has been assessed satisfactorily to the requirements of the Scheme for Approval of independent Test Laboratory for eGovernance for the following scope:

This Certificate is valid upto:

Date of Issue:

Authorized Signatory

(STQC)

Department of Information Technology

Ministry of Communications & IT

Electronics Niketan, 6 CGO Complex, Lodhi Road

New Delhi-110003

QAF-02-05-07, August 2010

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

CERTIFICATE OF APPROVAL

Approval Number:

M/s. ----------------------------------------------------------- has been assessed satisfactorily to the requirements of the Scheme for Approval of independent Assessment Body for eGovernance for the following scope:

This Certificate is valid upto:

Date of Issue:

Authorized Signatory

(STQC)

Department of Information Technology

Ministry of Communications & IT

Electronics Niketan, 6 CGO Complex, Lodhi Road

New Delhi-110003

QAF-02-05-08, August 2010

QAF02-05-09

June 2010

Procedure for

Approval of Independent Testing Laboratory

for eGovernance Conformity Assessment System

Government of India STQC Directorate

Department of Information Technology

Index (Page No)

1.0 Introduction 3

2.0 References 3

3.0 Target Audience 3

4.0 Operation of the Scheme 3

5.0 Approval procedure 4

6.0 Criteria for Approval 10

7.0 Supplementary requirements of Approval process 11

8.0 Scope of Approval 25

9.0 Guidelines for the use of STQC Logo

Annexure I – Definitions 27

Procedure for Approval of an independent testing laboratory

1.0 Introduction:

The Government of India has initiated the National eGovernance Programme (NeGP) to enable governance using ICT and so increase its efficiency, effectiveness and transparency. To assure the quality of eGovernance solutions, it is required to ensure the conformity of IT solution characteristics with the system requirements. In order to ascertain this conformity, the availability of IT test laboratories established as per international best practices becomes necessary. Such labs are required to be approved as Independent Test Laboratories of the IT domain with a defined scope. This will enable an IT solution provider to demonstrate compliance of its solution with the requirements of the project / RFP by providing a test report from an approved laboratory. This scheme is promoted by the STQC Directorate, Department of Information Technology, and is based on the International Standard ISO/IEC 17025:2005 (General requirements for the competence of testing and calibration laboratories).

The scheme is intended to recognize the competence of independent test laboratories and to provide confidence to the stakeholders that test results of eGovernance Solutions tested in these laboratories are reliable, reproducible and repeatable. Under the scheme, after satisfactory completion of the testing, the laboratory is issued a 'Certificate of Approval' indicating conformance to the specified requirements of the applicable standards as specified in the scheme.

The scheme covers both private and public (Government) independent test laboratories involved in software testing of information technology solutions with in-house and/or on-site capabilities.

2.0 References:

ISO/IEC 17000, "Conformity assessment – Vocabulary and general principles"

ISO/IEC 17025:2005, "General requirements for the competence of testing and calibration laboratories"

IEEE Std 610.12-1990, "IEEE Standard Glossary of Software Engineering Terminology"

3.0 Target Audience:

This document is addressed to the independent Software Test Laboratory's Designated Management Representative and other personnel responsible for implementing ISO/IEC 17025 and interested in obtaining approval for eGovernance conformity assessment purposes. This document will also be used by the Certification Body and the Laboratory Assessors.

4.0 Operation of the Scheme

The Scheme is operated through an 'Approving Body' set up under the STQC Directorate, Department of Information Technology, Government of India. The Approving Body is guided by an advisory board, which has representatives from various Government and Non-Government organizations. With a view to facilitating mutual recognition at the international level, the activities of the Approving Body are designed to comply with the requirements of International ISO/IEC and European Standards.

Liability: The Certificate of Approval is normally a sound indicator that the laboratory has established a quality system as per the requirements of ISO/IEC 17025 and has demonstrated to the Approval Body the competence of the laboratory to produce technically valid data and results. It should not, however, be taken as a guarantee accorded by the Approval Body. The Approval Body will not be liable for any deficiency in the service supplied by the laboratory. However, in case of the laboratory's failure to meet its declared capability / contractual responsibilities / obligations, the affected party may approach the Certification Body for redressal.

Legislation: It is the responsibility of each laboratory to ensure that it complies with all relevant and applicable legislation. Legislative requirements take precedence over the criteria given in this document. It is also strongly recommended that laboratories prepare a register of relevant legislation. Approval under the scheme does not remove the need for laboratories to comply with the applicable regulation and legislation.

Safety: The Approval Body (STQC) does not define mandatory safety measures but does draw attention to any unsafe practices observed in the course of assessment. These include loose cables/plugs, poor layouts, etc. Laboratories are, however, encouraged to apply safety aspects in the IT Testing Laboratory; these include, but are not limited to, ergonomics and usability related aspects as prescribed in the ISO 9241 series of standards.

Confidentiality: All information provided by a laboratory in connection with an enquiry or an application for approval, and all information obtained in connection with an assessment, is treated as confidential. Technical assessors, Approval Committee members and Governing Board members are bound to maintain the confidentiality of this information. The confidentiality clause does not apply in the case of regulatory and legislative requirements.

Assessment and Evaluation Personnel: For the purpose of assessment, testing and evaluation, the Approval Body makes use of qualified assessors from both within and outside the STQC Directorate.

5.0 Approval procedure

This document provides the administrative procedure for approval of independent test laboratory and explanation of the criteria, ISO/IEC17025, applicable for IT Test Laboratories.

5.1 Pre-approval Requirements

Laboratories interested in obtaining approval shall have established a quality system in the laboratory as per ISO/IEC 17025, with a Quality Manual and related documents and records available. Based on its capability, the laboratory shall define its proposed scope of approval, with locations, while applying to the Approving Body.

5.2 Approval Process

Step I Preliminary Information

Upon enquiry at the STQC, the organization will be provided with all relevant information on the Scheme along with the application form.

Step II Application for Approval

Any independent testing laboratory which is a legally identifiable organization and wishes to become an approved testing laboratory under the eGovernance Conformity Assessment System shall:

a) Apply to the Approval Body (STQC) giving the information required (QAF-02-05-06), accompanied by the current application fee;

b) Undertake to allow access by the assessment team nominated by the Approving Body to all parts of the location relevant to the scope of approval sought. This assessment team shall not disclose, without the prior permission of the testing laboratory, any confidential information obtained in the course of its duties; and

c) Nominate a Designated Management Representative (DMR).

The independent testing laboratory shall indicate the following information in the application form:

• The type of test it wishes to carry out on IT Systems;

• The location of the testing laboratory (laboratories) for which approval is sought. In case more than one location is applicable, a separate application need not be submitted; however, the location-wise scope and Quality System need to be stated; and

• That it has prepared the required documentation as a basis for the appraisal by the assessment team nominated by the Approving Body, and has the resources available to meet the requirements of the system.

• At the time of application the Designated Management Representative shall ensure, and make a statement, that at least two internal audits and one management review have been carried out by the lab and that action has been taken on all outstanding issues.

All applications are screened for completeness before acceptance and the Approving Body may seek or provide more information when necessary.

After acceptance, every application will be acknowledged and allotted a serial number, which must be quoted in all future correspondence. At all times during the application process the laboratory is encouraged to hold discussions with the relevant certification body (STQC) technical staff. While seeking approval, laboratory staff should familiarize themselves with the approval requirements and ask the approving body for clarification if the need arises.

Fees for Services: Applicable charges are levied as indicated in the "Schedule of Charges". Specific information on charges can be obtained by contacting the Head (IT Centre) of any region or by visiting the STQC website www.stqc.nic.in. These charges are required to be paid prior to the commencement of the approval process.

Step III Assessment process

Evaluation of Documentation

The laboratory's Quality Manual is evaluated to ensure compliance with all applicable requirements. The laboratory will have to carry out the necessary corrections and amendments if there are any discrepancies or gap areas, since this documentation will form the basis for further assessment. The extent of documentation detail depends upon the scope of approval the laboratory is interested in.

Preliminary (stage 1) assessment:

After the documentation evaluation has confirmed adequacy, a preliminary visit shall be organized to confirm the laboratory's readiness in terms of quality management implementation, processes established, methods practised, environmental aspects, adequacy and allocation of resources, and to confirm the scope of approval sought.

Assessment Procedure

The applicant shall demonstrate to the assessment team that:

• It meets the requirements of ISO/IEC 17025;

• It has tested a minimum of 3 products/projects, demonstrating its competence in Test Management and Test Engineering;

• It is sufficiently free from external influences which would prevent it from acting in an impartial manner; and

• It demonstrates sufficiently to the assessment team the competency of the test lab. The scope shall accordingly be recommended by the assessment team.

In performing the appraisal, account shall be taken of any comparable approvals granted by a recognized National/International Accreditation Body. The decision of the approval committee shall be final in this regard. The approval requirements are determined primarily by an on-site assessment of the laboratory’s resources, procedures and documentation. The objective of an assessment is to establish whether the laboratory can completely perform the activities for which approval has been sought. The assessment team is required to investigate the operation of the laboratory against the criteria. The following criteria checklists are used for assessing the conformity of the laboratory with the requirements of the system.

i) Criteria as per Compliance checklist with ISO/IEC17025 (QAF-02-05-11)
ii) Compliance checklist with IT specific laboratory requirements based on generic checklist ISO/IEC17025 (QAF-02-05-16)

The assessment team comprises a Lead Assessor and one or more specialist technical assessors. The Lead Assessor is also responsible for review of the Quality System. The size of the assessment team depends upon the areas that must be covered in the course of the assessment.

Assessments will generally take at least two man-days and may extend over a number of days depending on the range and complexity of activities to be covered. Technical Assessors are chosen according to their specialist knowledge and are matched as closely to the activities of the laboratories as possible. Consideration is given to possible concerns about conflict of interest in selecting assessors. Laboratory staff will be called upon to discuss with the technical assessors technical issues relating to measurements and tests that are in progress or are carried out by the laboratory. Laboratories must demonstrate their capabilities to the assessment team to enable them to recommend the “scope of approval” appropriately. Laboratories undergoing an assessment should expect all areas for which approval is sought to be covered in some way. All laboratory staff involved in on-site or field testing shall participate in assessments. Where necessary an assessment of a remote facility will be carried out and an additional fee charged as specified in the schedule of charges.

A closing meeting is held at the conclusion of the assessment, at which the assessment findings are presented by the lead assessor. Generally, the DMR would be expected to attend the closing meeting along with relevant senior staff. The purpose of the closing meeting is to allow discussion about the findings of the assessment. Laboratories are strongly encouraged to clarify issues they consider may have been misunderstood by the assessment team and to seek clarification about assessment findings. A report is handed over to the DMR for concurrence. The report will include the findings of the assessment besides the scope of approval and approved signatories covering all tests for which approval is recommended. Where necessary, the report will detail the action required by the laboratory to allow the approval to be recommended. In these cases the laboratory will be asked to provide the certification body with the necessary evidence that corrective and preventive actions have been taken.

Occasionally, a further visit by the assessment team may be required to close the non-conformities raised. There are a number of reasons for this, including concerns about the competence of the facility, the inability to assess certain aspects of the facility during the scheduled visit due to non-availability of key staff, or the need to review the effective implementation of the corrective action taken as a result of the assessment. The same procedure for assessment will be followed but may concentrate only on the areas found to be deficient. Charges will be levied for this visit as per the schedule of charges.


5.3 Post Approval Activities

Granting approval

The Approving Body (STQC) grants approval following a recommendation by the Approval Committee. This recommendation is made when the laboratory has met all the requirements for approval. The DMR is formally informed of the granting of the approval and issued with a certificate of approval containing the scope. The approval shall remain valid for 3 years.

Scope of Approval:

Approval is described by the granularity of tests. The collective expression or scope of laboratory approval is known as its “scope of approval”. The scope of approval of all approved laboratories shall be placed on STQC website.

Approved Signatories:

The Approving Body grants formal approval to laboratory staff to sign test reports bearing the STQC endorsement. The persons so authorized by the Approving Body are known as “approved signatories”, and their competence to undertake this role is determined during assessment.

Approved signatories assume responsibility for the technical validity and accuracy of all information contained in an endorsed document. They must demonstrate a sound knowledge of:

• The principles of the measurements and tests they perform or supervise;
• The standards or specifications for which approval is sought or held;
• The laboratory’s quality system;
• The Approving Body’s approval requirements relevant to this field;
• Where relevant to this approval, measurement ranges and the estimation of the actual uncertainty associated with the test.

Individuals may be approved as signatories for all or part of the laboratory’s scope of approval. Laboratories must have approved signatories to cover the complete range of their scope of approval.

Modification to Scope of Approval

A laboratory holding a valid certificate of approval may apply for modification to the scope of approval. The Approving Body can, at its discretion, decide either in favour of re-assessment or a fresh application as applicable.

Maintenance of Certificate of Approval

The Certificate of Approval will be followed by a surveillance visit every year, during which the relevant quality system and product or process requirements are audited to verify that all the processes are well maintained and continue to comply with approval requirements. For the purpose of maintenance of the certificate of approval, the laboratory is required to remit an annual fee as outlined in the schedule of charges.


Renewal of Certificate of Approval

The certificate of approval is valid for a period of three years. The Approving Body may, at its discretion, decide on renewal of the certificate of approval based on the surveillance reports of the current validity period. The applicable charges for renewal of the certificate of approval are given in the schedule of charges.

Suspension of Certificate of Approval

Approval may be suspended for a limited period at the discretion of the Approving Body under the following circumstances:

• If surveillance indicates minor discrepancies to the relevant certification requirements and the same are not cleared even after lapse of the initial time period given for corrective action.
• If the surveillance indicates major non-conformance to the certification requirements.
• If improper use of the Certificate of Approval or Certification Mark is not rectified to the satisfaction of the Approving Body.
• If there has been any other contravention of the applicable requirements or rules and procedures of the scheme.

Upon fulfillment of the conditions indicated in the suspension notice within the specified period, the suspension will be revoked.

Withdrawal / Cancellation of Approval

Withdrawal of the Certificate of Approval and of the authorization for the use of the STQC logo, and cancellation of approval, will be resorted to under the following circumstances:

• If the laboratory under suspension fails to rectify non-conformance within the specified period.
• If the laboratory either will not or cannot ensure conformance to the rules and procedures of the Approving Body.
• Failure to meet the financial obligations to the Approving Body.
• At the formal request of the laboratory.
• Any other serious contravention of applicable requirements of the rules of procedure of the scheme.

Appeals

Under the Scheme, there is a provision for applicants or laboratories to appeal against any decision relating to grant/suspension/cancellation/withdrawal of the Certificate of Approval. In the event of an applicant or laboratory wishing to appeal, he shall lodge a notice of appeal with the Chairman, Governing Board within two weeks of a decision that he deems to be incorrect. In response to this, the organisation will receive a detailed statement indicating the basis for the decision in question. If the applicant still wishes to pursue his appeal, he shall forward to the Chairman, Governing Board a statement within four weeks giving his case for going ahead with the appeal, along with the applicable charges as indicated in the Schedule of Charges.


After this a three-member committee, two of whom shall be acceptable to each party to the dispute, will be constituted. The appellant can appear himself or nominate his representative(s) to appear on his behalf before the date of hearing. He is required to submit all written evidence at least one week before the date of hearing. The decision of the Chairman, Advisory Board shall be final and binding on both parties.

Obligations of the Organization

An organization holding a valid Certificate of Approval shall:

a) Comply in all respects with the applicable requirements.

b) Not claim or imply that his Information Security Management System, IT Service Management System, Quality Management System and Services are certified or approved.

c) Not make any major change to the quality manual which formed the basis for grant or continuation of registration and which prevents compliance with the requirements.

d) Document all changes made to the Quality Manual and make available records of such changes to the Approving Body;

e) Notify the Approving Body of any change in the name or ownership of the laboratory, key personnel in relation to management and technical functions or Senior Management, and any significant change in the function of the laboratory.

f) Give access to the assessment team appointed by the Approving Body for the purpose of assessment or surveillance;

g) Keep records of all complaints and corresponding remedial measures related to the quality system;

h) Upon suspension or cancellation/withdrawal of the Certificate of Approval, discontinue use of the Certificate of Approval and logo in all advertising material and other matters which contain any reference thereto; and

i) Pay all financial dues to the Certification Body as prescribed. The laboratory is not entitled to any refund of charges paid or costs incurred in the event of non-renewal, suspension, withdrawal, cancellation or modification of the certificate of registration.

6.0 Criteria for approval:

General Criteria: The general requirements for approval of testing laboratories are described in ISO/IEC 17025:2005 (General requirements for the competence of testing and calibration laboratories). These requirements are designed to apply to all types of testing laboratories and therefore need to be interpreted with respect to the type of testing concerned with eGovernance projects and the techniques involved. The contents of ISO/IEC 17025, which form the basis of the criteria, are reproduced below:


Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Management requirements
4.1 Organization
4.2 Quality System
4.3 Document Control
4.4 Review of requests, tenders and contracts
4.5 Subcontracting of tests and calibrations
4.6 Purchasing services and supplies
4.7 Service to the client
4.8 Complaints
4.9 Control of non-conforming testing and/or calibration work
4.10 Improvements
4.11 Corrective action
4.12 Preventive action
4.13 Control of records
4.14 Internal audits
4.15 Management reviews
5 Technical requirements
5.1 General
5.2 Personnel
5.3 Accommodation and environmental conditions
5.4 Test and calibration methods and method validation
5.5 Equipment
5.6 Measurement traceability
5.7 Sampling
5.8 Handling of test and calibration items
5.9 Assuring the quality of test and calibration results
5.10 Reporting the results

7.0 Supplementary requirements of approval: All laboratories seeking a certificate of approval for Information Technology Testing must meet the general requirements of ISO/IEC 17025: 2005. This section describes additional requirements, known as supplementary requirements, specifically applicable to laboratories performing testing related to information technology. These requirements constitute either additions to the general requirements or clarifications or interpretations of the general requirements as they relate to IT testing. The approval criteria for IT testing laboratories constitute both the general requirements and the supplementary requirements. The clauses referred to below are the clauses of ISO/IEC 17025: 2005.

4 Management requirements

4.1 Organisation:

i) The management system requirements of ISO/IEC 17025 and the additional requirements of this document apply to the laboratory’s permanent facilities, testing performed at the customer’s facility, and on any testing performed via a remote connection to the customer’s


ii) If the laboratory intends to perform any part of the testing at the premises of the client, the developer or the user, the laboratory’s management system shall include procedures for handling testing performed at those premises. If testing is to be performed using equipment or systems normally controlled by the client, developer or user, procedures for controlling these items shall also be included.

iii) For laboratory staff who may also have design, production or marketing related responsibilities, a clear policy must be available to define how impartiality is assured for their testing responsibilities.

iv) The desirability of testing software during the development process is recognized. In these circumstances, the laboratory shall have procedures for ensuring its independence and that of its staff from the development process, and for identifying and controlling potential conflicts of interest.

v) When the laboratory is part of a larger organization, procedures shall define those personnel other than lab staff who can have access to test results relating to tests performed for that organization. Results of tests performed would normally not be available to personnel outside of the lab or its client.

vi) On completion of on-site testing, if the system on which testing is performed is not under the full control of either the lab or the client, the laboratory is responsible for the removal of all records generated during the test unless otherwise requested by the client.

4.2 Quality System:

i) Quality documentation must include or reference approved signatories, scope of approval and the policy on the use of the certification body endorsement.

4.3 Document Control:

i) Test methods can include test plans, test suites, test cases including relevant input data, test procedures and test design specifications, and shall therefore be controlled, reviewed, approved and revised as required by clauses 4.3 and 5.4 of ISO/IEC 17025.

ii) When approval is sought for testing to international standards and/or in accordance with regulatory rules and requirements, laboratories must maintain controlled copies of all relevant documents.

iii) The procedures to control computerized systems should address appropriate implementation of configuration management and control, maintenance of traceability between related documents, and where appropriate a combination of manual and computer based approaches.


4.4 Review of requests, tenders and contracts

i) The contract shall define which components of the test environment are being supplied by the laboratory and which are being supplied by the client. This includes hardware and software. The test environment boundary interface points shall also be clearly defined.

ii) A testing organization may find it of value to assess its capability for the software testing process and other relevant processes by following an approach based upon ISO/IEC 15504. The results of such an evaluation can form the basis for an identification of associated process risk.

4.5 Sub-contracting of Tests and Calibration:

i) This clause applies in those cases where a laboratory is required to sub-contract part of its normal service (for example due to temporary incapacity or excess workload) or where a laboratory subcontracts due to the need for further expertise, and the results of the sub-contracted service(s) are incorporated into the laboratory’s test reports or used to formulate an opinion which is subsequently incorporated into the laboratory’s test report.

ii) A competent sub-contractor is defined as a laboratory appropriately approved by STQC or a lab accredited by one of India’s mutual recognition partners under the NABL programme. The accreditation status of subcontractors should be regularly reviewed to ensure currency.

4.6 Purchasing, services and supplies:

i) Commercially available test tool validation services and software testing tools are regarded as services and supplies. These procedures also apply to hardware and software consumables such as diskettes, CDs, DVDs, etc. used in the testing and maintenance of servers, networks, UPS, air conditioners, etc.

4.7 Service to the client: No supplementary requirements

4.8 Complaints: No supplementary requirements

4.9 Control of Non-conforming Testing and/or calibration work:

i) Errors detected in the SUT do not constitute non-conforming work, but are an aspect of the overall results of the test. These errors shall be documented in the test report in accordance with ISO/IEC 17025 section 5.10.

ii) Any other aspect of testing not associated with results that does not conform to the documented test methodologies (see section 5.4) shall be considered non-conforming work and subject to the requirements of this section.

4.10 Improvements: No supplementary requirements

4.11 Corrective Action: No supplementary requirements

4.12 Preventive Action: No supplementary requirements


4.13 Control of records:

4.13.1 General

i) Technical records shall include, as far as possible, the correct and complete identification of the test environment used for the SUT; this includes complete configuration management identification for all system components (both hardware and software).

ii) All records must include the identity of the person making the records.

iii) The requester’s initial requirements and the subsequently developed testing requirements, testing specifications and testing plan shall all be treated as technical records.

iv) Unless otherwise prescribed by legislation or contractual obligations, the retention time will not be less than three years.

4.13.2 Technical records:

i) Technical records shall include, as far as possible, the correct and complete identification of the test environment used for the SUT; this includes complete configuration management identification for all system components (both hardware and software).

ii) Alterations to data must also include the date the change was made.
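The record-keeping rules of clause 4.13 (every record names the person who made it; alterations carry the date of the change) are easy to state and easy to violate silently once records live in a database. The following is an added example, not part of the STQC document, of a minimal technical record store that enforces both rules and additionally hash-chains the log so that a later edit to a stored entry is detectable at internal audit. The record ids, field names and dates are constructed for the example.

```python
# Added example (not part of the STQC scheme document): a minimal technical
# record store in the spirit of clause 4.13. Every record identifies the
# person who made it, alterations append a dated change entry instead of
# overwriting, and entries are hash-chained so that a later silent edit to the
# stored log is detectable at audit time. Field names and record ids are
# assumptions constructed for the example.
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(payload: Dict[str, Any], prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content
    # always produces the identical digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class TechnicalRecordLog:
    """Append-only log of technical records and their alterations."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []        # chained log entries
        self.current: Dict[str, Dict[str, Any]] = {}   # record id -> latest fields

    def _append(self, payload: Dict[str, Any]) -> Dict[str, Any]:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"payload": payload, "prev": prev, "hash": _digest(payload, prev)}
        self.entries.append(entry)
        return entry

    def create(self, record_id: str, fields: Dict[str, Any], author: str,
               when: Optional[datetime] = None) -> Dict[str, Any]:
        if not author:
            raise ValueError("every record must identify the person making it")
        if record_id in self.current:
            raise ValueError(f"record {record_id} already exists; use amend()")
        when = when or datetime.now(timezone.utc)
        payload = {"op": "create", "id": record_id, "fields": dict(fields),
                   "author": author, "date": when.isoformat()}
        self.current[record_id] = dict(fields)
        return self._append(payload)

    def amend(self, record_id: str, field: str, new_value: Any, author: str,
              when: Optional[datetime] = None) -> Dict[str, Any]:
        if not author:
            raise ValueError("every alteration must identify who made it")
        if record_id not in self.current:
            raise KeyError(record_id)
        when = when or datetime.now(timezone.utc)
        old_value = self.current[record_id].get(field)
        # The previous value is kept in the log; nothing is overwritten.
        payload = {"op": "amend", "id": record_id, "field": field,
                   "old": old_value, "new": new_value,
                   "author": author, "date": when.isoformat()}
        self.current[record_id][field] = new_value
        return self._append(payload)

    def history(self, record_id: str) -> List[Dict[str, Any]]:
        return [e["payload"] for e in self.entries if e["payload"]["id"] == record_id]

    def verify_chain(self) -> bool:
        """Recompute every digest; False if any entry was edited or removed."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e["payload"], prev) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> TechnicalRecordLog:
    """Constructed sample: a test record created, then its result amended."""
    log = TechnicalRecordLog()
    log.create("TR-0001",
               {"sut": "eGov-portal 2.1 (constructed)", "result": "fail"},
               author="A. Tester",
               when=datetime(2010, 8, 2, 10, 0, tzinfo=timezone.utc))
    log.amend("TR-0001", "result", "pass", author="B. Reviewer",
              when=datetime(2010, 8, 5, 16, 30, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = demo()
    for change in log.history("TR-0001"):
        print(change)
    print("chain intact:", log.verify_chain())
```

The chain only detects tampering with the log as held in memory or on disk; in a real laboratory the head hash would be written periodically to a medium the record-keepers cannot alter (a printed register or a separately controlled store), which is what makes the audit check meaningful.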

4.14 Internal Audit

i) The internal audit schedule should ideally cover all elements of the Quality System over a 12-month period.

4.15 Management reviews

i) The effectiveness of the Quality System shall be reviewed by Management at least once in a year.

5.0 Technical Requirements:

5.1 General: No supplementary requirements

5.2 Personnel: No supplementary requirements

5.3 Accommodation and Environmental Conditions:

i) For software testing, the term “environment” includes the hardware and associated software on which the software being tested is running. The laboratory shall ensure that any interference from other activities in the system does not invalidate the results of the specified tests. Examples of such activities are uncontrolled network activity during a performance test, virus scanners, obsolete or obsolescent versions of software, and backing up.

ii) IT testing should be separated from any design/development or production environments. There should be no other concurrent activities occurring during testing that could affect or invalidate the results.

iii) Any virtual environments or other special configurations shall be fully documented in the test records along with a justification as to why it is believed they do not affect or invalidate the results.

iv) When a computing hosting center is utilized to house the lab-owned system hardware, it is considered within and part of the lab environment.

v) When testing on-site, the same requirements apply as those which apply when testing in a permanent approved laboratory. Therefore additional precautions may be necessary when testing on-site in order to ensure that all requirements of ISO/IEC 17025 and this interpretive document are met.

vi) The following are examples of some aspects of on-site testing for which additional precautions may be necessary:

• Testing staff may need training in the operation of on-site equipment and software;
• Signatories who do not usually accompany the testing staff when evaluations are performed on-site must undertake sufficient technical audits of the testing activities to maintain confidence in them;
• Additional action may be needed to ensure the security of test records;
• Additional action may be needed to ensure proper integration of test equipment, including test tools, with the on-site hardware and software environment.

vii) The laboratory’s procedures for on-site testing must be described in the laboratory’s quality system documentation and be subject to the review and internal auditing process.

viii) It is possible that the laboratory’s capability for on-site testing may differ from its capability for testing in its permanent laboratories. This will be reviewed during the assessment process.

ix) The test environment and the software under test shall be sufficiently recorded and controlled to ensure their correct and complete identification at any time.


5.4 Test and Calibration Methods and Method validation:

i) The lab shall define and document a testing methodology which shall address the following topics:

(a) Test preparation and setup.
(b) Test coverage and traceability to requirements.
(c) Assurance that test case results are not ambiguous and have a single thread of execution with objective results relating to expected outcomes.
(d) Assurance that any automated test suites will produce valid results.
(e) Test document approval prior to testing.
(f) Completed test case review and approval.
(g) Test reporting with anomaly severity classifications.
(h) Test candidate configuration management.

It may also include the following, subject to contract review:

(i) Test anomaly characterization and priority.
(j) Criteria for running partial testing or re-testing candidates.
(k) Any other topics agreed with the customer.

ii) Testing work shall be defined in Test Plans, Test Specifications, Test Cases, or other test suite deliverables as defined in the testing methodology. These can also be encompassed in an overall Validation Plan with a matching Validation Report as defined by the methodology.

iii) The test suites/plans/specifications/cases shall be technically reviewed and approved prior to execution. This can be considered the validation of the test method as defined in ISO/IEC 17025 clause 5.4.5. This review shall include:

(a) Confirmation of adequate test coverage of all requirements.
(b) Confirmation that test case results are not ambiguous and have objective pass/fail criteria.
(c) Confirmation that any automated test suites will produce valid results.

iv) Laboratories approved for testing to standard methods must maintain records of all interpretive decisions which they may make in response to ambiguity in the test methods or specifications contained in standards.

v) For software, validation is the process of verifying that a means of testing or test tool will produce results that are consistent with the specifications of the relevant test suites, with any relevant standards and, if applicable, a previously validated version of the means of testing or test tool.


vi) Commercial off-the-shelf test tools in general use within their designed application range may be considered as sufficiently validated until a suitable means of independent validation becomes available. However, in-house modifications to test tools should be validated.

vii) Laboratories shall make all reasonable efforts to ensure that interpretations made are consistent with those of other laboratories and regulatory authorities. Other laboratories accredited for the same tests should also be consulted. Attendance at relevant national, international or industry forums where such interpretations are discussed is strongly encouraged.

viii) There are circumstances when Certification Body (STQC) may impose additional requirements on standard test methods. This action is only taken when testing in accordance with the stated requirements of a standard is likely to cause an inappropriate interpretation of the result appearing in a Certification Body endorsed test report and so bring STQC into disrepute. Such a requirement would only remain in place until the standard was appropriately amended.

ix) It is not anticipated that software testing laboratories would normally perform calibration of any measuring instruments used in testing of software. However, any software testing laboratories which do perform in-house calibration in support of their testing activities shall have internal calibration procedures fully documented and controlled in accordance with section 5.4, including uncertainty estimation.

x) The concept of Measurement Uncertainty (MU) typically is not applicable, as IT testing executes digital logic on a pass/fail basis. MU may be applied to IT testing under the following conditions:

(a) When the SUT is performing mathematical operations or using approximations and rounding in statistical analysis, calculus, or geometry, an uncertainty may be introduced by the algorithms themselves. Where this becomes significant to the output or functioning of the SUT, MU shall be documented.

(b) Due to the current state of the art and the evolving nature of software measurements, there are no specific requirements for the determination of measurement uncertainties, except those applicable to physical measurements of electrical or other quantities, e.g. voltage, frequency, bandwidth, etc. made with appropriate instruments. These instruments must be calibrated by an appropriately accredited facility.

5.5 Equipment:

i) Software test tools significant to testing are considered equipment and shall follow the appropriate ISO/IEC 17025 section 5.5 clauses.


ii) Software tool validation confirms that the software tools meet the specified requirements. The software tools shall be validated, documented and include the following objective evidence:

(a) Custom software testing tools – full validation effort.
(b) COTS software tools used as is – acceptance testing for each installed instance.
(c) MOTS software tools – acceptance testing for each installed instance along with validation of the modification or tailoring.

iii) Each software test tool installation (instance) shall undergo a documented installation/operational qualification prior to use. There shall be documented evidence of the configuration and inventory of each specific installed software or system and suitable tests to confirm functionality.

iv) Software test tools can be installed on many systems. Each instance of test tool software shall be uniquely identified on each target environment and be under configuration management.

v) The equipment records requirements in ISO/IEC 17025 are defined here as follows:

(a) Identity – each instance of software/hardware.
(b) Manufacturer – includes manufacturer name, program name, and version number.
(c) Checks – installation/operational qualifications.
(d) Location – target system name or location.
(e) Manufacturer’s instructions – user manuals.
(f) Calibrations – as discussed in 5.5.2.
(g) Maintenance plan – not applicable.
(h) Damage – not applicable.

vi) When software test tools are used by others outside of the laboratory’s control, configurations and adaptations shall be checked and possibly reset to ensure proper functioning.

vii) Software test tools should be reset or logs emptied between test candidates to ensure that only current test data is recorded.

viii) Automated test cases should be checked for validity between test candidates to ensure valid test results.

ix) Software test tool configurations shall be safeguarded by user roles or other appropriate means.


x) Instruments used for making measurements of physical quantities, e.g. electrical, time, frequency, etc. shall be calibrated and checked in accordance with the requirements of clauses 5.4.6, 5.5.2 and 5.6.

xi) Test tools should be identified by at least their name, supplier and version number.

xii) Hardware shall be identified and recorded to the extent necessary for the tests being undertaken, in order to achieve repeatability and reproducibility and bearing in mind the risk of recall due to hardware errors or configuration changes.

xiii) Instruments used for physical measurements shall be re-calibrated at intervals. This should be as per National Measurement Policy described by NABL.

5.6 Measurement Traceability:

i) Traceability is not applicable for software test tools that operate in relation to hardware processor clock cycles and/or counters with no dependence on real time.

ii) For software testing it is mostly not yet possible or relevant to calibrate the test tools. The suitability of a test tool for a particular use is confirmed by a process of validation, which is intended to meet the requirements of ISO/IEC 17025 for verification and “calibration” of test tools.

iii) A record shall be maintained of all test tool validations and re-validations giving reasons for the cases being run, date, environmental information if appropriate, and a summary of the results obtained plus the details of any discrepancies from the expected results. When the test tool validation is made using a reference implementation, the laboratory shall document fully the expected results (i.e. previously obtained results) from using the full conformance test suite to test the nominated reference implementation.

iv) If a reference implementation is used for test tool validation, then the procedures for carrying out the validations shall be fully documented by the laboratory.

v) If there is no suitable reference implementation that could be used to validate a test tool, then the laboratory shall define and document the procedures and methods that it uses to check the correct operation of the test tool and provide evidence that these procedures and methods are also applied whenever the test tool is modified.

vi) When the test method requires test software to be installed on the system under test, the laboratory shall specify a set of confidence tests (possibly a subset of the conformance test suite) and specify the procedures to run them to check that the test software has been installed correctly. The laboratory shall also specify procedures to ensure that all test software mounted on a system under test is derived faithfully from the appropriate master version held by the laboratory.

vii) Whenever any minor changes are made to the test tool or testing environment, or whenever there is any doubt about the correct operation of the test tool, it shall be re-validated by testing against the reference implementation using an appropriate subset of the conformance test suite, selected in accordance with specified procedures of the testing laboratory. Whenever any discrepancy is shown by the running of such a subset of the test suite, or whenever any major change is made to the test tools or testing environment, the test tools shall be validated against the reference implementation using the complete conformance test suite before any further testing of clients’ systems takes place.

viii) If there are any discrepancies from expected results of validations or re-validations then the relevant test cases or the test tool itself shall be suspended from use until the discrepancies have been resolved.

ix) The laboratory shall specify the procedures and methods it uses to validate new versions of each test tool, including its traceability to the master copy and where relevant, the consistency with previous results.

x) Test equipment that has a significant effect on the reported results and associated uncertainties of measurement (including, where relevant, instruments used for monitoring critical environmental conditions) must be calibrated by a laboratory accredited under the National System (NABL).

xi) A particular implementation may be used as a reference implementation only if its behaviour when tested by the relevant conformance test suite is repeatable and if the coverage of the conformance test cases that it is capable of exercising is impartial towards the range of implementations that may have to be tested by the conformance test suite.

xii) When at least one suitable implementation becomes available for use as a reference implementation, then the relevant test tools shall be validated against it within a reasonable period of time.

xiii) Initial validation of a test tool shall be made by testing the test tool against the reference implementation, using all the test cases from the complete conformance test suite that are applicable to the reference implementation.

xiv) Validation reports shall, wherever applicable, indicate the traceability to international standard test suites or appropriate authoritative specifications, and shall provide the equivalence results and list known defects. This shall apply to both validations performed by the laboratory or by an external supplier.

5.7 Sampling:

i) ‘Sampling’ refers to the taking of a representative sample of the whole, such as might occur when a sample of a help file is spell-checked, based on the statistical knowledge that spelling errors found in such a sample will, with a known level of confidence, represent the spelling errors in the whole help file. It is not intended to refer to the taking of a selection of software, such as certain units or software from particular developers, based on experience that such software is more likely to contain errors, nor does it refer to the use of a subset of test cases in order to test software, notwithstanding that these processes may be amenable to statistical techniques.

5.8 Handling of Test and Calibration Items:

i) Laboratories shall maintain software test candidates (SUT samples) under configuration management with appropriate metadata to ensure it is unique.

ii) SUTs maintained under a common configuration management system accessible by customers shall be controlled and isolated.

iii) The requirements of this clause apply specifically to the test items. It is recognized that interactions between the test item, the test tools and the test environment may result in modifications occurring to the test item as part of the normal installation or testing process. The intent is to prevent unintended changes from occurring and to ensure that an unmodified version of the test item may be made and used for testing provided that the copies are traceable back to the original supplied test item and are controlled, e.g. by lodgment in a version control system.

iv) Additional labeling of equipment under test may not be necessary for hardware and software identified by a manufacturer’s model type or number as well as a unique serial number and version number.

5.9 Assuring the Quality of Test and Calibration Results:

i) The quality control monitoring in this clause consists of software quality control efforts documented by the lab. No other monitoring is applicable.


ii) Test systems shall be subject to hardware and software in-service checks before beginning to test each new implementation under test. These checks shall include authentication of the version of the test system to be used. If faults are detected then the procedures for dealing with defective equipment shall be applied.

iii) Laboratories shall confirm the integrity of the testing environment at the start of each series of tests.

5.10 Reporting the Results:

i) Whenever test cases are such that analysis of the observations by the test operator is required in order to interpret the results, before the results can be stated in a test report, the laboratory shall define objective, unambiguous procedures to be followed by the personnel doing the analysis, sufficient to ensure that repeatability, reproducibility and objectivity are maintained.

iii) Test reports containing open errors shall have them described in an unambiguous way and should include severity descriptions in user terms.

iv) Laboratories shall define and document the procedures to be followed by its staff concerning the re-running of test cases. They shall include objective criteria to decide whether to re-run a test case and procedures for ensuring that the repeatability, reproducibility and objectivity of the process for deciding the outcome, e.g. pass or fail, is maintained.

v) If a test case which is supposed to specify pass or fail outcomes does not completely define which verdicts are to be assigned to which set of observations, then the testing laboratory shall either:

a) define and use testing procedures which ensure that any unspecified verdict assignments meet the criteria of repeatability, reproducibility and objectivity with respect to the relevant standards; or

b) assign an inconclusive verdict to any unspecified situation until the test suite has been corrected.

vi) The testing laboratory shall also take appropriate steps to get such (incomplete) test cases revised so that they completely define all allowed verdict assignments.

vii) If it is not possible, when applying the accepted conformance testing methodology for a particular area, for conformance test cases to specify the actual verdicts to be assigned, then the test case shall specify verdict criteria which meet the criteria of repeatability, reproducibility and objectivity, so that it is well defined what verdict should be assigned in every situation resulting from the execution of each test case.

5.10.1 Test reports and calibration certificates:

I. STQC endorsement

a) Approved laboratories are encouraged to apply the STQC endorsement for tests and measurements covered by their approval.

b) Endorsed test documents must include the required information detailed in the relevant clause of ISO/IEC 17025. The name in which approval is held, the relevant approval number of the laboratory and the date of issue of the endorsed test document must also be included.

c) In instances where specific approval has been granted for the inclusion of results of tests not covered by the scope of approval, the notation “STQC approval does not cover the performance of this service” shall be applied.

d) An endorsed document may include results reported in an endorsed document issued by another accredited/approved laboratory (refer 5.10.6).

e) Each page of a multi-page document shall bear a statement of the page number and the total number of pages.

II. Approved signatories

a) The test document must further be signed by an STQC approved signatory. In general, approved signatories are expected to apply their signatures in manuscript. The use of photographic, electronic and mechanical means of reproduction of signatures or names of signatories, where applicable, will be reviewed at assessment.

b) A protocol must be in place to demonstrate that the approved signatory authorized the test report at the time of its issue, e.g. by use of password protected templates.

III. Unendorsed reports:

a) An approved laboratory may issue unendorsed documents reporting results within and outside its scope of accreditation. Such documents must not, however, include the STQC emblem, reference to the approval or any other reference to STQC.

b) Unendorsed reports, and the associated work on tests outside the scope of approval, are expected to avoid any conflict with the proper interests of the client or the general public and to avoid bringing STQC into disrepute.

IV. Preliminary reports:

a) In circumstances where STQC permits approved facilities to issue preliminary test documents prior to final endorsed documents, the final test document shall contain a reference to the preliminary document. When test reports contain multiple tests or partial tests, the test report shall describe how they interrelate to show a complete approved test. In addition to the requirements detailed under 5.10.2, endorsed test documents must also include information as described in a), b), c) and e) of this clause, where relevant. Test reports should indicate the test suites used to perform the tests.

b) Compliance statements shall indicate those sections or clauses of the test specification or, for calibrations, the parameters and ranges to which the compliance statement relates.

c) It is recognized that there are situations in software testing when the inclusion of an opinion is required, either to clarify the understanding of a test result or to provide advice on possible future directions of testing. When required by the client such opinions are allowed; however, they must be clearly identified as opinions and outside of the scope of approval. Any discussion of workarounds or resolution status is considered an opinion and shall be denoted as such.

5.10.2 Testing and calibration results obtained from subcontractors:

a) The subcontractor’s endorsed report shall be issued in full to the client, except in those cases where only part of a test is subcontracted. In this case the contractor’s endorsed report may include the results reported by the subcontractor provided they are clearly identified as such. The following information taken from the subcontractor’s endorsed document shall also be included:

• Identification of the approved facility by the name in which accreditation is held and the approval number;

• Endorsed report/document identification.

5.10.3 Electronic transmission and remote issue of results:

a) Test reports may be electronically issued (including from a site other than the accredited laboratory) provided that the reports have been appropriately authorized for release. The adequacy of such arrangements will be reviewed at assessment.


b) Endorsed documents may be issued from a site other than the approved laboratory provided they bear:

• The signature, facsimile signature or typescript name of an approved signatory;

• The signature of a checking officer at the issuing location, approved for this purpose.

c) Copies of the documents shall be retained at the issuing site and at the laboratory.

d) The laboratory must be able to demonstrate appropriate controls over the electronic generation, access, storage and back-up of results and reports, and program controls such as password protection. If the report is to be accessed from a web site by the client, there must be an appropriate control in place to ensure the report can only be downloaded in a protected format.

e) Printing issues may also need to be considered. Any information normally included in a hardcopy report must be included on the electronically transmitted version and appear in any hard copy printed by the recipient.


8.0 Scope of approval:

Applications for approval in the field of Information Technology shall be made under three main disciplines:

- Software conformance Testing

- System conformance Testing

- Network Testing

Under these 3 disciplines, approval may be sought for the different types of testing given below:

o Functional Testing (Code 01)

o Usability Testing (Code 02)

o Application Security Testing (Code 03)

o Performance Testing (Code 04)

o Reliability/Availability Testing (Code 05)

o Maintainability Testing (Application) (Code 06)

o Portability Testing (Application) (Code 07)

o Interoperability testing

o Accessibility testing

o Configuration & Compatibility Testing (Code 08)

o Code review (Code 09)

o Network Testing (Performance) (Code 10)

o Network Testing (Security) (Code 11)

o National requirement of Website Quality (Code 12)

9.0 Guidelines to approved Laboratories for use of STQC Logo

All STQC approved laboratories shall use the STQC logo on their letterhead, test reports and any other relevant documents. The logo shall be used for the purpose of identifying correctly and unambiguously the testing services approved by STQC.

While using the logo, the laboratory shall ensure that the design and its manifestations are not distorted and that it is reproduced in any single colour (preferably black) and any size while maintaining the aspect ratio.

It shall be the responsibility of the approved laboratory that the use of the logo does not misrepresent the scope of approved testing services. In cases where the approval sought and granted does not cover all the activities of the laboratory’s services, care should be exercised to restrict the use of the logo only to those approved activities.

The letterheads and publicity materials, brochures and test reports of the approved laboratory bearing the STQC logo shall cover only the test results under the approval category. For the non-approval category the laboratory shall use a letterhead without the STQC logo.

Such restriction shall also apply to large organizations with several laboratories but with only some of them having STQC accreditation. Use of logo in a combined letterhead representing all the constituent laboratories, some of which are not approved, is not permissible.

Approved laboratories shall not authorize the use of the logo for testing services sub-contracted to other laboratories which are not accredited by STQC.

In case of complaints in this regard from users and other laboratories, or use of the STQC logo and approval in such a manner as to bring STQC into disrepute or which may reasonably be considered misleading by any person or organization, STQC reserves the right to initiate appropriate action.

In the event of the laboratory being put under the abeyance, suspension or forced withdrawal category, the laboratory shall immediately discontinue the use of the STQC logo.

The digital copy of STQC Logo may be obtained from STQC HQrs. on request.


Annexure-I

Definitions

Software Developer: An organization that performs development activities during the software life cycle process.

Requester Requirements: An initial version of the evaluation requirements provided by the evaluation requesters.

Test Requirements: Description of the objectives of the testing, generally relating to the product’s intended use and associated risks.

Test Specification: Description of the scope of the testing and the measurement to be performed on the product submitted for testing and its various components.

Test Plan: A description of test actions required and resources needed to perform the specified evaluation, as well as the distribution of these resources across these actions.

Test Method: Specified technical procedures for performing a testing service, including:

• The specification of all the individual test cases of a test suite;

• The test tools (both hardware and software) used to run those test cases and the way in which those test tools are used;

• The procedures used to select and run the test cases;

• The procedures used to analyse the observations and state the result.

Means of Testing (MOT): Hardware/software, and the procedures for its use including the executable test suite itself, used to carry out the testing required.

Test Case: A set of inputs, execution preconditions and expected outcomes developed for a particular objective, such as to exercise a particular programme path or to verify compliance with a specific requirement.

Test Software: Software used in order to carry out or assist in carrying out the testing required.

Test Suite: A complete set of test cases that is necessary to achieve some testing objective.

Test Tool: Hardware and/or software, excluding the test tool itself, used to carry out or assist in carrying out the testing required.


Test Verdict (Verdict): A statement of “pass”, “fail” or “inconclusive”, specified in a test case, concerning conformance of the software under test with respect to that test case when it is executed.

Acceptance Testing: Formal testing conducted to determine whether or not a system satisfies acceptance criteria and to enable the customer to determine whether to accept the system [IEEE STD 610-12:1990].

Configuration Management: A discipline applying technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a configuration item, control changes to those characteristics, record and report change processing and implementation status, and verify compliance with specified requirements.

COTS (Commercial Off The Shelf) Software: Code that is purchased without modification and either cannot or will not be modified by the lab. An example of this would be Microsoft Word/Excel or a dedicated instrument interface.

Criticality or Severity: The degree of impact that a requirement, module, fault, error, failure, or other item has on the development or operation of a system.

Error or Fault: The difference between a computed, observed, or measured value or condition and the true, specified, or theoretically correct value or condition.

MOTS (Modified Off The Shelf) Software: COTS software that is configured or adapted to a specific application. Examples include Lab Windows, Lab Tech Notebook, Tile EMC, generic data acquisition software, Excel formulas, or MS Office macros, etc.

Product: Any COTS, MOTS, or custom software is considered a product.

Software Life Cycle (SLC): The period of time that begins when a software product is conceived and ends when the software is no longer available for use.

SUT (System Under Test): The software product or system undergoing testing by the laboratory.

System: A computing environment that contains both hardware and software. A collection of components organized to accomplish a specific function or set of functions.

Test Cases: A set of test inputs, execution conditions, and expected results developed for a particular objective, such as to exercise a particular program path or to verify compliance with a specific requirement.

Test Environment: An operating environment that emulates, as closely as possible, the target environment of the SUT. The test environment includes hardware, operating system, and any other software products running on the same machine.

Test Plan: A document that describes the technical and management approach to be followed for testing a system or component.

Test Specification: A document that specifies the test inputs, execution conditions, and predicted results for an item to be tested.

Test Suite: A collection of test cases to be executed as a logical group.

Test Tools: Software or hardware products that are used to facilitate the testing of the SUT.

Reference Implementation: An implementation of one or more standards or specifications, against which a means of testing or a test tool for those standards or specifications is tested for the purpose of validation of those means of testing and test tools. The term validated reference implementation is used if the reference implementation has been shown to be derived faithfully from (i.e. to be “traceable” back to) the relevant standards or specifications.


QAF-02-05-08

June 2010

Procedure for

Approval of an Independent Assessment Body

for eGovernance Conformity Assessment System

Government of India STQC Directorate

Department of Information Technology


Index Page No

1.0 Introduction 3

2.0 Scope of Approval Scheme 3

3.0 References 3

4.0 Target Audience 4

5.0 Operation of the Scheme 4

6.0 Route to Approval 4

7.0 Criteria for approval 9

8.0 Use of Logo 10

Annexure I: Conduct of Assessment by the Assessment Body for the clients of the certification body 11


Procedure for Approval of an independent Assessment Body

1.0 Introduction:

For assuring the quality of an eGovernance solution it is required to assess the conformity of the IT solution’s characteristics with the system requirements. These system requirements include management systems and processes. For assessing these management systems and processes there is a need to have professionally competent independent Assessment Bodies in the IT domain with a defined scope. This will enable an IT solution provider to demonstrate compliance of its solution with the requirements of the project / RFP by providing an assessment report from an approved body. It is a scheme promoted by STQC Directorate, Department of Information Technology. This scheme is based on the international standards ISO/IEC 17021:2006 (Conformity Assessment – Requirements for bodies providing audit and certification of management systems) and ISO/IEC 17020 (General criteria for the operation of various types of bodies performing inspection).

The scheme is intended to recognize the competence of assessment bodies so that, by using their services, management systems and processes can be assessed and evaluated for compliance with the requirements of the project. Under the scheme, after satisfactory completion of the evaluation, the assessment body is issued a ‘Certificate of Approval’ indicating conformance to the specified requirements of the applicable standards as specified in the scheme.

2.0 Scope of Approval Scheme

The scheme covers both private and public (Government) Assessment Bodies involved in:

i) Assessment of Information Security Management System (ISMS-ISO 27001)

ii) Assessment of Information Technology Service Management System (ITSM-ISO 20000-1)

iii) Assessment of Quality Management in Public Service Organization (IS 15700)

iv) Assessment of System & Software Life Cycle Processes (ISO 12207)

3.0 References:

ISO/IEC 17000, “Conformity assessment – Vocabulary and general principles”

ISO/IEC 17021:2006, “Conformity Assessment – Requirements for bodies providing audit and certification of management systems”

ISO/IEC 17020, “General criteria for the operation of various types of bodies performing inspection”

IEEE STD 610-12:1990, “IEEE Standard Glossary of Software Engineering Terminology”


4.0 Target Audience:

This document is addressed to the independent Assessment Bodies, Designated Management Representatives and other personnel responsible for implementing ISO/IEC 17021 and interested in obtaining approval for eGovernance conformity assessment purposes. This document is also to be used by the Approving Body and the management system auditors/assessors.

5.0 Operation of the Scheme

The Scheme is operated through an ‘Approving Body’ set up under STQC Directorate, Department of Information Technology, Government of India. The Approving Body is guided by an advisory board, which has representatives from various Government and non-Government organisations.

With a view of facilitating mutual recognition at International Level, the activities of Approving body are designed to comply with the requirements of International ISO/IEC and European Standards.

Assessment and Evaluation Personnel

For the purpose of evaluation, the Approving Body makes use of qualified assessors from both within and outside STQC Directorate.

Liability

The Certificate of Approval is normally a sound indicator that the assessment body has established a quality system as per the requirements of ISO/IEC 17021 and has demonstrated to the Approving Body the competence of the body to produce technically valid data and results. It should not, however, be taken as a sort of guarantee accorded by the Approving Body. The Approving Body will not be liable for any deficiency in the service supplied by the assessment body. However, in case of the assessment body’s failure to meet declared capability / contractual responsibilities / obligations, the affected party may approach the Approving Body for redressal.

Confidentiality

All information provided by an assessment body in connection with an enquiry or an application for approval, and all information obtained in connection with an assessment, is treated as confidential. Technical assessors, Approving Committee members and Governing Board members are bound to maintain confidentiality of information. The confidentiality clause is not valid in case of regulatory and legislative requirements.

6.0 Route to Approval

a) Pre- Approval Requirements

An Assessment Body interested in obtaining approval shall have an established quality system as per ISO/IEC 17021, with a Quality Manual and related documents & records available. The Assessment Body, based on its capability, shall define its proposed scope of approval with locations while applying to the Approving Body.

b) Steps to achieve Certification

Step I Preliminary Information

Upon enquiry at the STQC, organisation will be provided with all relevant information on the Scheme along with application Form.

Step II Application

Organisation should submit the application for Approval of their assessment body in the prescribed format, along with application fee as applicable. Each application shall be accompanied by Quality Manual indicating various policies and procedures and proposed scope of approval.

All applications are screened for completeness before acceptance and the Approving Body may seek or provide more information when necessary. After acceptance every application will be acknowledged and allotted a serial number, which must be quoted in all future correspondence.

Fees for Services: Applicable charges are levied as indicated in the “Schedule of Charges”. Specific information on charges can be obtained by contacting the Head (IT Centre) of any region or by visiting the STQC website www.stqc.nic.in

Step III Assessment process

Evaluation of Documentation

The Assessment Body’s Quality Manual is evaluated to ensure compliance with all applicable requirements. The Assessment Body will have to carry out the necessary corrections and amendments if there are any discrepancies or gap areas, since this documentation will form the basis for further assessment. The extent of documentation detail depends upon the scope of approval the Assessment Body is interested in.

Stage 1 Audit: Preliminary Assessment

After the adequacy of the documentation evaluation has been ensured, a preliminary visit shall be organized to confirm the organization’s readiness in terms of quality management implementation, processes established, adequacy and allocation of resources, and to confirm the scope of approval sought.

Stage 2 Audit: Main Assessment

The applicant shall demonstrate to the assessment team that:

• It meets the requirements of ISO/IEC 17021 or an equivalent national standard;

• It has conducted a minimum of 3 assessments demonstrating its competence in assessments;

• It is sufficiently free from external influences which would prevent it from acting in an impartial manner.

In performing the appraisal, account shall be taken of any comparable approvals granted by a recognized National/International Accreditation Body. The approval requirements are determined primarily by an on-site assessment of the assessment body's resources, procedures and documentation. The objective of an assessment is to establish whether the assessment body can completely perform the activities for which approval has been sought. The assessment team is required to investigate the operation of the assessment body against the criteria. The assessment team comprises a Lead Assessor and one or more specialist assessors. The Approving Body's Lead Assessor is also responsible for review of the Quality System. The size of the assessment team depends upon the areas that must be covered in the course of the assessment.

Assessments will generally take at least two man-days and may extend over a number of days depending on the range and complexity of the activities to be covered. Technical Assessors are chosen according to their specialist knowledge and are matched as closely as possible to the activities of the assessment body. Consideration is given to possible concerns about conflict of interest when selecting assessors.

A closing meeting is held at the conclusion of the assessment, at which the assessment findings are presented by the Lead Assessor. Generally, the DMR would be expected to attend the closing meeting along with relevant senior staff. The purpose of the closing meeting is to allow discussion of the findings of the assessment. Assessment bodies are strongly encouraged to clarify issues they consider may have been misunderstood by the assessment team and to seek clarification about the assessment findings. A report is handed over to the DMR for its concurrence. The report will include the findings of the assessment together with the scope of approval. Where necessary, the report will detail the action required by the assessment body to allow the approval to be recommended. In these cases the assessment body will be asked to provide the certification body with the necessary evidence that corrective and preventive actions have been taken.

Occasionally, a further visit by the assessment team may be required to close the non-conformities raised. There are a number of reasons for this, including concerns about the competence of the facility, the inability to assess certain aspects of the facility during the scheduled visit due to non-availability of key staff, or the need to review the effective implementation of the corrective action taken as a result of the assessment. The same procedure for assessment will be followed but may concentrate only on the areas found to be deficient. Charges will be levied for this visit as per the schedule of charges.

Post Recommendation Process

Granting Approval

The Approving Body (STQC) grants approval following a recommendation by the Approving Committee. This recommendation is made when the assessment body has met all the requirements for approval. The DMR is formally advised of the granting of the approval and issued with a Certificate of Approval containing the scope. The approval shall remain valid for 3 years.

Modification to Scope of Approval

An assessment body holding a valid Certificate of Approval may apply for modification of the scope of approval. The certification body may, at its discretion, decide either in favour of a re-assessment or a fresh application, as applicable.

Maintenance of Certificate of Approval

The Certificate of Approval will be followed by a surveillance visit every year, during which the relevant quality system and product or process requirements are audited to verify that all the processes are well maintained and continue to comply with the approval requirements. For the purpose of maintenance of the Certificate of Approval, the assessment body is required to remit an annual fee as outlined in the schedule of charges.

Renewal of Certificate of Approval

The Certificate of Approval is valid for a period of three years. The Approving Body may, at its discretion, decide on renewal of the Certificate of Approval based on the surveillance reports of the current validity period. The applicable charges for renewal of the Certificate of Approval are given in the schedule of charges.

Suspension of Certificate of Approval

Approval may be suspended for a limited period at the discretion of the certification body under the following circumstances:

If surveillance indicates minor discrepancies against the relevant certification requirements and the same are not cleared even after the lapse of the initial time period given for corrective action.

If the surveillance indicates major non-conformance to the certification requirements.

If improper use of Certificate of Approval is not rectified to the satisfaction of Approving Body.

If there has been any other contravention of the applicable requirements or rules and procedure of the scheme.

Upon fulfillment of the conditions indicated in the suspension notice within the specified period, the suspension will be revoked.

Withdrawal / Cancellation of Approval

Withdrawal of the Certificate of Approval and of the authorization to use the certification logo, and cancellation of approval, will be resorted to under the following circumstances:

• If the assessment body under suspension fails to rectify the non-conformance within the specified period.
• If the assessment body either will not or cannot ensure conformance to the rules and procedures of the Approving Body.
• Failure to meet the financial obligations to the Approving Body.
• At the formal request of the assessment body.
• Any other serious contravention of the applicable requirements of the rules of procedure of the scheme.

Appeals

Under the Scheme, there is a provision for applicants or assessment bodies to appeal against any decision relating to grant, suspension, cancellation or withdrawal of the Certificate of Approval. In the event of an applicant or assessment body wishing to appeal, it shall lodge a notice of appeal with the Chairman, Governing Board within two weeks of the decision that it deems to be incorrect. In response to this, the organisation will receive a detailed statement indicating the basis for the decision in question. If the applicant still wishes to pursue the appeal, it shall forward to the Chairman, Governing Board, within four weeks, a statement giving its case for going ahead with the appeal, along with the applicable charges as indicated in the Schedule of Charges. After this, a three-member committee, two of whom shall be acceptable to each party to the dispute, will be constituted. The appellant may appear in person or nominate representative(s) to appear on its behalf before the date of hearing. It is required to submit all written evidence at least one week before the date of hearing. The decision of the Chairman, Advisory Board shall be final and binding on both parties.

Obligations of the Organization

An organization holding a valid Certificate of Approval shall:

a) Comply in all respects with the applicable requirements.

b) Not claim or imply that its Information Security Management System, IT Service Management System, Quality Management System and Services are certified or approved.

c) Not make any major change to the quality manual which formed the basis for the grant or continuation of registration and which would prevent compliance with the requirements.

d) Document all changes made to the Quality Manual and make available records of such changes to the Approving Body;

e) Notify the Approving Body of any change in the name or ownership of the assessment body, key personnel in relation to management and technical functions or Senior Management and any significant change in the function of the assessment body.

f) Give access to the assessment team appointed by the Approving Body for the purpose of assessment or surveillance;

g) Keep records of all complaints and corresponding remedial measures related to the quality system;

h) upon suspension or cancellation/withdrawal of Certification of Approval, discontinue use of Certificate of Approval and logo in all advertising material and other matters which contain any reference thereto; and

i) Pay all financial dues to Approving Body as prescribed.

The assessment body is not entitled to any refund of charges paid or costs incurred in the event of non-renewal, suspension, withdrawal, cancellation or modification of the certificate of registration.

7.0 Criteria for approval:

The general requirements for approval of assessment/auditing bodies are described in ISO/IEC 17021:2006 (Conformity Assessment - Requirements for bodies providing audit and certification of management systems). These requirements are designed to apply to all types of assessment/auditing bodies and therefore need to be interpreted with respect to the audits required for eGovernance Projects. The contents of ISO/IEC 17021 which form the basis of the acceptance criteria for assessment/audit bodies are reproduced below:

Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
4.1 General
4.2 Impartiality
4.3 Competence
4.4 Responsibility
4.5 Openness
4.6 Confidentiality
4.7 Responsiveness to complaints
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.3 Liability and financing
6 Structural requirements
6.1 Organisational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
7.2 Personnel involved in the assessment activities
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
8.2 Assessment documents
8.3 Directory of certified clients
8.4 Reference to certification and use of marks - not applicable
8.5 Confidentiality
8.6 Information exchange between an assessment body and its clients
9 Process requirements
9.1 General requirements
9.2 Initial audit
9.3 Surveillance activities
9.4 Recertification - not applicable
9.5 Special audits
9.6 Suspending, withdrawing or reducing the scope of certification - not applicable
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1: Management system requirements in accordance with ISO 9001
Option 2: General management system requirements

8.0 Guidelines for use of STQC Logo

All STQC approved assessment bodies shall use the STQC logo on their letterhead, assessment reports and any other relevant documents. The logo shall be used for the purpose of identifying correctly and unambiguously the services approved by STQC.

While using the logo, the assessment body shall ensure that the design and its manifestations are not distorted; the logo may be reproduced in any single colour (preferably black) and at any size, provided the aspect ratio is maintained.

It shall be the responsibility of the approved assessment body to ensure that the use of the logo does not misrepresent the scope of approved services. Where the approval sought and granted does not cover all the activities of the assessment body's services, care should be exercised to restrict the use of the logo to those approved activities only.

In case of complaints in this regard from users and other organizations, or use of the STQC logo and approval in such a manner as to bring STQC into disrepute or as may reasonably be considered misleading by any person or organization, STQC reserves the right to initiate appropriate action.

In the event of the assessment body being placed in the abeyance, suspension or forced withdrawal category, the assessment body shall immediately discontinue the use of the STQC logo.

A digital copy of the STQC logo may be obtained from STQC HQrs. on request.


Annexure I

Conduct of Assessment by the Assessment Body for the clients of the approving/certification body

It is envisaged in the scheme that the Approving Body (STQC) will approve the Assessment Body, which is independent, for carrying out assessments on behalf of the Approving Body for the defined scope. The assessment body shall use only the certification body (STQC) supplied procedures and formats. Though the words audit and assessment are used interchangeably, for the purpose of this document the word audit is used for auditing the assessment body, and assessment for the assessments carried out by the assessment body for the clients of the Approving Body. The following roles and responsibilities shall be established for an assessment:

a) Lead Assessor
b) Assessors
c) Assessed organization (client of the certification body)

1. Lead Assessor

The Lead Assessor shall be responsible for the assessment. This responsibility includes administrative tasks pertaining to the assessment, and ensuring that the assessment is conducted in an orderly manner and meets its objectives. The responsibilities of the Lead Assessor include:

i) Preparing the assessment plan
ii) Managing the assessment team
iii) Making decisions regarding the conduct of the assessment
iv) Making decisions regarding any assessment observations
v) Preparing the assessment report
vi) Reporting on the inability or apparent inability of any of the individuals involved in the assessment to fulfil their responsibilities
vii) Reporting any discrepancies, non-conformities or inconsistencies, supported by verifiable objective evidence

The Lead Assessor shall be free from bias and influence that could reduce his ability to make independent, objective evaluations.

2. Assessor

The Assessors shall examine artifacts and records, as defined in the assessment plan. They shall document their observations, supported with verifiable evidence. All Assessors shall be free from bias and influences that could reduce their ability to make independent, objective evaluations, or shall identify their bias and proceed with acceptance from the initiator.


Assessee organization (client of the Approving Body)

The Assessee organization shall be responsible for the following activities:

a) Decide upon the need for an Assessment
b) Decide upon the purpose and scope of the Assessment
c) Concur on the assessment team nominated by the certification body
d) Review the assessment report
e) Decide what follow-up action will be required
f) Distribute the assessment report within the organization

The Assessee organization shall provide a liaison to the auditors and all information requested by the assessors. When the audit is completed, the Assessee organization should implement corrective actions and recommendations.

3. Inputs for the audit

Inputs to the Assessment shall be listed in the Assessment plan and shall include the following:

a) Purpose and scope of the Assessment
b) Background information about the Assessee organization
c) Procedures, processes and records to be assessed
d) Evaluation criteria, including applicable regulations, standards, guidelines, plans and procedures to be used for the Assessment
e) Definitions: for example, "acceptable", "needs improvement", "unacceptable", "Major Non-conformity", "Minor Non-conformity"
f) Records of previous similar assessments

4. Entry criteria

Authorisation

An Assessee organization decides upon the need for an Assessment. This decision may be prompted by a routine event, such as the arrival at a project milestone, or a non-routine event, such as the suspicion or discovery of a major non-conformance.

The need for an Assessment may be established by one or more of the following events:

a) The Assessee organization decides to verify compliance with the applicable regulations, standards, guidelines, plans and procedures (this decision may have been made when planning the project).

b) The customer organization decides to verify compliance with applicable regulations, standards, guidelines, plans and procedures.

c) A third party such as a regulatory agency or assessment body, decides upon the need to Assess the supplier organization to verify compliance with applicable regulations, standards, guidelines, plans and procedures.


In every case, the Assessee organization shall authorize the Assessment.

5. Preconditions

An Assessment shall be conducted only when all of the following conditions have been met:

a) The Assessment has been authorized by an appropriate authority
b) A statement of objectives of the Assessment is established
c) The required Assessment inputs are available

6. Procedures

i) Management preparation for conducting the Assessment

Managers shall ensure that the Assessment is performed as required by applicable standards and procedures and by requirements mandated by law, contract or other policy. To this end, managers shall:

a) Plan the time and resources required for the Assessment, including support functions
b) Provide the resources and facilities required to plan, define, execute and manage the Assessment
c) Provide training and orientation on the Assessment procedures applicable to a given project
d) Ensure appropriate levels of expertise and knowledge sufficient to comprehend the Assessment
e) Ensure that planned Assessments are conducted
f) Act on Assessment team recommendations in a timely manner

ii) Planning the Assessment

The Assessment plan shall describe the:

a) Purpose and scope of the Assessment
b) Assessed organization, including location and management
c) Evaluation criteria, including applicable regulations, standards, guidelines, plans and procedures to be used for evaluation
d) Assessors' responsibilities
e) Examination activities (for example, interview staff, read and evaluate documents, observe tests)
f) Assessment activity resource requirements
g) Assessment activity schedule
h) Requirements for confidentiality
i) Checklists
j) Report formats
k) Report distribution
l) Required follow-up activities

Where sampling is used, a statistically valid sampling method shall be used to establish selection criteria and sample size.

The Assessment plan shall be agreed by the Assessee organization. The Assessment plan should allow for changes based on information gathered during the Assessment, subject to approval by the Assessee organization.


iii) Opening meeting

An opening meeting between the Assessment team and the assessed organization shall occur at the beginning of the examination phase of the Assessment. The opening meeting agenda shall include:

a) Purpose and scope of the Assessment
b) Assessment procedures and outputs
c) Expected contributions of the assessed organization to the Assessment
d) Assessment schedule
e) Access to facilities, information and documents required

iv) Preparation

The certification body shall notify the Assessee organization's management in writing before the Assessment is performed, except for unannounced audits. The notification shall define the purpose and scope of the audit, identify what will be audited, identify the auditors, and identify the Assessment schedule. The purpose of the notification is to enable the Assessee organization to ensure that the people and material to be examined in the Assessment are available.

Assessors shall prepare for the Assessment by studying the:

a) Assessment plan
b) Assessee organization
c) Processes and procedures to be audited
d) Applicable regulations, standards, guidelines, plans and procedures to be used for evaluation
e) Evaluation criteria

In addition, the Lead Assessor shall make the necessary arrangements for:

f) Team orientation and training for STQC supplied procedures, forms and formats
g) Facilities for Assessment interviews
h) Materials, documents and tools required by the Assessment procedures
i) Assessment process activities

v) Assessment process activities

The Assessment process shall consist of evidence collection and analysis with respect to the Assessment criteria, a closing meeting between the auditors and the assessed organization, and preparation of a report.

vi) Evidence collection

The auditors shall collect evidence of conformance and non-conformance by interviewing Assessee organization staff, examining documents and witnessing processes. The auditors should attempt all the examination activities defined in the Assessment plan. They shall undertake additional investigative activities if they consider such activities necessary to determine the full extent of conformance or non-conformance.

Auditors shall document all observations of non-conformance and exemplary conformance. An observation is a statement of fact made during an Assessment that is substantiated by objective evidence. Examples of non-conformance are:

a) Applicable regulations, standards, guidelines, plans and procedures not used at all
b) Applicable regulations, standards, guidelines, plans and procedures not used correctly

Observations should be categorized as major or minor. An observation should be classified as major if the non-conformity will likely have a significant effect on process quality, cost or schedule.

All observations shall be verified by discussion with the assessed organization before the closing Assessment meeting.

vii) Closing Meeting

The Lead Auditor shall convene a closing meeting with the audited organisation's management. The closing meeting should review:

a) Actual extent of implementation of the Assessment plan
b) Problems experienced in implementing the Assessment plan, if any
c) Observations made by the assessors
d) Preliminary conclusions of the assessors
e) Preliminary recommendations of the assessors
f) Overall audit assessment

Comments and issues raised by the Assessed organization should be resolved. Agreements should be reached during the closing Assessment meeting and must be completed before the Assessment report is finalized.

viii) Reporting

The Lead Auditor shall prepare the Assessment report. The Assessment report should be prepared as soon as possible after the Assessment. Any communication between the assessors and the assessed organization made between the closing meeting and the issue of the report should pass through the Lead Assessor.

The Lead Assessor shall send the Assessment report to the Assessee organization. The Assessee organization should distribute the Assessment report within the assessed organization.

7. Output

The output of the assessment is the Assessment report. The Assessment report shall contain the:

a) Purpose and scope of the Assessment
b) Assessed organization, including location, liaison staff and management
c) Identification of the procedures and processes audited
d) Applicable regulations, standards, guidelines, plans and procedures used for evaluation
e) Evaluation criteria
f) Summary of the assessed organization
g) Summary of examination activities
h) Summary of the planned examination activities not performed
i) Observation list, classified as major or minor

8. Follow-up

The Assessee organization is responsible for:

a) Determining what corrective action is required to remove or prevent a non-conformity
b) Initiating the corrective action

9. Exit criteria

An Assessment shall be considered complete when:

a) The Assessment report has been submitted to the assessed organization
b) All of the assessed organisation's follow-up corrective and preventive actions included in the scope of the audit have been performed, reviewed and approved, and closed by the certification body


L:\Checklists\ – General Checklist: ISO/IEC 17025 Laboratory Approval Program (2/5/10) Page 1 of 69

QAF-02-05-11

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

Approval Criteria (Check List) of Independent Testing Laboratory

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology,

Electronics Niketan, 6 CGO Complex, Lodi Road, New Delhi – 110003


GENERAL CHECKLIST ISO/IEC 17025 LABORATORY APPROVAL PROGRAM

(Includes STQC Advertising Policy, STQC Measurement Traceability Policy, And STQC Proficiency Testing requirements)

This checklist is intended for use in association with STQC assessments, and is not to be publicly distributed. Use of this document is restricted to STQC employees, contractors, and applicant and approved laboratories. Any other use of this document is prohibited.

The following pages present the criteria from ISO/IEC 17025:2005, "General requirements for the competence of testing and calibration laboratories", in a checklist format, including the full text of the relevant sections of the standard. Revisions resulting from the 2005 version of the standard are in bold italics. Additional requirements from Reference to STQC Approval Status - STQC Advertising Policy and STQC Policy on Measurement Traceability are included at the end of this checklist. The laboratory's policies and procedures must meet these requirements. Requirements that include the need for a written policy, procedure or arrangement are shaded.

Laboratory Instructions: This checklist must be completed and submitted as part of the application for Approval in order to help both the laboratory and the assessor(s) prepare for the assessment. Correct completion of this checklist may save a significant amount of assessment time and cost. Complete the document reference identifiers in the checklist's second column (labeled "Reference") for all shaded requirements. The appropriate "reference" must identify the document (quality manual, laboratory manual, SOPs, etc.) and include a "locator" to facilitate identification of the appropriate portion(s) of the relevant document (page number, section number, etc.). The quality system documentation and supporting records must be available for the assessor's review.

Assessor Instructions: Review the laboratory's documented management system to verify compliance with the applicable 17025 documentation requirements. Assess to verify that the documented management system is indeed implemented as described. Place a tick mark in the yes (Y), no (N), or not applicable (NA) space for each checklist item. Please note that the N/A block has been removed for those clauses that are always applicable for all types of laboratories, both commercial and captive. Record comments related to any requirement in the space provided. Record comments related to tests on separate sheets and/or on the method review matrix. All deficiencies must be identified and explained in the assessor deficiency report. Assess the laboratory's technical competence to perform specific tests or specific types of tests.

IMPORTANT NOTE: An asterisk (*) in the comments section indicates that the assessor must document the specific traceable objective evidence reviewed in association with that requirement. Objective evidence information is mandatory for those clauses.

Laboratory Name:_________________________________________________________________________

City: ___________________________________________________ State: ________________________

Personnel Information (Names, Titles, and Responsibilities): Technical Management: ____________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

Quality Manager (QM): ___________________________________________________________________

Deputy QM: ___________________________________________________________________________


General Checklist: ISO/IEC 17025 Laboratory Approval Program Type of Assessment (please indicate):

Full Assessment

Surveillance Assessment

To the best of my knowledge, all laboratory document references below as well as actual laboratory practice have been assessed for compliance with the relevant clauses of ISO/IEC 17025 and General Requirements: Approval of ISO/IEC 17025 Laboratories. I hereby attest that all ‘Yes’ marked compliance clauses, whether initialed or not, meet the aforementioned requirements. Any areas of noncompliance have been fully described in the Assessor Deficiency Report. STQC Assessor Signature: ____________________________________________ Date: _____________________

Column headings (repeated on each page of the checklist): Requirement | Reference | {RESERVED FOR ASSESSORS ONLY}: Compliance (Y / N / NA) | Comments

4. MANAGEMENT REQUIREMENTS

4.1 Organization

4.1.1 The laboratory or the organization of which it is part shall be an entity that can be held legally responsible.

4.1.2 It is the responsibility of the laboratory to carry out its testing and calibration activities in such a way as to meet the requirements of this International Standard and to satisfy the needs of the customer, the regulatory authorities or organizations providing recognition.


4.1.3 The management system shall cover work carried out in the laboratory's permanent facilities, at sites away from its permanent facilities, or in associated temporary or mobile facilities.

4.1.4 If the laboratory is part of an organization performing activities other than testing and/or calibration, the responsibilities of key personnel in the organization that have an involvement or influence on the testing and/or calibration activities of the laboratory shall be defined in order to identify potential conflicts of interest.

4.1.5 The laboratory shall

a) have managerial and technical personnel who, irrespective of other responsibilities, have the authority and resources needed to carry out their duties, including the implementation, maintenance and improvement of the management system, and to identify the occurrence of departures from the management system or from the procedures for performing tests and/or calibrations, and to initiate actions to prevent or minimize such departures (see also 5.2);

b) have arrangements to ensure that its management and personnel are free from any undue internal and external commercial, financial and other pressures and influences that may adversely affect the quality of their work;


c) have policies and procedures to ensure the protection of its customers’ confidential information and proprietary rights, including procedures for protecting the electronic storage and transmission of results;

d) have policies and procedures to avoid involvement in any activities that would diminish confidence in its competence, impartiality, judgement or operational integrity;

e) define the organization and management structure of the laboratory, its place in any parent organization, and the relationships between quality management, technical operations and support services;

f) specify the responsibility, authority and interrelationships of all personnel who manage, perform or verify work affecting the quality of the tests and/or calibrations;

g) provide adequate supervision of testing and calibration staff, including trainees, by persons familiar with methods and procedures, purpose of each test and/or calibration, and with the assessment of the test or calibration results;

h) have technical management which has overall responsibility for the technical operations and the provision of the resources needed to ensure the required quality of laboratory operations;


i) appoint a member of staff as quality manager (however named) who, irrespective of other duties and responsibilities, shall have defined responsibility and authority for ensuring that the management system related to quality is implemented and followed at all times;

the quality manager shall have direct access to the highest level of management at which decisions are made on laboratory policy or resources;

j) appoint deputies for key managerial personnel (see note).

k) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the objectives of the management system.

4.1.6 Top management shall ensure that appropriate communication processes are established within the laboratory and that communication takes place regarding the effectiveness of the management system.

4.2 Management system

4.2.1 The laboratory shall establish, implement and maintain a management system appropriate to the scope of its activities. The laboratory shall document its policies, systems, programs, procedures and instructions to the extent necessary to assure the quality of the test and/or calibration results.


The system's documentation shall be communicated to, understood by, available to, and implemented by the appropriate personnel.

4.2.2 The laboratory's management system policies related to quality, including a quality policy statement, shall be defined in a quality manual (however named).

The overall objectives shall be established, and reviewed during management review. The quality policy statement shall be issued under the authority of top management. It shall include at least the following:

a) the laboratory management's commitment to good professional practice and to the quality of its testing and calibration in servicing its customers;

b) the management's statement of the laboratory's standard of service;

c) the purpose of the management system related to quality;

d) a requirement that all personnel concerned with testing and calibration activities within the laboratory familiarize themselves with the quality documentation and implement the policies and procedures in their work; and

e) the laboratory management's commitment to comply with this International Standard and to continually improve the effectiveness of management system.


4.2.3 Top management shall provide evidence of commitment to the development and implementation of the management system and continually improving its effectiveness.

*

4.2.4 Top management shall communicate to the organization the importance of meeting customer as well as statutory and regulatory requirements.

4.2.5 The quality manual shall include or make reference to the supporting procedures including technical procedures. It shall outline the structure of the documentation used in the management system.

4.2.6 The roles and responsibilities of technical management and the quality manager, including their responsibility for ensuring compliance with this International Standard, shall be defined in the quality manual.

4.2.7 Top management shall ensure the integrity of the management system is maintained when changes to the management system are planned and implemented.


4.3 Document control

4.3.1 General

The laboratory shall establish and maintain procedures to control all documents that form part of its management system (internally generated or from external sources), such as regulations, standards, other normative documents, test and/or calibration methods, as well as drawings, software, specifications, instructions and manuals.

4.3.2 Document approval and issue

4.3.2.1 All documents issued to personnel in the laboratory as part of the management system shall be reviewed and approved for use by authorized personnel prior to issue.

A master list or an equivalent document control procedure identifying the current revision status and distribution of documents in the management system shall be established and be readily available to preclude the use of invalid and/or obsolete documents.

4.3.2.2 The procedure(s) adopted shall ensure that:

a) authorized editions of appropriate documents are available at all locations where operations essential to the effective functioning of the laboratory are performed;

b) documents are periodically reviewed and, where necessary, revised to ensure continuing suitability and compliance with applicable requirements;


c) invalid or obsolete documents are promptly removed from all points of issue or use, or otherwise assured against unintended use;

d) obsolete documents retained for either legal or knowledge preservation purposes are suitably marked.

4.3.2.3 Management system documents generated by the laboratory shall be uniquely identified. Such identification shall include the date of issue and/or revision identification, page numbering, the total number of pages or a mark to signify the end of the document, and the issuing authority(ies).

4.3.3 Document changes

4.3.3.1 Changes to documents shall be reviewed and approved by the same function that performed the original review unless specifically designated otherwise. The designated personnel shall have access to pertinent background information upon which to base their review and approval.

4.3.3.2 Where practicable, the altered or new text shall be identified in the document or the appropriate attachments.

4.3.3.3 If the laboratory's document control system allows for the amendment of documents by hand pending the re-issue of the documents, the procedures and authorities for such amendments shall be defined.


Amendments shall be clearly marked, initialed and dated. A revised document shall be formally re-issued as soon as practicable.

4.3.3.4 Procedures shall be established to describe how changes in documents maintained in computerized systems are made and controlled.

4.4 Review of requests, tenders and contracts

4.4.1 The laboratory shall establish and maintain procedures for the review of requests, tenders and contracts. The policies and procedures for these reviews leading to a contract for testing and/or calibration shall ensure that:

a) the requirements, including the methods to be used, are adequately defined, documented and understood (see 5.4.2);

b) the laboratory has the capability and resources to meet the requirements;

c) the appropriate test and/or calibration method is selected and capable of meeting the customers’ requirements (see 5.4.2).

Any differences between the request or tender and the contract shall be resolved before any work commences. Each contract shall be acceptable both to the laboratory and the customer.


4.4.2 Records of reviews, including any significant changes, shall be maintained. Records shall also be maintained of pertinent discussions with a customer relating to the customer’s requirements or the results of the work during the period of execution of the contract.

*

4.4.3 The review shall also cover any work that is subcontracted by the laboratory.

4.4.4 The customer shall be informed of any deviation from the contract.

4.4.5 If a contract needs to be amended after work has commenced, the same contract review process shall be repeated and any amendments shall be communicated to all affected personnel.

4.5 Subcontracting of tests and calibrations

4.5.1 When a laboratory subcontracts work whether because of unforeseen reasons (e.g. workload, need for further expertise or temporary incapacity) or on a continuing basis (e.g. through permanent subcontracting, agency or franchising arrangements), this work shall be placed with a competent subcontractor. A competent subcontractor is one that, for example, complies with this International Standard for the work in question.

4.5.2 The laboratory shall advise the customer of the arrangement in writing and, when appropriate, gain the approval of the customer, preferably in writing.


4.5.3 The laboratory is responsible to the customer for the subcontractor's work, except in the case where the customer or a regulatory authority specifies which subcontractor is to be used.

4.5.4 The laboratory shall maintain a register of all subcontractors that it uses for tests and/or calibrations and a record of the evidence of compliance with this International Standard for the work in question.

4.6 Purchasing services and supplies

4.6.1 The laboratory shall have a policy and procedure(s) for the selection and purchasing of services and supplies it uses that affect the quality of the tests and/or calibrations.

Procedures shall exist for the purchase, reception and storage of reagents and laboratory consumable materials relevant for the tests and calibrations.

4.6.2 The laboratory shall ensure that purchased supplies and reagents and consumable materials that affect the quality of tests and/or calibrations are not used until they have been inspected or otherwise verified as complying with standard specifications or requirements defined in the methods for the tests and/or calibrations concerned. These services and supplies used shall comply with specified requirements.

Records of actions taken to check compliance shall be maintained.

*


4.6.3 Purchasing documents for items affecting the quality of laboratory output shall contain data describing the services and supplies ordered. These purchasing documents shall be reviewed and approved for technical content prior to release.

*

4.6.4 The laboratory shall evaluate suppliers of critical consumables, supplies and services which affect the quality of testing and calibration, and shall maintain records of these evaluations and list those approved.

*

4.7 Service to the customer

4.7.1 The laboratory shall be willing to cooperate with customers or their representatives in clarifying the customer’s request and in monitoring the laboratory's performance in relation to the work performed, provided that the laboratory ensures confidentiality to other customers.

4.7.2 The laboratory shall seek feedback, both positive and negative, from its customers. The feedback shall be used and analyzed to improve the management system, testing and calibration activities and customer service.

*

4.8 Complaints

The laboratory shall have a policy and procedure for the resolution of complaints received from customers or other parties. Records shall be maintained of all complaints and of the investigations and corrective actions taken by the laboratory (see also 4.11).

*


4.9 Control of nonconforming testing and/or calibration work

4.9.1 The laboratory shall have a policy and procedures that shall be implemented when any aspect of its testing and/or calibration work, or the results of this work, do not conform to its own procedures or the agreed requirements of the customer. The policy and procedures shall ensure that:

a) the responsibilities and authorities for the management of nonconforming work are designated and actions (including halting of work and withholding of test reports and calibration certificates, as necessary) are defined and taken when nonconforming work is identified;

b) an evaluation of the significance of the nonconforming work is made;

c) correction is taken immediately, together with any decision about the acceptability of the nonconforming work;

d) where necessary, the customer is notified and work is recalled;

e) the responsibility for authorizing the resumption of work is defined.

4.9.2 Where the evaluation indicates that the nonconforming work could recur or that there is doubt about the compliance of the laboratory's operations with its own policies and procedures, the corrective action procedures given in 4.11 shall be promptly followed.


4.10 Improvement

The laboratory shall continually improve the effectiveness of its management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.

4.11 Corrective action

4.11.1 General

The laboratory shall establish a policy and a procedure and shall designate appropriate authorities for implementing corrective action when nonconforming work or departures from the policies and procedures in the management system or technical operations have been identified.

4.11.2 Cause analysis

The procedure for corrective action shall start with an investigation to determine the root cause(s) of the problem.

4.11.3 Selection and implementation of corrective actions

Where corrective action is needed, the laboratory shall identify potential corrective actions. It shall select and implement the action(s) most likely to eliminate the problem and to prevent recurrence.

Corrective actions shall be to a degree appropriate to the magnitude and the risk of the problem.

The laboratory shall document and implement any required changes resulting from corrective action investigations.


4.11.4 Monitoring of corrective actions

The laboratory shall monitor the results to ensure that the corrective actions taken have been effective.

4.11.5 Additional audits

Where the identification of nonconformities or departures casts doubts on the laboratory's compliance with its own policies and procedures, or on its compliance with this International Standard, the laboratory shall ensure that the appropriate areas of activity are audited in accordance with 4.14 as soon as possible.

4.12 Preventive action

4.12.1 Needed improvements and potential sources of nonconformities, either technical or concerning the management system, shall be identified.

When improvement opportunities are identified or if preventive action is required, action plans shall be developed, implemented and monitored to reduce the likelihood of the occurrence of such nonconformities and to take advantage of the opportunities for improvement.

4.12.2 Procedures for preventive actions shall include the initiation of such actions and application of controls to ensure that they are effective.

4.13 Control of records

4.13.1 General


4.13.1.1 The laboratory shall establish and maintain procedures for identification, collection, indexing, access, filing, storage, maintenance and disposal of quality and technical records. Quality records shall include reports from internal audits and management reviews as well as records of corrective and preventive actions.

4.13.1.2 All records shall be legible and shall be stored and retained in such a way that they are readily retrievable in facilities that provide a suitable environment to prevent damage or deterioration and to prevent loss.

Retention times of records shall be established.

4.13.1.3 All records shall be held secure and in confidence.

4.13.1.4 The laboratory shall have procedures to protect and back-up records stored electronically and to prevent unauthorized access to or amendment of these records.

4.13.2 Technical records

4.13.2.1 The laboratory shall retain records of original observations, derived data and sufficient information to establish an audit trail, calibration records, staff records and a copy of each test report or calibration certificate issued, for a defined period.


The records for each test or calibration shall contain sufficient information to facilitate, if possible, identification of factors affecting the uncertainty and to enable the test or calibration to be repeated under conditions as close as possible to the original.

The records shall include the identity of personnel responsible for the sampling, performance of each test and/or calibration and checking of results.

4.13.2.2 Observations, data and calculations shall be recorded at the time they are made and shall be identifiable to the specific task.

4.13.2.3 When mistakes occur in records, each mistake shall be crossed out, not erased, made illegible or deleted, and the correct value entered alongside. All such alterations to records shall be signed or initialed by the person making the correction.

In the case of records stored electronically, equivalent measures shall be taken to avoid loss or change of original data.

4.14 Internal audits

4.14.1 The laboratory shall periodically, and in accordance with a predetermined schedule and procedure, conduct internal audits of its activities to verify that its operations continue to comply with the requirements of the management system and this International Standard.


The internal audit program shall address all elements of the management system, including the testing and/or calibration activities.

It is the responsibility of the quality manager to plan and organize audits as required by the schedule and requested by management.

Such audits shall be carried out by trained and qualified personnel who are, wherever resources permit, independent of the activity to be audited.

4.14.2 When audit findings cast doubt on the effectiveness of the operations or on the correctness or validity of the laboratory's test or calibration results, the laboratory shall take timely corrective action, and shall notify customers in writing if investigations show that the laboratory results may have been affected.

4.14.3 The area of activity audited, the audit findings and corrective actions that arise from them shall be recorded.

*

4.14.4 Follow-up audit activities shall verify and record the implementation and effectiveness of the corrective action taken.

4.15 Management review


4.15.1 In accordance with a predetermined schedule and procedure, the laboratory's top management shall periodically conduct a review of the laboratory's management system and testing and/or calibration activities to ensure their continuing suitability and effectiveness, and to introduce necessary changes or improvements. The review shall take account of:

the suitability of policies and procedures;

reports from managerial and supervisory personnel;

the outcome of recent internal audits;

corrective and preventive actions;

assessments by external bodies;

the results of inter-laboratory comparisons or proficiency tests;

changes in the volume and type of the work;

customer feedback;

complaints;

recommendations for improvement;

other relevant factors, such as quality control activities, resources and staff training.


4.15.2 Findings from management reviews and the actions that arise from them shall be recorded.

*

The management shall ensure that those actions are carried out within an appropriate and agreed timescale.

5 Technical requirements

5.1 General

5.1.1 Many factors determine the correctness and reliability of the tests and/or calibrations performed by a laboratory. These factors include contributions from:

- human factors (5.2);
- accommodation and environmental conditions (5.3);
- test and calibration methods and method validation (5.4);
- equipment (5.5);
- measurement traceability (5.6);
- sampling (5.7);
- the handling of test and calibration items (5.8).


5.1.2 The extent to which the factors contribute to the total uncertainty of measurement differs considerably between (types of) tests and between (types of) calibrations. The laboratory shall take account of these factors in developing test and calibration methods and procedures, in the training and qualification of personnel, and in the selection and calibration of the equipment it uses.

5.2 Personnel

5.2.1 The laboratory management shall ensure the competence of all who operate specific equipment, perform tests and/or calibrations, evaluate results, and sign test reports and calibration certificates.

When using staff who are undergoing training, appropriate supervision shall be provided.

Personnel performing specific tasks shall be qualified on the basis of appropriate education, training, experience and/or demonstrated skills, as required.

5.2.2 The management of the laboratory shall formulate the goals with respect to the education, training and skills of the laboratory personnel.

The laboratory shall have a policy and procedures for identifying training needs and providing training of personnel. The training program shall be relevant to the present and anticipated tasks of the laboratory.


The effectiveness of the training actions taken shall be evaluated.

5.2.3 The laboratory shall use personnel who are employed by, or under contract to, the laboratory. Where contracted and additional technical and key support personnel are used, the laboratory shall ensure that such personnel are supervised and competent and that they work in accordance with the laboratory's management system.

5.2.4 The laboratory shall maintain current job descriptions for managerial, technical and key support personnel involved in tests and/or calibrations.

5.2.5 The management shall authorize specific personnel to perform particular types of sampling, test and/or calibration, to issue test reports and calibration certificates, to give opinions and interpretations and to operate particular types of equipment.

The laboratory shall maintain records of the relevant authorization(s), competence, educational and professional qualifications, training, skills and experience of all technical personnel, including contracted personnel. This information shall be readily available and shall include the date on which authorization and/or competence is confirmed.

5.3 Accommodation and environmental conditions

5.3.1 Laboratory facilities for testing and/or calibration, including but not limited to energy sources, lighting and environmental conditions, shall be such as to facilitate correct performance of the tests and/or calibrations.

The laboratory shall ensure that the environmental conditions do not invalidate the results or adversely affect the required quality of any measurement. Particular care shall be taken when sampling and tests and/or calibrations are undertaken at sites other than a permanent laboratory facility.

The technical requirements for accommodation and environmental conditions that can affect the results of tests and calibrations shall be documented.

5.3.2 The laboratory shall monitor, control and record environmental conditions as required by the relevant specifications, methods and procedures or where they influence the quality of the results. Due attention shall be paid, for example, to biological sterility, dust, electromagnetic disturbances, radiation, humidity, electrical supply, temperature, and sound and vibration levels, as appropriate to the technical activities concerned.

Tests and calibrations shall be stopped when the environmental conditions jeopardize the results of the tests and/or calibrations.

5.3.3 There shall be effective separation between neighboring areas in which there are incompatible activities. Measures shall be taken to prevent cross-contamination.

5.3.4 Access to and use of areas affecting the quality of the tests and/or calibrations shall be controlled. The laboratory shall determine the extent of control based on its particular circumstances.

5.3.5 Measures shall be taken to ensure good housekeeping in the laboratory. Special procedures shall be prepared where necessary.

5.4 Test and calibration methods and method validation

5.4.1 General

The laboratory shall use appropriate methods and procedures for all tests and/or calibrations within its scope. These include sampling, handling, transport, storage and preparation of items to be tested and/or calibrated, and, where appropriate, an estimation of the measurement uncertainty as well as statistical techniques for analysis of test and/or calibration data.

The laboratory shall have instructions on the use and operation of all relevant equipment, and on the handling and preparation of items for testing and/or calibration, or both, where the absence of such instructions could jeopardize the results of tests and/or calibrations.

All instructions, standards, manuals and reference data relevant to the work of the laboratory shall be kept up to date and shall be made readily available to personnel (see 4.3).

Deviation from test and calibration methods shall occur only if the deviation has been documented, technically justified, authorized, and accepted by the customer.

5.4.2 Selection of methods

The laboratory shall use test and/or calibration methods, including methods for sampling, which meet the needs of the customer and which are appropriate for the tests and/or calibrations it undertakes. Methods published in international, regional or national standards shall preferably be used.

The laboratory shall ensure that it uses the latest valid edition of a standard unless it is not appropriate or possible to do so. When necessary, the standard shall be supplemented with additional details to ensure consistent application.

When the customer does not specify the method to be used, the laboratory shall select appropriate methods that have been published either in international, regional or national standards, or by reputable technical organizations, or in relevant scientific texts or journals, or as specified by the manufacturer of the equipment. Laboratory-developed methods or methods adopted by the laboratory may also be used if they are appropriate for the intended use and if they are validated.

The customer shall be informed as to the method chosen.

The laboratory shall confirm that it can properly operate standard methods before introducing the tests or calibrations. If the standard method changes, the confirmation shall be repeated.

The laboratory shall inform the customer when the method proposed by the customer is considered to be inappropriate or out of date.

5.4.3 Laboratory-developed methods

The introduction of test and calibration methods developed by the laboratory for its own use shall be a planned activity and shall be assigned to qualified personnel equipped with adequate resources.

Plans shall be updated as development proceeds and effective communication amongst all personnel involved shall be ensured.

5.4.4 Non-standard methods

When it is necessary to use methods not covered by standard methods, these shall be subject to agreement with the customer and shall include a clear specification of the customer’s requirements and the purpose of the test and/or calibration. The method developed shall have been validated appropriately before use.

5.4.5 Validation of methods

5.4.5.1 Validation is the confirmation by examination and the provision of objective evidence that the particular requirements for a specific intended use are fulfilled.

5.4.5.2 The laboratory shall validate non-standard methods, laboratory-designed/developed methods, standard methods used outside their intended scope, and amplifications and modifications of standard methods to confirm that the methods are fit for the intended use. The validation shall be as extensive as is necessary to meet the needs of the given application or field of application. The laboratory shall record the results obtained, the procedure used for the validation, and a statement as to whether the method is fit for the intended use.

5.4.5.3 The range and accuracy of the values obtainable from validated methods (e.g. the uncertainty of the results, detection limit, selectivity of the method, linearity, limit of repeatability and/or reproducibility, robustness against external influences and/or cross-sensitivity against interference from the matrix of the sample/test object), as assessed for the intended use, shall be relevant to the customer’s needs.

5.4.6 Estimation of uncertainty of measurement

5.4.6.1 A calibration laboratory, or a testing laboratory performing its own calibrations, shall have and shall apply a procedure to estimate the uncertainty of measurement for all calibrations and types of calibrations.

5.4.6.2 Testing laboratories shall have and shall apply procedures for estimating uncertainty of measurement. In certain cases the nature of the test method may preclude rigorous, metrologically and statistically valid, calculation of uncertainty of measurement. In these cases the laboratory shall at least attempt to identify all the components of uncertainty and make a reasonable estimation, and shall ensure that the form of reporting of the result does not give a wrong impression of the uncertainty. Reasonable estimation shall be based on knowledge of the performance of the method and on the measurement scope and shall make use of, for example, previous experience and validation data.

5.4.6.3 When estimating the uncertainty of measurement, all uncertainty components which are of importance in the given situation shall be taken into account using appropriate methods of analysis.

5.4.7 Control of data

5.4.7.1 Calculations and data transfers shall be subject to appropriate checks in a systematic manner.

5.4.7.2 When computers or automated equipment are used for the acquisition, processing, recording, reporting, storage or retrieval of test or calibration data, the laboratory shall ensure that:

a) computer software developed by the user is documented in sufficient detail and is suitably validated as being adequate for use;

b) procedures are established and implemented for protecting the data; such procedures shall include, but not be limited to, integrity and confidentiality of data entry or collection, data storage, data transmission and data processing;

c) computers and automated equipment are maintained to ensure proper functioning and are provided with the environmental and operating conditions necessary to maintain the integrity of test and calibration data.

5.5 Equipment

5.5.1 The laboratory shall be furnished with all items of sampling, measurement and test equipment required for the correct performance of the tests and/or calibrations (including sampling, preparation of test and/or calibration items, processing and analysis of test and/or calibration data).

In those cases where the laboratory needs to use equipment outside its permanent control, it shall ensure that the requirements of this International Standard are met.

5.5.2 Equipment and its software used for testing, calibration and sampling shall be capable of achieving the accuracy required and shall comply with specifications relevant to the tests and/or calibrations concerned.

Calibration programs shall be established for key quantities or values of the instruments where these properties have a significant effect on the results.

Before being placed into service, equipment (including that used for sampling) shall be calibrated or checked to establish that it meets the laboratory's specification requirements and complies with the relevant standard specifications. It shall be checked and/or calibrated before use (see 5.6).

5.5.3 Equipment shall be operated by authorized personnel.

Up-to-date instructions on the use and maintenance of equipment (including any relevant manuals provided by the manufacturer of the equipment) shall be readily available for use by the appropriate laboratory personnel.

5.5.4 Each item of equipment and its software used for testing and calibration and significant to the result shall, when practicable, be uniquely identified.

5.5.5 Records shall be maintained of each item of equipment and its software significant to the tests and/or calibrations performed. The records shall include at least the following:

a) the identity of the item of equipment and its software;

b) the manufacturer's name, type identification, and serial number or other unique identification;

c) checks that equipment complies with the specification (see 5.5.2);

d) the current location, where appropriate;

e) the manufacturer's instructions, if available, or reference to their location;

f) dates, results and copies of reports and certificates of all calibrations, adjustments, acceptance criteria, and the due date of next calibration;

g) the maintenance plan, where appropriate, and maintenance carried out to date;

h) any damage, malfunction, modification or repair to the equipment.

5.5.6 The laboratory shall have procedures for safe handling, transport, storage, use and planned maintenance of measuring equipment to ensure proper functioning and in order to prevent contamination or deterioration.

5.5.7 Equipment that has been subjected to overloading or mishandling, gives suspect results, or has been shown to be defective or outside specified limits, shall be taken out of service. It shall be isolated to prevent its use or clearly labeled or marked as being out of service until it has been repaired and shown by calibration or test to perform correctly.

The laboratory shall examine the effect of the defect or departure from specified limits on previous tests and/or calibrations and shall institute the “Control of nonconforming work” procedure (see 4.9).

5.5.8 Whenever practicable, all equipment under the control of the laboratory and requiring calibration shall be labeled, coded or otherwise identified to indicate the status of calibration, including the date when last calibrated and the date or expiration criteria when recalibration is due.

5.5.9 When, for whatever reason, equipment goes outside the direct control of the laboratory, the laboratory shall ensure that the function and calibration status of the equipment are checked and shown to be satisfactory before the equipment is returned to service.

5.5.10 When intermediate checks are needed to maintain confidence in the calibration status of the equipment, these checks shall be carried out according to a defined procedure.

5.5.11 Where calibrations give rise to a set of correction factors, the laboratory shall have procedures to ensure that copies (e.g. in computer software) are correctly updated.

5.5.12 Test and calibration equipment, including both hardware and software, shall be safeguarded from adjustments which would invalidate the test and/or calibration results.
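Clause 5.4.7 (control of data) together with 5.5.11 and 5.5.12 asks for three things from laboratory software: systematic checks on calculations, software copies of correction factors that are kept current, and protection against adjustments that would invalidate results. The Python block below is an added illustration of one way a laboratory's own data-handling code could meet those three points; it is not part of the STQC checklist or of ISO/IEC 17025, and the instrument id, certificate reference, integrity key and factor values are constructed.

```python
"""Added illustration (not from the STQC checklist or ISO/IEC 17025):
integrity-protected correction factors and a checked calculation."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key: a laboratory would hold this in a protected store
# with restricted access, never in source code.
INTEGRITY_KEY = b"constructed-demo-key"


def _tag(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of a record."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


@dataclass
class CorrectionFactors:
    """One set of correction factors taken from a calibration certificate.

    This is the software copy clause 5.5.11 wants kept up to date; the
    tag lets later edits to the copy be detected (5.5.12).
    """
    instrument_id: str
    certificate_ref: str
    version: int
    gain: float
    offset: float
    tag: str = ""

    def payload(self) -> dict:
        return {
            "instrument_id": self.instrument_id,
            "certificate_ref": self.certificate_ref,
            "version": self.version,
            "gain": self.gain,
            "offset": self.offset,
        }

    def seal(self) -> "CorrectionFactors":
        """Compute the integrity tag once the record has been authorized."""
        self.tag = _tag(self.payload())
        return self

    def verify(self) -> bool:
        return hmac.compare_digest(self.tag, _tag(self.payload()))


class FactorStore:
    """Controlled copy of correction factors, one current set per instrument."""

    def __init__(self) -> None:
        self._factors = {}

    def update(self, new: CorrectionFactors) -> None:
        """Load a sealed record; reject unsealed, altered or stale copies."""
        if not new.verify():
            raise ValueError("integrity tag mismatch: factors not loaded")
        current = self._factors.get(new.instrument_id)
        if current is not None and new.version <= current.version:
            raise ValueError("stale factors: stored copy is newer or equal")
        self._factors[new.instrument_id] = new

    def get(self, instrument_id: str) -> CorrectionFactors:
        """Re-verify on every read so an in-place edit cannot go unnoticed."""
        cf = self._factors[instrument_id]
        if not cf.verify():
            raise ValueError("stored factors altered after sealing")
        return cf


def apply_correction(raw: float, store: FactorStore, instrument_id: str) -> float:
    """Correct a raw reading and check the calculation by inverting it (5.4.7.1)."""
    cf = store.get(instrument_id)
    corrected = raw * cf.gain + cf.offset
    # Systematic check: undo the correction and confirm the raw reading
    # is recovered within rounding before the result is released.
    recovered = (corrected - cf.offset) / cf.gain
    if abs(recovered - raw) > 1e-9 * max(1.0, abs(raw)):
        raise ArithmeticError("calculation check failed")
    return corrected


def _rejected(store: FactorStore, cf: CorrectionFactors) -> bool:
    try:
        store.update(cf)
        return False
    except ValueError:
        return True


def run_checks() -> dict:
    """Walk through the cases a reviewer would expect the software to reject."""
    store = FactorStore()
    store.update(CorrectionFactors("DMM-01", "CERT-2010-001", 1, 1.0002, -0.003).seal())
    outcome = {"corrected": apply_correction(10.0, store, "DMM-01")}
    # An edited copy that reuses the old tag is rejected on load.
    forged = CorrectionFactors("DMM-01", "CERT-2010-001", 2, 1.05, -0.003,
                               tag=store.get("DMM-01").tag)
    outcome["forged_rejected"] = _rejected(store, forged)
    # A properly sealed but older version does not overwrite the current one.
    stale = CorrectionFactors("DMM-01", "CERT-2010-001", 1, 1.0003, 0.0).seal()
    outcome["stale_rejected"] = _rejected(store, stale)
    # An in-place edit of the stored copy is caught at the next read.
    store._factors["DMM-01"].gain = 2.0
    try:
        apply_correction(10.0, store, "DMM-01")
        outcome["edit_detected"] = False
    except ValueError:
        outcome["edit_detected"] = True
    return outcome


if __name__ == "__main__":
    print(run_checks())
```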

5.6 Measurement traceability

5.6.1 General

All equipment used for tests and/or calibrations, including equipment for subsidiary measurements (e.g. for environmental conditions) having a significant effect on the accuracy or validity of the result of the test, calibration or sampling shall be calibrated before being put into service.

The laboratory shall have an established program and procedure for the calibration of its equipment.

5.6.2 Specific requirements

5.6.2.1 Calibration

5.6.2.1.1 For calibration laboratories, the program for calibration of equipment shall be designed and operated so as to ensure that calibrations and measurements made by the laboratory are traceable to the International System of Units (SI) (Système international d'unités).

A calibration laboratory establishes traceability of its own measurement standards and measuring instruments to the SI by means of an unbroken chain of calibrations or comparisons linking them to relevant primary standards of the SI units of measurement. The link to SI units may be achieved by reference to national measurement standards. National measurement standards may be primary standards, which are primary realizations of the SI units or agreed representations of SI units based on fundamental physical constants, or they may be secondary standards which are standards calibrated by another national metrology institute.

When using external calibration services, traceability of measurement shall be assured by the use of calibration services from laboratories that can demonstrate competence, measurement capability and traceability.

The calibration certificates issued by these laboratories shall contain the measurement results, including the measurement uncertainty and/or a statement of compliance with an identified metrological specification (see also 5.10.4.2).

5.6.2.1.2 There are certain calibrations that currently cannot be strictly made in SI units. In these cases calibration shall provide confidence in measurements by establishing traceability to appropriate measurement standards such as:

- the use of certified reference materials provided by a competent supplier to give a reliable physical or chemical characterization of a material;

- the use of specified methods and/or consensus standards that are clearly described and agreed by all parties concerned.

Participation in a suitable program of inter-laboratory comparisons is required where possible.

5.6.2.2 Testing

5.6.2.2.1 For testing laboratories, the requirements given in 5.6.2.1 apply for measuring and test equipment with measuring functions used, unless it has been established that the associated contribution from the calibration contributes little to the total uncertainty of the test result. When this situation arises, the laboratory shall ensure that the equipment used can provide the uncertainty of measurement needed.

5.6.2.2.2 Where traceability of measurements to SI units is not possible and/or not relevant, the same requirements for traceability to, for example, certified reference materials, agreed methods and/or consensus standards, are required as for calibration laboratories (see 5.6.2.1.2).

5.6.3 Reference standards and reference materials

5.6.3.1 Reference standards

The laboratory shall have a program and procedure for the calibration of its reference standards.

Reference standards shall be calibrated by a body that can provide traceability as described in 5.6.2.1.

Such reference standards of measurement held by the laboratory shall be used for calibration only and for no other purpose, unless it can be shown that their performance as reference standards would not be invalidated.

Reference standards shall be calibrated before and after any adjustment.

5.6.3.2 Reference materials

Reference materials shall, where possible, be traceable to SI units of measurement, or to certified reference materials. Internal reference materials shall be checked as far as is technically and economically practicable.

5.6.3.3 Intermediate checks

Checks needed to maintain confidence in the calibration status of reference, primary, transfer or working standards and reference materials shall be carried out according to defined procedures and schedules.

5.6.3.4 Transport and storage

The laboratory shall have procedures for safe handling, transport, storage and use of reference standards and reference materials in order to prevent contamination or deterioration and in order to protect their integrity.

5.7 Sampling

5.7.1 The laboratory shall have a sampling plan and procedures for sampling when it carries out sampling of substances, materials or products for subsequent testing or calibration.

The sampling plan as well as the sampling procedure shall be available at the location where sampling is undertaken.

Sampling plans shall, whenever reasonable, be based on appropriate statistical methods. The sampling process shall address the factors to be controlled to ensure the validity of the test and calibration results.

5.7.2 Where the customer requires deviations, additions or exclusions from the documented sampling procedure, these shall be recorded in detail with the appropriate sampling data and shall be included in all documents containing test and/or calibration results, and shall be communicated to the appropriate personnel.

5.7.3 The laboratory shall have procedures for recording relevant data and operations relating to sampling that forms part of the testing or calibration that is undertaken.

These records shall include the sampling procedure used, the identification of the sampler, environmental conditions (if relevant) and diagrams or other equivalent means to identify the sampling location as necessary and, if appropriate, the statistics the sampling procedures are based upon.

5.8 Handling of test and calibration items

5.8.1 The laboratory shall have procedures for the transportation, receipt, handling, protection, storage, retention and/or disposal of test and/or calibration items, including all provisions necessary to protect the integrity of the test or calibration item, and to protect the interests of the laboratory and the customer.

5.8.2 The laboratory shall have a system for identifying test and/or calibration items. The identification shall be retained throughout the life of the item in the laboratory. The system shall be designed and operated so as to ensure that items cannot be confused physically or when referred to in records or other documents. The system shall, if appropriate, accommodate a sub-division of groups of items and the transfer of items within and from the laboratory.

5.8.3 Upon receipt of the test or calibration item, abnormalities or departures from normal or specified conditions, as described in the test or calibration method, shall be recorded.

When there is doubt as to the suitability of an item for test or calibration, or when an item does not conform to the description provided, or the test or calibration required is not specified in sufficient detail, the laboratory shall consult the customer for further instructions before proceeding and shall record the discussion.

5.8.4 The laboratory shall have procedures and appropriate facilities for avoiding deterioration, loss or damage to the test or calibration item during storage, handling and preparation. Handling instructions provided with the item shall be followed.

When items have to be stored or conditioned under specified environmental conditions, these conditions shall be maintained, monitored and recorded.

Where a test or calibration item or a portion of an item is to be held secure, the laboratory shall have arrangements for storage and security that protect the condition and integrity of the secured items or portions concerned.

5.9 Assuring the quality of test and calibration results

5.9.1 The laboratory shall have quality control procedures for monitoring the validity of tests and calibrations undertaken.

The resulting data shall be recorded in such a way that trends are detectable and, where practicable, statistical techniques shall be applied to the reviewing of the results.

This monitoring shall be planned and reviewed and may include, but not be limited to, the following:

a) regular use of certified reference materials and/or internal quality control using secondary reference materials;

b) participation in inter-laboratory comparison or proficiency-testing programs;

c) replicate tests or calibrations using the same or different methods;

d) retesting or recalibration of retained items;

e) correlation of results for different characteristics of an item.

5.9.2 Quality control data shall be analyzed and, where they are found to be outside pre-defined criteria, planned actions shall be taken to correct the problem and to prevent incorrect results from being reported.

5.10 Reporting the results

5.10.1 General

The results of each test, calibration, or series of tests or calibrations carried out by the laboratory shall be reported accurately, clearly, unambiguously and objectively, and in accordance with any specific instructions in the test or calibration methods.

The results shall be reported, usually in a test report or a calibration certificate (see note 1), and shall include all the information requested by the customer and necessary for the interpretation of the test or calibration results and all information required by the method used. This information is normally that required by 5.10.2, and 5.10.3 or 5.10.4.

In the case of tests or calibrations performed for internal customers, or in the case of a written agreement with the customer, the results may be reported in a simplified way.

Any information listed in 5.10.2 to 5.10.4 which is not reported to the customer shall be readily available in the laboratory which carried out the tests and/or calibrations.

5.10.2 Test reports and calibration certificates

Each test report or calibration certificate shall include at least the following information, unless the laboratory has valid reasons for not doing so:

a) a title (e.g. “Test Report” or “Calibration Certificate”);

b) the name and address of the laboratory, and the location where the tests and/or calibrations were carried out, if different from the address of the laboratory;

c) unique identification of the test report or calibration certificate (such as the serial number), and on each page an identification in order to ensure that the page is recognized as a part of the test report or calibration certificate, and a clear identification of the end of the test report or calibration certificate;

d) the name and address of the customer;

e) identification of the method used;

f) a description of, the condition of, and unambiguous identification of the item(s) tested or calibrated;

g) the date of receipt of the test or calibration item(s) where this is critical to the validity and application of the results, and the date(s) of performance of the test or calibration;

h) reference to the sampling plan and procedures used by the laboratory or other bodies where these are relevant to the validity or application of the results;

i) the test or calibration results with, where appropriate, the units of measurement;

j) the name(s), function(s) and signature(s) or equivalent identification of person(s) authorizing the test report or calibration certificate;

k) where relevant, a statement to the effect that the results relate only to the items tested or calibrated.

5.10.3 Test reports

5.10.3.1 In addition to the requirements listed in 5.10.2, test reports shall, where necessary for the interpretation of the test results, include the following:

a) deviations from, additions to, or exclusions from the test method, and information on specific test conditions, such as environmental conditions;

b) where relevant, a statement of compliance/non-compliance with requirements and/or specifications;


c) where applicable, a statement on the estimated uncertainty of measurement; information on uncertainty is needed in test reports when it is relevant to the validity or application of the test results, when a customer’s instruction so requires, or when the uncertainty affects compliance to a specification limit;

d) where appropriate and needed, opinions and interpretations (see 5.10.5);

e) additional information which may be required by specific methods, customers or groups of customers.

5.10.3.2 In addition to the requirements listed in 5.10.2 and 5.10.3.1, test reports containing the results of sampling shall include the following, where necessary for the interpretation of test results:

a) the date of sampling;

b) unambiguous identification of the substance, material or product sampled (including the name of the manufacturer, the model or type of designation and serial numbers as appropriate);

c) the location of sampling, including any diagrams, sketches or photographs;

d) a reference to the sampling plan and procedures used;


e) details of any environmental conditions during sampling that may affect the interpretation of the test results;

f) any standard or other specification for the sampling method or procedure, and deviations, additions to or exclusions from the specification concerned.

5.10.4 Calibration certificates

5.10.4.1 In addition to the requirements listed in 5.10.2, calibration certificates shall include the following, where necessary for the interpretation of calibration results:

a) the conditions (e.g. environmental) under which the calibrations were made that have an influence on the measurement results;

b) the uncertainty of measurement and/or a statement of compliance with an identified metrological specification or clauses thereof;

c) evidence that the measurements are traceable (see note 2 in 5.6.2.1.1).

5.10.4.2 The calibration certificate shall relate only to quantities and the results of functional tests. If a statement of compliance with a specification is made, this shall identify which clauses of the specification are met or not met.


When a statement of compliance with a specification is made omitting the measurement results and associated uncertainties, the laboratory shall record those results and maintain them for possible future reference.

When statements of compliance are made, the uncertainty of measurement shall be taken into account.

5.10.4.3 When an instrument for calibration has been adjusted or repaired, the calibration results before and after adjustment or repair, if available, shall be reported.

5.10.4.4 A calibration certificate (or calibration label) shall not contain any recommendation on the calibration interval except where this has been agreed with the customer. This requirement may be superseded by legal regulations.

5.10.5 Opinions and interpretations

When opinions and interpretations are included, the laboratory shall document the basis upon which the opinions and interpretations have been made. Opinions and interpretations shall be clearly marked as such in a test report.

5.10.6 Testing and calibration results obtained from subcontractors

When the test report contains results of tests performed by subcontractors, these results shall be clearly identified. The subcontractor shall report the results in writing or electronically.


When a calibration has been subcontracted, the laboratory performing the work shall issue the calibration certificate to the contracting laboratory.

5.10.7 Electronic transmission of results

In the case of transmission of test or calibration results by telephone, telex, facsimile or other electronic or electromagnetic means, the requirements of this International Standard shall be met (see also 5.4.7).

5.10.8 Format of reports and certificates

The format shall be designed to accommodate each type of test or calibration carried out and to minimize the possibility of misunderstanding or misuse.

5.10.9 Amendments to test reports and calibration certificates

Material amendments to a test report or calibration certificate after issue shall be made only in the form of a further document, or data transfer, which includes the statement: “Supplement to Test Report [or Calibration Certificate], serial number ... [or as otherwise identified]”, or an equivalent form of wording. Such amendments shall meet all the requirements of this International Standard.


When it is necessary to issue a complete new test report or calibration certificate, this shall be uniquely identified and shall contain a reference to the original that it replaces.


REFERENCE TO STQC APPROVAL STATUS – STQC ADVERTISING POLICY

(ADDENDUM TO THE ASSESSOR CHECKLIST) (Effective June 2010 unless otherwise noted)

STQC-Approved organizations are strongly encouraged to promote their STQC Approval by using the “STQC Approval” symbol. It is the ethical responsibility of Approved and applicant organizations to describe their Approval status in a manner that does not imply Approval in areas that are outside their actual scope of Approval or for other testing/calibration facilities not covered under STQC Approval. Approved organizations or others are encouraged to advise STQC if a violation of this policy is discovered by actions of other parties.

While inclusion of the STQC Approval symbol on test or calibration reports is not mandatory, only test or calibration reports bearing the STQC Approval symbol can benefit from the acceptance established through mutual recognition agreements/arrangements among Approval bodies, and only those calibration reports bearing the STQC Approval symbol can be confirmed to meet the STQC Policy on Measurement Traceability.

Unless otherwise specified, all requirements related to the use of the “STQC Approval” symbol specified in this document also apply when making any other claims of STQC Approval. The term "certificates and reports" includes calibration certificates, test reports and/or any other certificate or report generated under the organization’s scope of Approval. Failure to comply with these requirements may lead to denial, suspension or revocation of Approval and/or legal remedies.

Note 1: The “STQC” logo is to be used by STQC only. Approved organizations may use the “STQC Approval” symbol and/or may make reference to their STQC Approval, but may not use the “STQC” logo in such references.

(Note: Organizations initially applying for STQC Approval must demonstrate compliance with Clause 1.1 and must sign the statement on the last page agreeing to abide by this advertising policy once Approved. The assessor(s) will review these requirements with the organization during the assessment.)


1.0 General Requirements

1.1 The organization shall have a policy and procedure for controlling the use of the term “STQC” and the “STQC Approval” symbol.

1.2 The “STQC Approval” symbol shall not be used by an organization that is not STQC Approved.

1.3 The “STQC Approval” symbol shall not be used by applicants for STQC Approval.

1.4 The “STQC Approval” symbol shall be used by an STQC Approved organization only under the name in which it holds STQC Approval.

1.5 When promoting or providing proof of Approval, Approved organizations shall use the scope(s) of Approval, as this document details the specific tests or calibrations which are Approved. The certificate shall be used for display purposes and may also accompany the scope.

1.6 It is the responsibility of the organization to communicate this Advertising Policy and its requirements to the necessary corporate/marketing representatives to ensure that all requirements are met.

2.0 Symbol Reproduction


2.1 “STQC Approval” symbol sheets are sent to all Approved organizations, and an electronic version is available upon request.

2.2 Where the STQC name (not to be confused with the “STQC” logo) is used by Approved organizations in a narrative reference to Approval status, it shall always be accompanied by at least the word “Approval.”

2.3 While there are no restrictions on the size and color of the “STQC Approval” symbol reproduction, the symbol must maintain its form.

2.4 The “STQC Approval” symbol may be generated electronically provided that the prescribed formats and forms are retained.

3.0 Use of the “STQC Approval” Symbol on Test/Calibration Reports

3.1 Where the “STQC Approval” symbol is used to endorse test or calibration results on reports or certificates, it shall always be accompanied by the STQC certificate number(s) and an indication of the type of organization Approved (e.g., testing/calibration laboratory, proficiency testing provider, reference material producer, inspection body, product certification body, etc.). An example for each Approval program is given in the STQC Advertising Policy itself.

NOTE: This highlighted change to Section 3.1 and the corresponding change to Section 10.2 are effective as of October 1, 2008 for new organizations enrolled in an STQC Approval program as of 12/15/06, and effective as of October 1, 2009 for organizations Approved as of 12/15/06. New organizations applying for Approval after 12/15/06 will be expected to comply with this section in its entirety once Approval is achieved. The requirement to include the STQC certificate number with the symbol on reports or certificates was previously in place and continues to be effective immediately for all Approved organizations.

3.2 The “STQC Approval” symbol may be displayed on all certificates and reports that contain exclusively results from calibrations and tests that have been carried out within the organization’s official STQC Scope of Approval.

3.3 The “STQC Approval” symbol shall not be used on certificates and reports if none of the results presented are from tests or calibrations included on the STQC Scope(s) of Approval.

NOTE: To provide clients with assurance that the quality system under which the contracted work was done meets the Approval requirements, an appropriate reference may be included in a prominent place on the report or certificate when none of the work is covered under the Approval. For example, “This Approved organization maintains STQC Approval to ISO/IEC 17025 for the specific test/calibration listed in STQC Certificate #----. The test/calibration results included in this report/certificate, however, are not covered by this Approval.” Note that inclusion of the “STQC Approval” symbol in this case is prohibited.


3.4 Where both Approved and non-Approved tests/calibrations are included on an endorsed report or certificate, non-Approved results shall be clearly and unambiguously identified as such. This can be done by placing an asterisk after each such result along with a footnote stating: “The test/calibration results are not covered by our current STQC Approval”.

3.5 On reports where results are reported within the field where Approval exists but in a technology that is not included in the scope, they must be so indicated. (For example, if an organization is Approved in the Environmental Field for only wet chemistry and metals, any gas chromatographic data reported would need to be identified as non-Approved.)

3.6 If the intent is to ensure that the client meets the requirements of the STQC Traceability Policy, the calibrations performed by an STQC Approved calibration organization must be included on the calibration organization’s STQC Scope of Approval, and the calibration certificate issued must contain the “STQC Approval” symbol (or a reference to STQC Approval) and the STQC certificate number.

3.7 There shall be nothing in the reports, certificates or in any attachments or other materials which implies or may lead any user of the results or any interested party to believe that the work is Approved when it is not.

4.0 Subcontracted Tests and Calibrations


4.1 An STQC Approved organization may include the results of subcontracted tests or calibrations in its endorsed reports or certificates only if:

4.1.1 The Approved organization has informed the client in writing of the proposed subcontracting and has obtained prior approval; and

4.1.2 The subcontractor is itself Approved by STQC or an STQC recognized MRA partner for the specific tests or calibrations concerned and the results have been included in the subcontracting organization’s endorsed calibration or test report(s) submitted to the Approved organization. Any non-Approved subcontracted calibrations or tests shall be specified as noted in Section 3.4 of this policy.

4.1.3 The subcontracted calibration or test results shall be clearly and unambiguously identified on the certificate or report.

5.0 Opinions and Interpretations

5.1 Where statements of opinions and interpretations are outside the Scope of Approval, the organization is required to include a disclaimer such as the following in the certificate or report: “The opinions/interpretations expressed in this report are outside the scope of this organization’s STQC Approval.”


5.2 It is preferable, however, to express opinions and interpretations that are outside the Scope of Approval on a separate letter which is not part of the endorsed certificate or report and that does not carry the “STQC Approval” symbol or other reference to STQC Approval.

6.0 Calibration Labels

6.1 Calibration labels containing the “STQC Approval” symbol may be affixed only to equipment that has been calibrated by the Approved calibration organization under its Scope of Approval.

6.2 Calibration labels containing the “STQC Approval” symbol shall include at least the following information:

6.2.1 The name of the Approved calibration organization or its STQC Certificate number;

6.2.2 The instrument identification;

6.2.3 The date of the current calibration;

6.2.4 Cross reference to the Approved calibration certificate issued with respect to this calibration.

7.0 Inspection Labels (ISO/IEC 17020 Inspection Body Approval only – not applicable to testing and calibration laboratories)


8.0 Advertising, Publicity, and Business Solicitation

8.1 Approved organizations may incorporate statements concerning their Approval in publicity and/or advertising materials, including brochures and organization publications, technical literature, business reports, web sites and quotations or proposals for work.

8.2 The use of the “STQC Approval” symbol or other reference to STQC used to promote Approval enhances the reputation and value of Approval for all stakeholders. It is the responsibility of the Approved organizations to ensure that there is no misrepresentation of the Approval status and that the Approval process is not brought into disrepute.

8.3 The Approval claim shall be related only to the testing or calibration that is covered under the STQC Scope of Approval, and not with any other activities in which the organization or its parent organization are involved.

8.4 STQC Approval is site specific. The Approval claim shall be related only to the specific organization location that is covered under the STQC Scope of Approval, and not with any other non-Approved locations.


8.5 In proposals or quotations, the Approved organization shall distinguish tests or calibrations that are covered under the STQC Scope of Approval from those that are not covered.

8.6 Where the “STQC Approval” symbol is printed on letterhead or other corporate stationery, such stationery shall not be used for work proposals, quotes, reporting of test or calibration results exclusively outside the STQC Scope of Approval, or certifying a product or other item.

8.7 The “STQC Approval” symbol or Approval claim shall not be affixed to a material, item or product (or related part, including packaging), or used to imply that an item or product has been certified.

8.8 If the “STQC Approval” symbol is included in literature relating to a product, the symbol must appear directly adjacent to the reference to the Approved calibration or testing organization and it must be clearly stated that inclusion of the symbol does not imply certification/approval of the products calibrated or tested.

8.9 The “STQC Approval” symbol shall not be displayed on business cards in a manner that might imply personnel certification.


9.0 Misuse of the “STQC Approval” Symbol or Approval Status

9.1 Every circumstance where the principle of accurate representation applies cannot be anticipated and dealt with in this document. Therefore, it is the responsibility of the Approved and applicant organization representatives not to misrepresent their Approval status under any circumstances.

9.2 If there are questions, the organization should submit intended uses of the symbol, draft advertisements, and/or any other Approval claims to STQC Headquarters for advance review.

9.3 Upon suspension or termination of Approval, an organization must immediately cease to issue calibration certificates, test reports, and test certificates displaying the symbol and shall cease publishing documents (including advertisements, websites, etc.) containing the symbol or reference to STQC Approval.

10.0 Use of the Combined STQC Approval Symbol – For use exclusively in conjunction with activities covered under STQC’s Scope of Recognition

10.1 Approved laboratories may use the combined “ILAC MRA – STQC Approval” symbol in order to demonstrate Approval by a signatory of the ILAC arrangement.


10.2 When used on test reports or calibration certificates, the combined symbol may be used only in combination with the Approved laboratory’s STQC certificate number and an indication of whether it is a testing or calibration laboratory that is Approved.

10.3 The combined symbol may be used only in the same proportions as contained on the STQC Advertising Policy itself.

10.4 Laboratories wishing to use the combined symbol must present their proposed usage to STQC for review and shall not begin actual use of the combined symbol until they have received written approval from STQC.

10.5 Laboratories wishing to use the combined symbol must also sign a formal sub-license agreement with STQC that will be provided when the laboratory’s proposed usage is submitted to STQC. They may not begin actual use of the combined symbol until this sub-license agreement has been signed.

10.6 All requirements of sections 1.0-8.0 of this Advertising Policy are also applicable to use of the combined symbol (e.g., policy and procedure, reproduction, use on marketing materials, etc.)

11 Approval vs. Non-Approval Work


11.1 When a client requests the performance of a test or calibration that appears on a laboratory’s STQC Scope of Approval, the test or calibration must be performed in accordance with all of the STQC requirements for Approval, whether or not the “STQC Approval” symbol is used on the resulting test report or calibration certificate. It is important to note, however, that the “STQC Approval” symbol must be included on any certificate or report intended to demonstrate traceability in accordance with the STQC Policy on Measurement Traceability, Section T2.

11.2 If a client requests performance of a test or calibration that appears on a laboratory’s STQC Scope of Approval but does not want or need the test or calibration to be performed under Approval conditions, these requests and the exceptions to the Approval requirements must be clearly documented in the Approved laboratory’s contract review records (reference ISO/IEC 17025, Section 4.4.1a). When these tests or calibrations are not performed in accordance with all of the STQC requirements for Approval, the resulting test report or calibration certificate cannot be endorsed with the “STQC Approval” symbol.

TO BE SIGNED BY THE AUTHORIZED REPRESENTATIVE OF THE ORGANIZATION AND HIS/HER DESIGNATED DEPUTY:

We understand and agree to abide by the requirements contained in the “Reference to STQC Approval Status – STQC Advertising Policy” once our organization becomes STQC Approved.

Authorized Representative Name: _______________________________ Signature: ___________________________ Date: __________________

Deputy Name: _______________________________________________ Signature: ___________________________ Date: __________________


STQC POLICY ON MEASUREMENT TRACEABILITY (ADDENDUM TO THE ASSESSOR CHECKLIST: GENERAL CRITERIA)

(June 2010)

Approved laboratories are required to meet the following additional requirements contained in P102 - STQC Policy on Measurement Traceability.

Requirement

Reference

{RESERVED FOR ASSESSORS ONLY}

Compliance Comments

Y N NA

STQC Policy on Traceability of Measurement

T1. STQC requires that all calibrations and verifications of measuring and test equipment, reference standards, and reference materials be conducted by a calibration laboratory Approved to ISO/IEC 17025 by a mutually recognized Approval Body; or a reference material producer Approved to ISO/IEC Guide 34 by a mutually recognized Approval Body; or a recognized National Metrology Institute (NMI, i.e. one which supports the measurement comparison activities of the CIPM, Comité International des Poids et Mesures); or a mechanical testing laboratory Approved by STQC to ISO/IEC 17025 and found to meet the STQC Calibration Program Requirements (as indicated on their Scope of Approval); or a laboratory Approved by STQC to ISO/IEC 17025 and found to meet the T9 requirements for their in-house calibrations.


T2. External calibrations and verifications must be documented in a calibration certificate or report endorsed by the recognized Approval Body’s symbol (or otherwise making reference to Approved status), or endorsed by the National Metrology Institute (NMI). For internal calibrations and verifications, the requirements outlined in requirement T9 of this document apply.

T3. All STQC-Approved and enrolled organizations shall define their policy for achieving measurement traceability. This policy shall be in compliance with this policy document.

T4. Where measurement uncertainty analysis is applicable, STQC requires laboratories to calculate measurement uncertainty in accordance with the ISO “Guide to the Expression of Uncertainty in Measurement.” These uncertainties, when reported, shall be reported as the expanded uncertainty with a defined coverage factor, k (typically k = 2) and the confidence interval (typically to approximate the 95% confidence level).


T5. If a calibration certificate or test report contains a statement of the measurement result and the associated uncertainty, then the uncertainty statement shall be accompanied by an explanation of the meaning of the uncertainty statement. (For example, “This uncertainty represents an expanded uncertainty expressed at approximately the 95% confidence level using a coverage factor of k=2.”)


T6. Test uncertainty ratios (TURs) shall be calculated using the expanded uncertainty of the measurement, not the “collective uncertainty of the measurement standards”.

T7. Implicit uncertainty statements must be accompanied by words to the effect that the uncertainty ratio was calculated using the expanded measurement uncertainty. In addition the coverage factor and confidence level must be stated.

T8. Calibration reports and certificates issued by STQC-Approved calibration laboratories shall contain a traceability statement.

T9. All in-house calibrations shall be supported by the following minimal set of elements:

a) The in-house laboratory shall maintain documented procedures for the in-house calibrations and the in-house calibrations shall be evidenced by a calibration report, certificate, or sticker, or other suitable method, and calibration records shall be retained for an appropriate, prescribed time;

b) The in-house laboratory shall maintain training records for calibration personnel and these records shall demonstrate the technical competence of the personnel performing the calibrations;


c) The in-house laboratory shall be able to demonstrate traceability to national or international standards of measurement by procuring calibration services from Approved calibration labs or a national metrology institute;

d) The in-house laboratory shall have and apply procedures for evaluating measurement uncertainty. Measurement uncertainty shall be calculated for each type of calibration and records of these calculations shall be maintained. (NOTE: Records of these calculations must be maintained for calibrations done as of 8/1/06.) Measurement uncertainty shall be taken into account when statements of compliance with specifications are made;


e) Reference standards shall be recalibrated at appropriate intervals to ensure that the reference value is reliable. Policy and procedures for establishing and changing calibration intervals shall be based on the historical behavior of the reference standard.


GENERAL REQUIREMENTS: PROFICIENCY TESTING FOR ISO/IEC 17025 LABORATORIES

(ADDENDUM TO THE ASSESSOR CHECKLIST: GENERAL CRITERIA)

(June 2010)

Approved laboratories are required to meet the following additional requirements contained in General Requirements: Proficiency Testing for ISO/IEC 17025 Laboratories.

Requirement | Reference | {RESERVED FOR ASSESSORS ONLY} Compliance: Y / N / NA | Comments

PT1. Participation in PT

1.1 Unless otherwise specified within General Requirements: Proficiency Testing for ISO/IEC 17025 Laboratories, at a minimum, proficiency testing participation is required for at least two proficiency-testing activities per year, every year.

1.2 As appropriate, the laboratory participates in sector specific PT as described in Annex: Proficiency Testing for ISO/IEC 17025 Laboratories.

1.3 Participation in relevant and available proficiency testing is required at a frequency sufficient to ensure that all major sub-disciplines and materials/matrices/product types (as defined in Annex: Proficiency Testing for ISO/IEC 17025 Laboratories) on the scope of Approval are covered over a four-year period.


1.4 The laboratory must have a documented plan of how it intends to cover the applicable program requirements or the major sub-disciplines and materials/matrices/product types on its scope of Approval over a four-year period.

1.4.1 This plan shall cover any commercially available participation and any inter-laboratory organized studies, as applicable.

1.4.2 The laboratory must also be able to explain when proficiency testing is not possible for certain testing and provide a description of what the laboratory is doing in lieu of proficiency testing. This shall be included within the plan.

1.4.3 The plan must also address the laboratory’s process for submission of proficiency testing results and related corrective action responses to STQC promptly upon receipt.

1.5 Applicant laboratories for STQC Approval must be able to demonstrate successful participation in at least one relevant and available proficiency testing activity (i.e. study) prior to receiving Approval.

1.6 Laboratories shall conduct proficiency tests in accordance with their normal testing/calibration and reporting procedures, unless otherwise specified in the instructions from the proficiency test provider.


1.6.1 Laboratories shall also ensure that proficiency-testing samples are equally distributed among personnel trained and qualified for the relevant tests.

PT2. Responding with corrective action

2.1 Laboratories are expected to document their analysis of all results and to submit the results, and subsequent analysis, of all relevant proficiency testing participation to STQC promptly upon receipt.

2.2 Detailed corrective action responses for any outlying or unacceptable results related to testing/calibration on their Scope of Approval must also be submitted.

2.3 All proficiency testing information must be provided to STQC using the Proficiency Testing Data Submission Form, along with explanations and corrective action responses for any outlying or unacceptable results.


QAF-02-05-12

Approval criteria (check list) of independent auditing body


Page 2 of 16 DAC-70-02/F2, rev. d

Instructions

Applicant Auditing Body: The applicant shall complete the column "Your Document" by referencing the document that shows it is compliant with the specific requirement. This reference should indicate the document name, page and/or clause(s) in which compliance can be confirmed. The form and all documentation referenced on the checklist should then be forwarded to STQC. The clauses of ISO/IEC 17021 are paraphrased in this document and do not necessarily reflect the complete requirements. The Auditing Body shall refer to the standard for the exact and complete wording and prove compliance with the full requirements as stated in ISO/IEC 17021 in their entirety, as applicable. Wherever the standard states that a procedure is required, that procedure shall be in the format of a separate document having the following headings as a minimum: (1) Purpose, (2) Scope, (3) References, (4) Definitions, (5) Responsibility, (6) Procedure, and (7) Records.

STQC Assessor Document Review: The STQC assessor is responsible for performing a document review using the checklist and the references given by the Auditing Body. The lead assessor shall confirm the documentation’s compliance with the requirements of ISO 17021 and indicate the Auditing Body’s compliance in the "Document Compliance" Yes and No columns of the form. The assessor can use the Notes column to record any non-compliance, observations, need for further investigation at the time of assessment, and positive comments.

STQC Assessor Assessment Visit: The STQC assessor is responsible for completing the checklist by indicating the Auditing Body’s compliance in practice with its own policies and procedures and with the requirements of ISO 17021. The Auditing Body’s compliance shall be indicated in the Assessment Compliance Yes and No columns, and comments on compliance, nonconformance, and observations shall be documented in the Notes column.


Auditing Body’s Information

Client Name:
Address:
Telephone Number:
FAX Number:
Contact Person:
Date Form Completed:
Form Completed by:
Signature:

Date filled form received by STQC (to be filled by STQC):

STQC Review of Document Compliance

Name of Assessor:
Starting Date:
Completion Date:
Signature:

STQC Review of Assessment Compliance

Name of Assessor:
Date Form Completed:
Signature:


NO | REQUIREMENT | YOUR DOCUMENT (Doc. Ref./Clause No.) | DOCUMENT COMPLIANCE: Y / N / NOTES | ASSESSMENT COMPLIANCE: Y / N / REMARKS/OBJECTIVE EVIDENCE

3 ADMINISTRATIVE REQUIREMENTS

3.1 Is the auditing body, or the organization of which it forms part, legally identifiable?

3.2 Is the auditing body that forms part of an organization involved in functions other than auditing, identifiable within that organization?

3.3 Does the auditing body have documentation which describes the function and the technical scope of the activity for which it is competent?

3.4 Does the AUDITING BODY have adequate liability insurance? (Not required if its liability is assumed by the government in accordance with regulations/laws or by the organization of which it forms part)

3.5 Does the AUDITING BODY have documentation describing the conditions on which it does business? (Not required if it is part of an organization and provides auditing services only to that organization)

3.6 Does the AUDITING BODY, or the organization of which it forms a part, have independently audited accounts?

4. INDEPENDENCE, IMPARTIALITY AND INTEGRITY

4.1 GENERAL

Does the AUDITING BODY have procedures to ensure that its personnel are free from any commercial, financial and other pressures that might affect their judgment?


Does the AUDITING BODY have procedures to ensure that persons or organizations external to the auditing body cannot influence the results of the auditing carried out?

4.2 INDEPENDENCE

Is the AUDITING BODY independent to the extent required with regard to the conditions under which it performs its operations? Does the type of AUDITING BODY meet the minimum criteria stipulated in one of the normative Annexes A, B or C?

5. CONFIDENTIALITY

Does the AUDITING BODY have procedures to ensure confidentiality of information obtained in the course of its auditing activities and to protect proprietary rights?

6. ORGANIZATION AND MANAGEMENT

6.1 Does the AUDITING BODY have an organization that enables it to maintain the capability to perform its technical functions satisfactorily?

6.2 Does the AUDITING BODY define and document the responsibility and reporting structure of the organization? (Where the AUDITING BODY also supplies certification and/or testing services, the relationship between its functions must be clearly defined.)

6.3 Does the AUDITING BODY have a technical manager who is qualified and experienced in the operation of the AUDITING BODY and who has overall responsibility for ensuring that the auditing activities are carried out in accordance with ISO 17021?

6.3.1 Is the technical manager a permanent employee of the Auditing Body?


6.4 Does the AUDITING BODY provide effective supervision by persons familiar with the auditing methods and procedures, the objective of the auditing and the assessment of the examination results?

6.5 Does the AUDITING BODY have named persons who will deputize in the absence of any manager, however named, responsible for auditing services?

6.6 Is each auditing category affecting the quality of auditing services described?

6.6.1 Do the job descriptions include the requirements for education, training, technical knowledge and experience?

7 QUALITY SYSTEM

7.1 Does the auditing body’s management define and document its policy and objectives for, and commitment to, quality, and does it ensure that the policy is understood, implemented and maintained at all levels of the organization?

7.2 Does the AUDITING BODY operate an effective quality system appropriate to the type, range and volume of work performed?

7.3 Is the quality system fully documented?

7.4 Does the AUDITING BODY have designated people who, irrespective of other duties, have defined authority and responsibility for quality assurance within the AUDITING BODY?


7.4.1 Does the designated person have direct access to top management?

7.5 Is the quality system maintained relevant and current under the responsibility of the designated person?

7.6 Does the AUDITING BODY maintain a system of control of all documentation relating to its activities to ensure that:

a) Current issues of appropriate documentation are available at all relevant locations and to all staff?

b) Changes to documents or amendments to documents are covered by the correct authorization and processed in a manner which will ensure timely availability at the appropriate locations?

c) Superseded documents are removed from use throughout the organization, but a copy is filed for a determined period?

d) Other parties are notified of changes as necessary?

7.7 Does the AUDITING BODY carry out a system of planned and documented internal quality audits?

7.7.1 Are the personnel performing the audits suitably qualified and independent of the functions being audited?

7.8 Does the AUDITING BODY have documented procedures for dealing with feedback and corrective action whenever discrepancies are detected in the quality system and/or in the performance of audits?


7.9 Does the management of the AUDITING BODY review the quality system at appropriate intervals to ensure its continuing suitability and effectiveness? Are the results of such reviews recorded?

8. PERSONNEL

8.1 Does the AUDITING BODY have a sufficient number of permanent personnel with the range of expertise to carry out its normal functions?

8.2 Does the staff of the AUDITING BODY have appropriate qualifications, training, experience and a satisfactory knowledge of the requirements of the audits to be carried out?

8.2.1 Does the staff possess the ability to make professional judgments as to conformity with the general requirements using examination results and to report thereon?

8.2.2 Does the staff have relevant knowledge of the technology used for manufacturing of the products inspected, of the way in which the products or processes submitted to their audits are used or are intended to be used, and of the defects which may occur during use or in service?

8.2.3 Does the staff understand the significance of deviations found with regard to the normal use of the products or the processes concerned?

8.3 Has the AUDITING BODY established a documented training system to ensure that the training of its personnel in the technical and administrative aspects of the work in which they are involved is kept up to date in accordance with its policy? Do training requirements depend upon the ability, qualification and experience of the persons involved? (The auditing body shall establish the necessary stages of training of each person.)

8.4 Are records of academic or other qualifications, training and experience of each member of its personnel maintained?

8.5 Does the AUDITING BODY provide guidance for the conduct of its staff?

8.6 Does the remuneration of persons engaged in auditing activities depend directly on the number of audits carried out and/or on the results of such audits?

9 FACILITIES AND EQUIPMENT

9.1 Does the AUDITING BODY have available to it suitable and adequate facilities and equipment to permit all activities associated with the auditing service to be carried out?

9.2 Does the AUDITING BODY have clear rules for the access to and use of specified facilities and equipment?

9.3 Does the AUDITING BODY ensure the continued suitability of the facilities?

9.4 Is all such equipment properly identified?

9.5 Is the equipment properly maintained in accordance with documented procedures and instructions?

9.6 Does the AUDITING BODY ensure that, where appropriate, equipment is calibrated before being put into service and thereafter according to an established program?

9.7 Is the overall program for calibration of equipment designed and operated so as to ensure that, wherever applicable, measurements made by the AUDITING BODY are traceable to national and international standards of measurement where available? (Where traceability to national or international standards of measurement is not applicable, the AUDITING BODY shall provide satisfactory evidence of correlation or accuracy of results.)

9.8 Are the reference standards of measurement held by the AUDITING BODY used for calibration only and for no other purpose? Are the reference standards of measurement calibrated by a competent body that can provide traceability to a national or international standard of measurement?

9.9 Where relevant, is equipment subjected to in-service checks between regular re-calibrations?

9.10 Are reference materials, where relevant, traceable to national and international reference standards?

9.11 Where relevant to the quality of auditing services, does the AUDITING BODY have procedures for:

• Selection of qualified suppliers

• Issuing appropriate purchasing documents

• Auditing of received materials

• Ensuring appropriate storage facilities

9.12 Where applicable, is the condition of stored items assessed at appropriate intervals to detect deterioration?

9.13 Does the AUDITING BODY use computers or automated equipment in connection with auditing? Does it ensure that:

• Computer software is tested in order to confirm that it is adequate for use?

• Procedures are established and implemented for protecting the integrity of data?

• Computer and automated equipment is maintained in order to ensure proper function?

• Procedures are established and implemented for maintenance of security of data?

9.14 Does the AUDITING BODY have documented procedures for dealing with defective equipment? (Defective equipment shall be removed from service by segregation, prominent labeling or marking. The AUDITING BODY shall examine the effect of defects on previous audits.)

9.15 Is relevant information on the equipment recorded? (This will normally include identification, calibration and maintenance)

10 AUDITING METHODS AND PROCEDURES

10.1 Does the AUDITING BODY use the methods and procedures for auditing which are defined in the requirements against which conformity is to be determined?

10.2 Does the AUDITING BODY have and use adequate documented instructions on audit planning and on standard sampling and auditing techniques where the absence of such instructions could jeopardize the efficiency of the auditing process? (Where applicable, this requires sufficient knowledge of statistical techniques to ensure statistically sound sampling procedures and the correct processing and interpretation of results.)

10.3 When the AUDITING BODY has to use auditing methods or procedures which are non-standard, are such methods and procedures appropriate and fully documented?

10.4 Are all instructions, standards or written procedures, worksheets, checklists and reference data relevant to the work of the AUDITING BODY maintained up to date and readily available to the staff?

10.5 Does the AUDITING BODY have a contract or work order control system which ensures that:

• Work to be undertaken is within its expertise and that the organization has adequate resources to meet the requirements?

• The requirements of those seeking the AUDITING BODY’s services are adequately defined and that special conditions are understood so that unambiguous instructions can be issued to staff performing the duties required?

• Work undertaken is controlled by regular review and corrective action?

• Completed work is reviewed to confirm that requirements are met?

10.6 Are observations and/or data obtained in the course of audits recorded in a timely manner to prevent loss of relevant information?

10.7 Are all calculations and data transfers subjected to appropriate checks?


10.8 Does the AUDITING BODY have documented instructions for carrying out audits safely?

11 HANDLING OF AUDITING SAMPLES AND ITEMS

11.1 Does the AUDITING BODY ensure that samples and items to be inspected are uniquely identified to avoid confusion regarding the identity of such items at any time?

11.2 Are any apparent abnormalities notified to or noticed by the inspector recorded before commencement of auditing? (Where there is any doubt as to the item’s suitability for the auditing to be carried out, or when the item does not conform to the description provided, the auditing body shall consult the client before proceeding.)

11.3 Does the AUDITING BODY establish whether the item has received all the necessary preparation, or whether the client requires preparation to be undertaken or arranged by the AUDITING BODY?

11.4 Does the AUDITING BODY have documented procedures and appropriate facilities to avoid deterioration or damage to auditing items while under its responsibility?

12 RECORDS

12.1 Does the AUDITING BODY maintain a record system to suit its particular circumstances and to comply with applicable regulations?

12.2 Do the records include sufficient information to permit satisfactory evaluation of the audit?

12.3 Are all records safely stored for a specific period, held secure and in confidence to the client, unless otherwise required by law?


13 AUDITING REPORTS AND CERTIFICATES

13.1 Is the work carried out by the AUDITING BODY covered by a retrievable auditing report/certificate?

13.2 Does the auditing report/certificate include all the examination results needed to understand and interpret them? (All this information shall be reported correctly, accurately and clearly. Where the auditing certificate contains results supplied by subcontractors, these results shall be clearly identified.)

13.3 Are the auditing reports/certificates signed or otherwise approved by authorized staff members?

13.4 Are the corrections or additions to an auditing report or auditing certificate after issue recorded and justified in accordance with the relevant requirements of this section?

14 SUBCONTRACTING

14.1 Does the AUDITING BODY itself normally perform the auditing which it contracts to undertake?

14.2 When the AUDITING BODY subcontracts any part of auditing, does it ensure and is it able to demonstrate that its subcontractor is competent to perform the service in question and where applicable complies with the criteria stipulated in the relevant standards of EN 45000 series? (The AUDITING BODY shall advise the client of its intention to subcontract any part of the auditing. The subcontractor shall be acceptable to the client).

14.3 Does the AUDITING BODY record and retain details of its investigation of the competence and compliance of subcontractors? Does the AUDITING BODY maintain a register of all subcontracting?


14.4 Where the AUDITING BODY subcontracts certain specialized activities, does it have access to a qualified and experienced person who is able to perform an independent assessment of the results of the subcontracted activities? (The responsibility for the determination of conformity with the requirements rests with the AUDITING BODY itself.)

15 COMPLAINTS AND APPEALS

15.1 Does the AUDITING BODY have documented procedures for dealing with complaints received from clients or other parties?

15.2 Does the auditing body have documented procedures for the consideration and resolution of appeals against the results of its auditing, where these are carried out under legally delegated authority?

15.3 Are records maintained of all complaints and appeals and of the actions taken by the AUDITING BODY?

16 COOPERATION

Does the AUDITING BODY participate in an exchange of experience with other Auditing Bodies and in standardization processes as appropriate?

Other Accreditation Requirements

1 The AUDITING BODY shall have procedures for maintaining safe working conditions and reporting work-related accidents.

2 The AUDITING BODY shall have procedures for handling of toxic wastes in accordance with relevant DM regulations.

Other Remarks (To be filled by DM)


QAF-02-05-16

Scheme for Approval of Conformity Assessment Bodies for eGovernance

Compliance checklist with IT specific laboratory requirements based on generic checklist ISO/IEC17025

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology,

Electronics Niketan, 6 CGO Complex, Lodi Road, New Delhi – 110003


SPECIFIC CHECKLIST

INFORMATION TECHNOLOGY TESTING LABORATORY

(June 2010)

The following pages present the requirements from Specific Requirements: Information Technology Testing Laboratory in a checklist format. The policies, procedures and activities of laboratories performing any type of information technology testing must meet these requirements. Quality system documentation and supporting records must be available for the assessor’s review.

Before the assessment, the laboratory is asked to complete all of the document reference identifiers associated with each of the shaded requirements.

This helps both the laboratory and the assessor(s) prepare for the assessment and may save a significant amount of assessment time and cost. The appropriate “document reference” should include quality manual, laboratory manual, SOP, etc. references. The noted references should specify procedure number, page number and section number, if possible, where each checklist item is addressed.

Assessor Instructions: Review the laboratory’s documented management system to verify compliance with the applicable requirements. Assess to verify that the documented management system is indeed implemented as described. Place a tick mark in the yes (Y), no (N) or not applicable (NA) space for each requirement (shaded and unshaded). Record comments related to any requirement on the space provided. Assess the laboratory’s technical competence to perform specific tests or specific types of tests. Record comments related to tests/calibrations on Method Matrix: ISO/IEC 17025. Verify that all field testing/calibration personnel and methods have been identified and submitted to STQC. All deficiencies must be identified and explained in the assessor deficiency report.

Laboratory Name: _______________________________________________________________

City: ________________________________________________ State: _____________

Date: ________________________

Lab Code: ______________________

Assessment Ref: ______________________

Certificate #(s): ______________________


SPECIFIC CHECKLIST: INFORMATION TECHNOLOGY TESTING LABORATORY APPROVAL PROGRAM

(June 2010)

CHECKLIST

Requirement | Document Reference | {RESERVED FOR ASSESSORS ONLY} Compliance: Y / N / NA | Comments

4.1 Organization

4.1 IT.1 The management system requirements of ISO/IEC 17025 and the additional requirements of this document apply to the laboratory’s permanent facilities, to testing performed at the customer’s facility, and to any testing performed via a remote connection to the customer’s or a sub-contracted (such as an ASP) facility.

4.4 Review of requests, tenders and contracts

4.4 IT.1 The contract shall define which components of the test environment are being supplied by the laboratory and which are being supplied by the client. This includes hardware and software. The test environment boundary interface points shall also be clearly defined.

4.4 IT.2 When ASP services are utilized for testing, it shall be agreed to in writing by the client in the contract review.


4.6 Purchasing services and supplies

4.6 IT.1 For the purposes of Approval in the IT field of testing, the requirements in this section of ISO/IEC 17025 also apply to the purchase of any ASP services that are used to conduct the testing.

4.9 Control of nonconforming testing and/or calibration work

4.9 IT.1 Errors detected in the SUT do not constitute non-conforming work, but are an aspect of the overall results of the test. These errors shall be documented in the test report in accordance with ISO/IEC 17025 section 5.10.

4.9 IT.2 Any other aspect of testing not associated with results that does not conform to the documented test methodologies (see section 5.4) shall be considered non-conforming work and subject to the requirements of this section.

4.13 Control of records

4.13 IT.1* Technical records shall include, as far as possible, the correct and complete identification of the test environment used for the SUT; this includes complete configuration management identification for all system components (both hardware and software).

5.3 Accommodation and environmental conditions

5.3 IT.1 IT testing should be separated from any design/development or production environments. There should be no other concurrent activities occurring during testing that could affect or invalidate the results.


5.3 IT.2 Any virtual environments or other special configurations shall be fully documented in the test records (as per 4.13.1 (IT) above) along with a justification as to why it is believed not to affect or invalidate the results.

5.3 IT.3 When ASP services are utilized for testing, any outside system influences that could be contributed from other ASP users shall be documented in the technical records.

5.3 IT.4 When a computing hosting center is utilized to house the lab-owned system hardware it is considered within and part of the lab environment.

5.4 Test and calibration methods and method validation

Note: The test methods defined in ISO/IEC 17025 section 5.4 are referred to as testing methodology(s) in these program requirements.

5.4 IT.1* The lab shall define and document a testing methodology which shall address the following topics:

(a) Test preparation and setup

(b) Test coverage and traceability to requirements.

(c) Assurance that test case results are not ambiguous and have single thread of execution with objective results relating to expected outcomes.

(d) Assurance that any automated test suites will produce valid results.

(e) Test document approval prior to testing.

(f) Completed test case review and approval.


(g) Test reporting with anomaly severity classifications.

(h) Test Candidate configuration management.

It may also include the following, subject to contract review:

(i) Test anomaly characterization and priority.

(j) Criteria for running partial testing or re-testing candidates.

(k) Any other topics with agreement with the customer.

5.4 IT.2* IT Testing work shall be defined in Test Plans, Test Specifications, Test Cases, or other test suite deliverables as defined in the testing methodology. These can also be encompassed in an overall Validation Plan with a matching Validation Report as defined by the methodology.

5.4 IT.3 The test suites/plans/specifications/cases shall be technically reviewed and approved prior to execution. This can be considered the validation of test method as defined in ISO/IEC 17025 clause 5.4.5. This review shall include:

(a) Confirmation of adequate test coverage of all requirements.

(b) Confirmation that test case results are not ambiguous and have objective pass/fail criteria.

(c) Confirmation that any automated test suites will produce valid results.


5.4 IT.4 The concept of Measurement Uncertainty (MU) typically is not applicable as IT testing executes digital logic on a pass/fail basis. MU may be applied to IT under the following conditions:

(a) When the SUT is performing mathematical operations or using approximations and rounding in statistical analysis, calculus, or geometry, an uncertainty may be introduced by the algorithms themselves. Where this becomes significant to the output or functioning of the SUT, MU shall be documented

5.4 IT.5 Computers as described in section 5.4.7 of ISO/IEC 17025 are considered test equipment and are managed per the requirements of ISO/IEC 17025 section 5.5.

5.5 Equipment

5.5 IT.1 Software test tools significant to testing are considered equipment and shall follow the appropriate ISO/IEC 17025 section 5.5 clauses.

5.5 IT.2* Software Tool validation confirms that the software tools meet the specified requirements. The software tools shall be validated, documented and include the following objective evidence:

(a) Custom software testing tools – Full validation effort.

(b) COTS software tools used as is – Acceptance testing for each installed instance.

(c) MOTS software tools – Acceptance testing for each installed instance along with validation of the modification or tailoring.


5.5 IT.3 Each software test tool installation (instance) shall undergo a documented installation/operational qualification prior to use. There shall be documented evidence of the configuration and inventory of each specific installed software or system and suitable tests to confirm functionality.

5.5 IT.4 Software test tools can be installed on many systems. Each instance of test tool software shall be uniquely identified on each target environment and be under configuration management.

5.5 IT.5* The equipment records requirements in ISO/IEC 17025 are defined here as follows:

(a) Identity – each instance of software/hardware.

(b) Manufacturer – includes manufacturer name, program name, and version number.

(c) Checks – installation/operational qualifications.

(d) Location – target system name or location.

(e) Manufacturer’s instructions – user manuals.

(f) Calibrations – as discussed in 5.5.2.

(g) Maintenance Plan – N/A, this is not applicable.

(h) Damage – N/A, this is not applicable.

5.5 IT.6 When software test tools are used by others outside of the laboratory’s control, configurations and adaptations shall be checked and possibly reset to ensure proper functioning.

Note: For example, when another group outside of the lab’s control has access rights to the testing environment.


5.5 IT.7 Software test tools should be reset or logs emptied between test candidates to ensure that only current test data is recorded.

5.5 IT.8 Automated test cases should be checked for validity between test candidates to ensure valid test results.

5.5 IT.9 Software test tool configurations shall be safeguarded by user roles or other appropriate means.

5.6 Measurement traceability

5.6 IT.1 Traceability is not applicable for software test tools that operate in relation to hardware processor clock cycles and /or counters with no dependence on real time.

5.8 Handling of test and calibration items

5.8 IT.1 Laboratories shall maintain software test candidates (SUT samples) under configuration management with appropriate metadata to ensure that each sample is uniquely identified.

5.8 IT.2 SUTs maintained under a common configuration management system accessible by customers shall be controlled and isolated.
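Clauses 5.5 IT.3 to IT.6 and 5.8 IT.1 all reduce to the same practical need: an installed test-tool instance and a delivered SUT sample must each have a record that identifies it uniquely, captures its configuration at qualification time, and lets the lab detect afterwards that someone outside its control has changed it. The following is an added illustration of one way a lab could keep such records; it is example code written for this checklist, not STQC tooling or a required format. The tool name "regress", the target "LAB-PC-07", the qualification reference and every byte of file content are constructed sample data.

```python
# Added illustrative code for clauses 5.5 IT.3 to IT.6 and 5.8 IT.1; it is not
# STQC's own tooling. Tool names, target names and file contents below are
# constructed sample data.
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Content digest: identifies an artifact by what it contains, not by its name."""
    return hashlib.sha256(data).hexdigest()


def manifest_digest(files: Dict[str, bytes]) -> str:
    """One digest for a whole set of files (a tool installation or an SUT delivery).
    Each file is hashed, then the sorted (path, digest) list is hashed, so the
    result does not depend on the order in which files were enumerated."""
    manifest = [[path, sha256_hex(files[path])] for path in sorted(files)]
    return sha256_hex(json.dumps(manifest).encode())


@dataclass
class EquipmentRecord:
    """Equipment record with the fields of 5.5 IT.5 (a) to (f); (g) maintenance
    plan and (h) damage are N/A there and are left out."""
    identity: str         # (a) unique per installed instance (5.5 IT.4)
    manufacturer: str     # (b) manufacturer name
    program: str          # (b) program name
    version: str          # (b) version number
    checks: str           # (c) reference to the installation/operational qualification record
    location: str         # (d) target system name
    instructions: str     # (e) user manual reference
    calibration: str      # (f) "N/A" for tools covered by 5.6 IT.1
    manifest_sha256: str  # digest of the installed files taken at qualification time


def make_equipment_record(program: str, version: str, manufacturer: str, target: str,
                          installed_files: Dict[str, bytes], iq_oq_ref: str,
                          manual_ref: str, calibration: str = "N/A") -> EquipmentRecord:
    """Build the record for one installed instance. The identity embeds the target
    system, so the same tool on two machines gets two distinct records."""
    return EquipmentRecord(
        identity=f"{program}-{version}@{target}",
        manufacturer=manufacturer, program=program, version=version,
        checks=iq_oq_ref, location=target, instructions=manual_ref,
        calibration=calibration, manifest_sha256=manifest_digest(installed_files),
    )


def sut_sample_record(name: str, version: str, artifacts: Dict[str, bytes],
                      received_from: str) -> dict:
    """5.8 IT.1: metadata that makes a test candidate unique. Two deliveries that
    claim the same version but differ in any byte get different sample ids."""
    digest = manifest_digest(artifacts)
    return {
        "sample_id": f"{name}-{version}-{digest[:12]}",
        "name": name,
        "version": version,
        "received_from": received_from,
        "artifacts": {path: sha256_hex(data) for path, data in sorted(artifacts.items())},
        "manifest_sha256": digest,
    }


def configuration_drift(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> List[str]:
    """5.5 IT.6: every path whose content changed, appeared or disappeared since the
    qualified baseline. An empty list means the instance may be used without a reset."""
    return [path for path in sorted(set(baseline) | set(current))
            if baseline.get(path) != current.get(path)]


# Constructed sample: a regression tool as captured at its installation qualification.
BASELINE_INSTALL = {
    "bin/regress": b"\x7fELF-placeholder-binary-content",
    "etc/regress.cfg": b"timeout=30\nlog=/var/log/regress.log\n",
}
# The same instance after a group outside the lab's control edited the config.
TAMPERED_INSTALL = dict(BASELINE_INSTALL,
                        **{"etc/regress.cfg": b"timeout=300\nlog=/var/log/regress.log\n"})


def demo() -> List[str]:
    """Print the equipment record and return the paths that must be reset before use."""
    record = make_equipment_record("regress", "4.1", "ExampleVendor", "LAB-PC-07",
                                   BASELINE_INSTALL, "IQ-OQ/2010-014", "docs/regress-manual.pdf")
    print(json.dumps(asdict(record), indent=2))
    drift = configuration_drift(BASELINE_INSTALL, TAMPERED_INSTALL)
    print("paths to reset before use:", drift)
    return drift


if __name__ == "__main__":
    demo()
```

The point of hashing a sorted manifest rather than individual files only is that the record in 5.5 IT.5 stays a single comparable value per instance: the check required by 5.5 IT.6 becomes a re-hash of the live installation against the stored digest, and the per-path list from configuration_drift tells the tester exactly what to reset. The same manifest digest embedded in the SUT sample id makes a re-delivery that silently changed one file show up as a new sample rather than overwrite the old record.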

5.9 Assuring the quality of test and calibration results

5.9 IT.1 The quality control monitoring in this clause consists of software quality control efforts documented by the lab. No other monitoring is applicable.

5.10 Reporting the results

5.10 IT.1* When test reports contain multiple tests or partial tests, the test report shall describe how they interrelate to show a complete accredited test.


5.10 IT.2 Test reports containing open errors shall have them described in an unambiguous way and should include severity descriptions in user terms.

5.10 IT.3 Any discussion of workarounds or resolution status is considered opinion and shall be denoted as such.


QAF-02-05-17

Minimum Requirements for approval of

Software Test Laboratory


Contents

1. Introduction
2. Objectives and Scope of software test laboratory
3. Organization Structure of software test laboratory
4. Infrastructure required
   4.1 General Guidelines
   4.2 Physical Layout and Furnishings
   4.3 Hardware/Software
   4.4 Test Tools
   4.5 Minimum Reference Standards
Annexure


1.0 Introduction

With the spread of Information Technology into all walks of life, high quality software and systems are becoming a prerequisite for the success of any Mission or Project. To assess the quality of this software, an environment is required which can ensure objective evaluation with reliability, reproducibility and repeatability. The test lab is an engineering laboratory where testing is conducted; it is also a physical location. To create such an environment and operate a test lab in which confidence can be placed, a set of requirements needs to be met. This document sets out these requirements, which are essential to operate a reliable and professional software Test Lab.

The complexity of software makes complete testing an impossible goal; a well-conceived methodology and the use of state-of-the-art tools help to improve the productivity and effectiveness of the software testing laboratory. This can be achieved by a combination of processes and tools. The test laboratory shall have the necessary infrastructure, environment, competencies and resources to design, architect and conduct software tests and to evaluate the test results objectively. This document sets out the minimum requirements for a Software and System Test Laboratory to obtain approval for Testing eGovernance Solutions.

2.0 Objectives and Scope of Software Test Laboratory

The objective of a software test laboratory is to assess software product quality by:

• Finding and documenting defects in software
• Providing information about perceived software quality
• Confirming the validity of the assumptions made in design and requirements specifications through concrete demonstration
• Validating that the software product functions as designed
• Validating that the requirements have been implemented appropriately

The laboratory shall define its policy for conducting various levels and classes of tests, e.g.:

Testing Levels

- Unit Testing
- Integration Testing
- System Testing
- Acceptance Testing

Classes of Test

- User Acceptance Tests
- Functional Test
- Non-Functional Testing
  i. Usability Test
  ii. Performance Test
  iii. Security Test, etc.

The laboratory can develop various competencies and acquire tools, methodologies and processes to conduct tests for various quality characteristics like Functionality, Usability, Reliability, Performance, Maintainability, Portability, Security and Documentation. The test architect and test case designer should have basic domain knowledge to perform their jobs effectively.


The common domains are finance, management information system & ERP packages, language products and other e-Governance applications.

3.0 Organization Structure of software test laboratory

A software test laboratory is headed by a Technically Competent Manager (generally designated as Director) with Project Teams executing various testing projects.

[Organization chart: Director; Administrative Support; QA/Authorized Representatives*; Test Manager; Test Designer, Test Architect, Test Report Analyst, Software Tester; Testing: Project 1, Testing: Project 2, Testing: Project 3]

* The laboratory’s recognized official contact with the accreditation body.

Role & Activities:

Role: Test Manager

Qualification: Bachelor’s Degree in Engineering/MCA + 4 years of relevant experience as a team member/Manager in the area of software development, with at least 2 years in software testing.

Activities:
• Agree on Mission
• Identify Test Objectives
• Test Configuration & Test site
• Review of Documents, Defect Log & Test Report observed
• Primary Interface to the stakeholders

Responsibilities:
• Test Plan
• Review & approval of test cases/Scenarios
• Approval of software Documents, Defect & Final Test Report
• Approval of Test Report
• Test Evaluation Summary


Role: Test Designer

Qualification: Bachelor’s Degree in Engineering/MCA + 2-3 years experience in software testing. Certification in software testing such as CSTE (ASQ)/CSTP (Level 1)/ISTQB (Level 1)/CST (STQC) is preferred.

Activities:
• Define Test Approach
• Develop Test Procedure & Test cases

Responsibilities:
• Test Automation Architecture
• Test Interface Specification
• Test Environment Configuration
• Test Scenario and test cases document
• Test Procedure

Role: Test Architect

Qualification: Bachelor’s Degree in Engineering/MCA + 2-3 years experience in software testing. Certification in software testing such as CSTE (ASQ)/CSTP (Level 1)/ISTQB (Level 1)/CST (STQC) is preferred.

Activities:
• Define Test Environment Configurations
• Identify Testability Mechanisms
• Structure the Test Implementation
• Define Testability Elements

Responsibilities:
• Test Automation Architecture
• Test Interface Specification
• Test Environment Configuration
• Test Scenario and test cases document
• Test Procedure

Role: Tester

Qualification: Bachelor’s Degree in Engineering/MCA + 1 year experience in software testing, or Diploma in Engineering with 3 years of experience in software testing. Certification in software testing such as CST (ISTQB)/CST (STQC) is preferred.

Activities:
• Implement Test Scenario
• Execute Test cases
• Prepare the defect log
• Prepare the Defect Report
• Prepare the test Report

Responsibilities:
• Defect Log
• Defect Report
• Test Report

4.0 Infrastructure

4.1 General Guidelines: The test laboratory should be designed for maximum efficiency and control. Some of the ways to achieve this are:

• All testers should operate in close proximity to one another; this promotes communication and mutual observation of on-screen anomalies.
• Computers should be set up with multiple operating system/configuration capability; this allows software to be tested and confirmed in a wide variety of environments.
• Each computer should be set up with multiple means of communication, so that ISPs, connection modalities (including T1, DSL, dial-up, and more) and communication protocols can be varied at will.
• The laboratory shall establish large groups of PCs that facilitate automated testing.
• Testing labs should contain multiple networks so that testing can be isolated between predetermined groups of machines.
• Computers should have the ability to conduct real-time packet "sniffing" analysis, either on the LAN or over the internet.
• Computers on a specific network should be time-synchronized to allow packet captures ("sniffing") on multiple machines to be compared and analyzed with one another.
• Computers should be equipped with screen capture and video capture software to allow "difficult" bugs to be documented graphically.

4.2 Physical Layout and Furnishings: The layout of the test laboratory should be such that optimum lab space can be used, keeping in mind the kinds of tables and equipment racks that need to be installed. Remember to leave enough open space to allow people to come and go freely and to accommodate benches, desks, stools and chairs.

Climate Control: The test lab must have sufficient air conditioning and heating to preserve a stable, normal operating temperature and humidity for testers and equipment.

Copiers and Printers: The test lab needs its own printer (it shouldn’t count on using a test printer) and a copier.

Mouse Pads and Static Pads: A few static pads to minimize the possibility of static-discharge damage to hardware.

Fire Safety and Prevention: Every workplace should have a smoke or fire detector, either battery powered or backed up by a battery, and this detector must be tested regularly.

4.3 Hardware/Software

Hardware:

a) Network: Multiple networks in the laboratory may be prepared for executing tests on multiple projects. The network should contain routers, switches, firewalls and Internet connectivity with proper configuration.

b) Servers: Availability of application & data servers with the latest configuration.

c) Test Systems: Availability of PCs & laptops of different configurations.

d) Other Requirements: Availability of data storage devices, printers/scanners, web cameras, biometric sensing devices, etc.

Software:

• Different types of operating system (the most commonly used)
• Application Software
• Database Software
• Antivirus/Firewalls with latest updates
• Utilities, etc.

4.4 Test Tools:

• Tools for Functional Testing, e.g. Regression Test tool
• Tools for Performance Testing
• Tools for Security Testing
• Tools for Website testing
• Static Testing tools
• Tools for Defect Management


Annexure A

Functional Testing

Functional Testing verifies the correct operation of the application. This includes:

• Assessment of all business critical transactions
• Selection of the most critical transactions, and the building of appropriate test cases
• Requirements analysis and discovery
• Development of a test plan
• Delineation of testing procedures and expected results for selected test cases
• Test execution
• Reporting of test results

Test Automation

The laboratory shall develop test automation expertise for switching from Manual Testing to Automated Testing: creating and maintaining test scripts with capture/playback tools; recording and playback; test script development and maintenance; capture/playback tools for regression testing. The lab shall include all the necessary hardware and software to simulate most environments. A typical list of test lab hardware and software operating systems:

• More than 100 Intel-based workstations and servers, ranging from 486’s to Pentium IV with memory from 1MB to 80GB
• Sun E450 enterprise server
• Sun Ultra SPARC 5 workstations
• Apple Macs in several configurations
• Operating systems including Microsoft Windows 3.1, 3.11 WfW, Win 95, Win 98, Win 2000 beta, NT 3.5, NT 4.0, Solaris 2.5 and 7, Linux
• Full range of Microsoft Office applications, all Netscape and Microsoft browsers, Lotus Notes and more
• CAT 5 100BaseT LAN network
• T1 Internet connectivity, plus dial-up support and dial-in remote access

Test Assets: The laboratory shall maintain a repository of the test assets:

• Test Plan
• Test Hierarchy
• Test Procedures
• Test Cases
• Defect Tracking
• Customized Reports


Usability Test Laboratory

Usability Testing

Usability testing provides an analysis of the quality of the user experience, including site navigation, site organization and ease of use. Aspects of the usability analysis include:

• Readability of content
• Site consistency/accessibility (navigation, language, etc.)
• Consistency of m-commerce site with e-commerce site
• User response time
• Handling of user errors

General Description and Layout of the Usability Laboratory

The laboratory consists of two test rooms with one-way glass windows through to a single large control and observation room. There is also a one-way window between the test rooms. Adjusting the lighting levels in the various areas sets the direction of viewing; controlled lighting is used throughout. Drop-down blinds on all windows allow the rooms to be visually isolated if necessary. These arrangements provide a highly flexible and adaptable observation space. Both test rooms can be used simultaneously, and one can serve as a secondary observation room. This allows designers, developers or company executives to observe tests without interfering with the main observation & recording team in the control room.

The laboratory should have extensive video and sound recording capabilities, including:

• Unobtrusive, wall-mounted TV cameras
• Additional, tripod-mounted cameras, if needed
• Flexible location and shot composition for all cameras
• Unobtrusive, whole-of-room sound pick-up
• Multiple display/observation monitors in the control room
• An S-VHS/VHS time-code capable VCR for each test room
• Video mixing of multiple camera views onto a single observation tape
• Picture in picture (PIP), 4 quadrant and 3 way mixes possible
• The mix can include a scan-converted version of the screen display on the test PC

Most routine testing is carried out on a "standard" Windows 2000 or Windows XP based PC. The test PC is equipped with a 17" touch screen monitor and can therefore be used for testing prototypes of kiosk software and other touch-based interfaces. It is possible to install other operating systems on the test PC if this is needed for a particular study. The lab is suitable for a range of activities including:

• Formal, experimental usability testing
• Rapid turnaround user interface development and testing
• Observation of small group meetings with or without a technology or communications component
• "Touch and try" prototype and product evaluations
• "Executive" and/or designer observation of real users in action and usability tests in progress

Performance Test Laboratory

The features of performance testing are:

• Use of an automated tool to simulate a web site’s expected transaction load
• Automated measurement and monitoring of web application software performance under load, including:
  o CPU utilization
  o User response time
  o Server capacity
  o Database query utilization
  o Software Application Transaction Response
  o Network Bandwidth Utilization

The performance testing of a web application includes:

• Detailed transactional analysis (thread analysis) of all application requests and responses, overlaying network routing
• Bounce diagram of the web site’s application showing the actual transaction path and associated processing times
• Graphical charts and diagrams representing the web site’s system performance
• A graphical picture of the most troublesome areas, giving the development staff a quick picture of where the trouble spots may be

Load and stress testing delivers web user traffic load to determine if the web site can handle spikes in transactions and user load, and validates the application’s scalability and user/transaction breaking point. Major activities of the performance test laboratory are: refining load testing goals; stress testing; performance testing; creating load testing scenarios; proper load generation; tool selection; load testing environment; designing performance evaluation criteria, etc. Stress tests are carried out on Web applications, including WAP gateway and backend systems, to determine system performance and scalability under different user loads. This testing helps customers/clients to identify, isolate and fix performance bottlenecks in Web infrastructure both before they launch their site and after the site goes live.


Technical Information Centre

The Technical Information Centre of the Software Test Laboratory should maintain the following books (Sr. No., Title, Author, Publication):

1. Software Engineering – A Beginner’s Guide, by Roger Pressman (McGraw Hill)
2. Software Engineering – A Practitioner’s Approach, by Roger Pressman (McGraw Hill)
3. An Integrated Approach to Software Engineering, by Pankaj Jalote (Narosa Publishing House)
4. The Art of Software Testing, by G.J. Myers (John Wiley & Sons)
5. Software Testing Techniques, by Boris Beizer (Van Nostrand Reinhold, NY)
6. Software Testing & Quality Assurance, by Boris Beizer (International Thompson Press)
7. Black Box Testing, by Boris Beizer (John Wiley & Sons)
8. Testing Computer Software, by Cem Kaner (The Coriolis Group)
9. Effective Methods of Software Testing, by William Perry (Addison-Wesley)
10. Software Testing in the Real World, by E. Kit (Addison-Wesley Longman)
11. Testing Client Server Systems, by Kelley Bourne (McGraw Hill)
12. Applied Software Measurements, by Capers Jones (McGraw Hill)
13. Metrics & Model, by Stephen Kan
14. Software Measurements, by Dick Simmons, Newton C. Ellis (HP Professional)
15. CMM in Practice, by Pankaj Jalote (Addison-Wesley)
16. CMM Implementation Guide, by Kim Caputo (Addison-Wesley)
17. Managing the Software Process, by Watts Humphrey (SEI Publication)


Useful IEEE Standards

Customer and Terminology:

• 610.12, Standard Glossary of Software Engineering Terminology
• 1062, Recommended Practice for Software Acquisition
• 1220, Standard for Application and Management of the Systems Engineering Process
• 1228, Standard for Software Safety Plans
• 1233, Guide for Developing System Requirements Specifications
• 1362, Guide for Concept of Operations Document
• 12207, Software Life Cycle Processes
• 12207.1, Guide to Software Life Cycle Processes—Life Cycle Data
• 12207.2, Guide to Software Life Cycle Processes—Implementation Considerations

Process:

• 730, Standard for Software Quality Assurance Plans
• 730.1, Guide for Software Quality Assurance Planning
• 828, Standard for Software Configuration Management Plans
• 1008, Standard for Software Unit Testing
• 1012, Standard for Software Verification and Validation
• 1012a, Software Verification and Validation Content Map to IEEE/EIA 12207.1
• 1028, Standard for Software Reviews
• 1042, Guide to Software Configuration Management
• 1045, Standard for Software Productivity Metrics
• 1058, Standard for Software Project Management Plans
• 1059, Guide for Software Verification and Validation Plans
• 1074, Standard for Developing Software Life Cycle Processes
• 1219, Standard for Software Maintenance
• 1490, A Guide to the Program Management Body of Knowledge

Product:

• 982.1, Standard Dictionary of Measures to Produce Reliable Software
• 982.2, Guide for the Use of Standard Dictionary of Measures to Produce Reliable Software
• 1061, Standard for a Software Quality Metrics Methodology
• 1063, Standard for Software User Documentation
• 1465, IEEE Standard Adoption of ISO/IEC 12119:1994 (E) International Standard – Information Technology – Software Packages – Quality Requirements and Testing
• 14143.1, Approved Draft – Standard Adoption of ISO/IEC 14143-1:1998 – Information Technology – Software Measurement – Functional Size Measurement – Part 1: Definition of Concepts

Resource and Technique:

• 829, Standard for Software Test Documentation
• 830, Recommended Practice for Software Requirements Specifications
• 1016, Recommended Practice for Software Design Descriptions
• 1044, Standard Classification for Software Anomalies
• 1044.1, Guide to Classification for Software Anomalies
• 1320.1, Syntax and Semantics for IDEF0
• 1320.2, Syntax and Semantics for IDEF1X97 (IDEFObject)
• 1348, Recommended Practice for the Adoption of CASE Tools
• 1420.1, Software Reuse—Data Model for Reuse Library Interoperability: Basic Interoperability Data Model
• 1420.1a, Software Reuse—Data Model for Reuse Library Interoperability: Asset Certification Framework
• 1420.1b-1999, Trial Use Supplement – Software Reuse—Data Model for Reuse Library Interoperability: Intellectual Property Rights Framework


Guidelines for Third Party Conformity Assessment Service Charges

Scheme for Approval of Conformity Assessment Bodies

for eGovernance

(QAF-02-05-18)

STQC - IT Services STQC Directorate, Department of Information Technology,

Ministry of Communications & Information Technology, Electronics Niketan, 6 CGO Complex, Lodi Road,

New Delhi – 110003


Guidelines for Third Party Conformity Assessment Service Charges Third Party Conformity Assessment Services: It covers the following Independent Third Party Conformity Assessment services for IT systems & software: A. Reviews B. Software Testing & Evaluation C. Security Testing & Audit D. Service Level Agreement (SLA) Measurement E. Audits A. Reviews: A.1 Review of System & Software Documentation: • Requirements Documentation (System Study Report, Gap Analysis Report, SRS, etc.) • Design & Development Documentation (High Level (Architecture) Design Document, Low

Level (Detailed) Design Document), etc.) • User Documentation (Installation Guide, User Manual, System Manual, etc.) • Policy, Procedures and Templates used for ISMS & ITSM A.2 Review of System & Software Artifacts/ Work Products: • Solution Architecture Review • Code Review/ Static Analysis (Only Limited) B. Software Testing & Evaluation: The software testing covers software applications and Websites/ Portal/ Web Applications. B.1 Software Functional Testing & Evaluation: The software is tested against functional requirements & evaluated for functionality characteristic. B.2 Software Non-Functional Testing & Evaluation: The software is tested for Usability, Efficiency, Reliability, Security, Maintainability, Portability & Documentation requirements and evaluated of non-functional characteristics. Testing & evaluation of software for integration, interoperability, scalability, load, volume, configuration, compatibility etc. is also undertaken. C. Security Testing & Audit: • Vulnerability Assessment (VA) • Penetration Testing (PT) D. Service Level Agreement (SLA) Measurement: SLA measurements are carried out on the deployed/ production IT system delivering services to verify that the system is adhering to the agreed upon Service related (i.e., User Centric) as well as System related (i.e., Technology Centric) service quality requirements such as availability, performance, problem resolution, etc. While service related SLAs take care of the services delivery issues, the system related SLAs address IT technology (hardware, software and network) used in delivering the services. E. System and Software Audits: E.1 Process Audit: • Development Life Cycle Processes (Design, Development, Operation & Maintenance) • Information Security Management System (ISMS) Processes • Information Technology Service Management (ITSM) Processes

Page 219: Master List of Documents August, 2010 Assessment... · Master List of Documents . August, 2010 . STQC - IT Services . STQC Directorate, ... 16 (QAF-02-05-16) Compliance checklist

Audit of processes is done as per international standards/ best practices such as ISO/IEC 12207, IEEE Software Engineering Standards, ISO/IEC 15504 (SPICE), the ISO/IEC 27000 series and ISO/IEC 20000.

E.2 IT Infrastructure Audit: Audit of the critical IT infrastructure deployed at the Data Center, Disaster Recovery Site, Network, Gateway, Front-Office and Back-Office locations is undertaken to verify that it complies with the Bill-of-Material and the defined architecture. The audit also covers the operationalisation aspects of the IT infrastructure:
• Hardware Configuration and Operationalisation Audit
• Software Configuration and Operationalisation Audit
• Deployed Solution Architecture and Operationalisation Audit
• Gateway Audit

Third Party Conformity Assessment Service Charges: The man-day rate for services is Rs. 10,000 per man-day. Compulsory costs include the cost of system study, planning & preparation, result analysis, report compilation, verification & closure, etc.

Proposal for Third Party Conformity Assessment Services: Based on the request from the client, broad requirements about the project and the scope of conformity assessment are obtained in order to estimate the effort required and prepare a proposal. To estimate the effort involved in conformity assessment, a clear-cut scope of third party conformity assessment is required. The following minimum information is obtained from the client for estimating the effort and charges:
• Scope of third party conformity assessment
• RFP/ FRS describing the project requirements
• Up-to-date SRS document clearly defining functional as well as non-functional software requirements, including:
  o Work flows, navigation, business rules and validation rules related to the software
  o Interdependencies and interfaces between software modules of the application
• Project documents to be reviewed:
  o List of documents (such as Requirements, Design, Architecture, User Manual, etc.)
  o List of artifacts/ work products (such as Solution Architecture, Source Code, etc.)
• Processes to be audited:
  o List of applicable processes
  o List of project locations (where the processes are implemented)

A detailed proposal for Third Party Conformity Assessment covering the following items is prepared:
• Scope of Third Party Conformity Assessment Services
• Details of Activities, Responsibility, Inputs required from the client and Outputs of Activities
• Deliverables
• Time Period (approximate)
• Service Charges
• Mode of Payment
• Terms & Conditions

These services are offered on an offsite as well as an onsite basis as per customer requirement. In the case of onsite services, the cost of travel, accommodation and local logistics for the assessment team deputed on the job shall be borne by the client.


Annexure I

1.0 Purpose and Scope

The purpose of this Annexure is to provide guidance for allocating man-days for certification assessment, surveillance and reassessment of an ISMS.

2.0 Definitions

Organizational structure

The arrangement and interrelation of an organization and its parts and possible co-operating third parties in terms of business activities, research and development, production, services, marketing and sales functions, locations and geographical spread.

Organization size

Number of employees in the organization under consideration.

IT infrastructure

The basic installations and facilities of the information processing systems used in the organization, including computer platforms, servers, workstations, personal computers, network equipment, networks, operating systems, application programs, utilities, etc.

3.0 Procedure

3.1 Determination of Audit Mandays:

The audit mandays are estimated based on the preliminary information provided by the organisation and the facts reported by the lead assessor/assessor during the adequacy audit. The factors considered for estimating the audit effort are:

• Organisation size
• Number of locations
• Nature of processes (e.g. repetitive in the case of call centres, H/W and application support of the same type of CI)
• Complexity of IT infrastructure
• Existing management certifications (e.g. ISO 27001, ISO 9001, etc.)

Based on these parameters the following matrix has been evolved:

Orgn. Size   No. of Locations   Nature of Processes/Activities   Complexity of IT Infrastructure (L/M/H)   No. of Mandays
Up to 200    Single             Repetitive                       L/M                                       05
Up to 200    Single             Non-Repetitive                   L/M                                       06
Up to 200    Multiple           Repetitive                       L/M                                       06
Up to 200    Multiple           Non-Repetitive                   L/M                                       08
Up to 200    Single             Repetitive                       H                                         06
Up to 200    Single             Non-Repetitive                   H                                         07
Up to 200    Multiple           Repetitive                       H                                         07
Up to 200    Multiple           Non-Repetitive                   H                                         09
201-500      Single             Repetitive                       L/M                                       07
201-500      Single             Non-Repetitive                   L/M                                       08
201-500      Multiple           Repetitive                       L/M                                       08
201-500      Multiple           Non-Repetitive                   L/M                                       10
201-500      Single             Repetitive                       H                                         08
201-500      Single             Non-Repetitive                   H                                         09
201-500      Multiple           Repetitive                       H                                         09
201-500      Multiple           Non-Repetitive                   H                                         11
> 500        Single             Repetitive                       L/M                                       08
> 500        Single             Non-Repetitive                   L/M                                       09
> 500        Multiple           Repetitive                       L/M                                       09
> 500        Multiple           Non-Repetitive                   L/M                                       12
> 500        Single             Repetitive                       H                                         09
> 500        Single             Non-Repetitive                   H                                         10
> 500        Multiple           Repetitive                       H                                         10
> 500        Multiple           Non-Repetitive                   H                                         12

The above matrix of audit mandays is for guidance purposes only. Although adherence to it shall be attempted, the number of mandays can be altered keeping in view the other management certification schemes being complied with by the organisation (e.g. ISO 27001, ISO 9000, SOX, COBIT) and the recommendation of the Lead Assessor/Assessor.

3.2 Complexity of IT infrastructure

Complexity   IT infrastructure

H            Several externally connected Extra-Nets. A number of non-standard real-time applications on several platforms. Potential interaction with critical information systems or information systems processing sensitive information.

M            External, fixed connection from home work places. Sharing of facilities (e.g. computers, telecommunication systems, etc.) with others. Complex information systems. Development and use of own software applications.
             Single or several connected LANs. Fixed connection to the Internet (ISDN, broadband, etc.). Own web pages with information for clients. Standard applications on one type of platform.

L            Single local area network with some workstations and/or personal computers. E-mail handling via the Internet by means of a dial-up modem connection.
             No network. Stand-alone personal computer or small single local area network with some workstations. No external connections.

For more guidance, ISO/IEC 27006 should be referred to.


Annexure II

1.0 Purpose and Scope

The purpose of this Annexure is to provide guidance for test effort estimation (allocating man-days) for Software Testing and Evaluation.

2.0 Procedures

2.1 Test Effort Estimation Using Use Case Points

It is known that a use case to test case mapping is possible. This means that the Use Case Point (UCP) figure for development can be used indirectly to arrive at a figure for the number of test cases. Using organisational test execution time metrics, it is then possible to arrive at a figure for the total test effort. This is a viable and systematic approach to test effort estimation.

Software Test Engineering

Test engineering covers a large gamut of activities to ensure that the final product achieves its quality goals. These activities must be planned well in advance to ensure that the objectives are met. Plans are based on estimates. Different organisations use different methods depending on the type of project, the inherent risks in the project, the technologies involved, etc.

2.2 From the function point estimates

The number of test cases can be determined from the function point estimate for the corresponding effort. The formula is:

Number of Test Cases = (Function Points)^1.2

The actual effort in person-hours is then calculated with a conversion factor obtained from previous project data. The disadvantage of using FPs is that they require detailed requirements in advance. Another issue is that modern object-oriented systems are designed with use cases in mind, and this technique is incompatible with them.

3.0 Use Cases

Description of a use case

A use case captures a contract between the stakeholders of a system about its behaviour. The use case describes the system's behaviour under various conditions as it responds to a request from one of the stakeholders, called the primary actor. The primary actor initiates an interaction with the system to accomplish some goal. The system responds, protecting the interests of all the stakeholders. Different sequences of behaviour, or scenarios, can unfold, depending on the particular requests made and the conditions surrounding the requests. The use case collects together those different scenarios.


Mapping Use Cases to Test Cases

Use cases in their most primitive form represent what the user wants from a system. The advantage of use cases is that they become available early in the project lifecycle.

4.0 UCP Approach to Estimation

Determine the number of actors in the system. This gives the UAW (unadjusted actor weight). Actors are external to the system and interface with it; examples are end users, other programs, data stores, etc. Actors come in three types: simple, average and complex. Actor classification for test effort estimation differs from that for development estimation.

End users are simple actors: in the context of testing, end-user actions can be captured easily using automated tool scripts. Average actors interact with the system through some protocol, or they could be data stores; they qualify as average since the results of test case runs would need to be verified manually, e.g. by running SQL statements on the store. Complex actors are separate systems that interact with the SUT through an API; the test cases for these actors can only be written at the unit level and involve a significant amount of internal system behavioural knowledge.

Actor Weights

Actor Type   Description                                Factor
Simple       GUI                                        1
Average      Interactive or protocol-driven interface   2
Complex      API/low-level interactions                 3

The sum of these products (number of actors of each type multiplied by the factor) gives the total unadjusted actor weight (UAW).

Determine the number of use cases in the system. This gives the UUCW (unadjusted use case weight). The use cases are assigned weights depending on the number of transactions/scenarios.

Use-case Weights

Use Case Type   Transactions   Factor
Simple          <= 3           1
Average         4 - 7          2
Complex         > 7            3

The sum of these products gives the total unadjusted use case weight (UUCW).

Compute the unadjusted use case points by adding the unadjusted actor weight and the unadjusted use case weight determined in the previous steps:

UUCP = UAW + UUCW

Compute technical and environmental factors. The technical and environmental factors for a test project are listed in the table below. For each factor, the project assigns a weight, which is multiplied by the factor's assigned value to give its final value. The products are all added up to give the TEF multiplier, which is used in the next step.

Technical Complexity Factor

Factor   Description               Assigned Value
T1       Test Tools                5
T2       Documented inputs         5
T3       Development Environment   2
T4       Test Environment          3
T5       Test-ware reuse           3
T6       Distributed system        4
T7       Performance objectives    2
T8       Security Features         4
T9       Complex interfacing       5

Compute the adjusted UCP. The same formula as in the UCP method for development is used: the AUCP is the UUCP adjusted by the TEF multiplier obtained in the previous step.

Arrive at the final effort. Multiply the adjusted UCP by a conversion factor. This conversion factor denotes the man-hours of test effort required per UCP for a language/technology combination; the organisation has to determine the conversion factors for the combinations it uses. E.g. Effort = AUCP * 20, where 20 man-hours are required to plan, write and execute tests for one UCP when using EJB.
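The estimation procedure of Annexure II, worked through in code as an added example (this is not code from the STQC document): it classifies actors and use cases with the table factors, computes UAW, UUCW, UUCP and the TEF multiplier, applies the adjustment and the EJB conversion factor of 20 man-hours per UCP, and also gives the (Function Points)^1.2 test case count of section 2.2. Four things are assumptions, not from the page: the 0..5 rating scale for the nine technical factors, the AUCP adjustment 0.65 + 0.01 x TEF (the page says only "the same formula as in the UCP method for development"), an 8-hour man-day for converting man-hours to man-days, and the sample eGovernance application used as input.

```python
"""Test-effort estimation with Use Case Points (UCP), following Annexure II.
Added worked example, not code from the STQC document; comments marked
ASSUMPTION use values the page does not state."""
import math
from dataclasses import dataclass
from typing import Iterable

# Actor factors from the Annexure II table: GUI = 1, protocol/data store = 2, API = 3.
ACTOR_FACTORS = {"simple": 1, "average": 2, "complex": 3}
# Technical complexity factors T1..T9 with the assigned values from the table
# (T1 Test Tools, T2 Documented inputs, T3 Development Environment, T4 Test
# Environment, T5 Test-ware reuse, T6 Distributed system, T7 Performance
# objectives, T8 Security Features, T9 Complex interfacing).
TEF_ASSIGNED_VALUES = {"T1": 5, "T2": 5, "T3": 2, "T4": 3, "T5": 3,
                       "T6": 4, "T7": 2, "T8": 4, "T9": 5}

@dataclass(frozen=True)
class Actor:
    name: str
    kind: str  # "simple" (GUI), "average" (protocol or data store), "complex" (API)

@dataclass(frozen=True)
class UseCase:
    name: str
    transactions: int  # transactions/scenarios in the use case

def use_case_factor(transactions: int) -> int:
    """Use-case factor from the transaction count: <=3 -> 1, 4-7 -> 2, >7 -> 3."""
    if transactions < 1:
        raise ValueError("a use case needs at least one transaction")
    if transactions <= 3:
        return 1
    return 2 if transactions <= 7 else 3

def unadjusted_actor_weight(actors: Iterable[Actor]) -> int:
    """UAW: sum of the actor factors; rejects an actor type not in the table."""
    total = 0
    for actor in actors:
        if actor.kind not in ACTOR_FACTORS:
            raise ValueError(f"unknown actor type {actor.kind!r} for {actor.name}")
        total += ACTOR_FACTORS[actor.kind]
    return total

def unadjusted_use_case_weight(use_cases: Iterable[UseCase]) -> int:
    """UUCW: sum of the use-case factors."""
    return sum(use_case_factor(uc.transactions) for uc in use_cases)

def tef_multiplier(project_weights: dict) -> int:
    """TEF: sum over T1..T9 of (table assigned value x project weight).
    ASSUMPTION: a project weight is a 0..5 rating as in the UCP method; the
    page gives no scale. Every factor must be rated."""
    missing = sorted(TEF_ASSIGNED_VALUES.keys() - project_weights.keys())
    if missing:
        raise ValueError(f"unrated technical factors: {missing}")
    total = 0
    for factor, assigned_value in TEF_ASSIGNED_VALUES.items():
        weight = project_weights[factor]
        if not 0 <= weight <= 5:
            raise ValueError(f"{factor} weighted {weight}, expected 0..5")
        total += assigned_value * weight
    return total

def adjusted_ucp(uucp: int, tef: int) -> float:
    """AUCP. ASSUMPTION: the page says only 'the same formula as in the UCP
    method for development'; that method adjusts by 0.65 + 0.01 x TEF."""
    return uucp * (0.65 + 0.01 * tef)

def estimate_test_effort(actors, use_cases, project_weights,
                         hours_per_ucp=20.0, hours_per_man_day=8.0) -> dict:
    """Whole Annexure II procedure; returns every intermediate figure.
    hours_per_ucp defaults to the page's EJB example (20 man-hours per UCP).
    ASSUMPTION: an 8-hour man-day when converting man-hours to man-days."""
    uaw = unadjusted_actor_weight(actors)
    uucw = unadjusted_use_case_weight(use_cases)
    uucp = uaw + uucw
    tef = tef_multiplier(project_weights)
    aucp = adjusted_ucp(uucp, tef)
    hours = aucp * hours_per_ucp
    return {"uaw": uaw, "uucw": uucw, "uucp": uucp, "tef": tef, "aucp": aucp,
            "man_hours": hours, "man_days": math.ceil(hours / hours_per_man_day)}

def fp_test_case_count(function_points: float) -> float:
    """Section 2.2: Number of Test Cases = (Function Points)^1.2."""
    if function_points <= 0:
        raise ValueError("function points must be positive")
    return function_points ** 1.2

# Constructed sample input: a small eGovernance application (not from the page).
SAMPLE_ACTORS = [Actor("citizen (web portal)", "simple"),
                 Actor("payment gateway (protocol)", "average"),
                 Actor("application database", "average"),
                 Actor("legacy registry (API)", "complex")]
SAMPLE_USE_CASES = [UseCase("submit application", 5), UseCase("track status", 2),
                    UseCase("pay fee", 4), UseCase("approve application", 9),
                    UseCase("issue certificate", 3)]
SAMPLE_WEIGHTS = {"T1": 3, "T2": 4, "T3": 2, "T4": 3, "T5": 1,
                  "T6": 4, "T7": 2, "T8": 5, "T9": 3}

if __name__ == "__main__":
    for key, value in estimate_test_effort(SAMPLE_ACTORS, SAMPLE_USE_CASES,
                                           SAMPLE_WEIGHTS).items():
        print(f"{key:>9}: {value}")
```

For the sample application the run gives UAW 8, UUCW 9, UUCP 17, TEF 106, AUCP 29.07 and 581.4 man-hours, i.e. 73 man-days at 8 hours a day, which is the figure that would be multiplied by the man-day rate in the schedule of charges. An unrated technical factor or a rating outside 0..5 is rejected rather than silently treated as zero, since a missing T8 (Security Features) rating would otherwise quietly shrink the security test effort.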


Participation Record

Name of the Client (H.O.): M/s.
Location of the Unit (Assessed):
Opening meeting: Date:   Time:
Closing meeting: Date:   Time:

Opening meeting            Closing meeting
Name          Sign         Name          Sign

Assessment Plan (STQC Certification Services, form F15, Issue 1, Page 1/2)

Client:                Location:
Assessors: 1, 2, 3, 4
Standard: ISO/IEC 17025:2005        Client Reference:

Date / Time*   Clause ref.   Area / Activity         Assessor 1 2 3 4
0900 AM                      Opening Meeting         √ √ √ √
                             Meeting of Assessors
                             Meeting of Assessors
1830 hrs                     Closing Meeting         √ √ √ √

*Time indicated is approximate and may vary based on assessment progress.


Conformity Assessment Requirements - Administration

Scheme for recognizing Conformity Assessment Bodies for eGovernance


eGovernance Conformity Assessment- Business of Confidence

To have confidence in an eGovernance solution, administrators and funding agencies look for an affirmative indication or judgement by an independent agency that a product or service has met the requirements of the contract and applicable regulation. The process of determining the degree of compliance of the solution characteristics (as delivered) with the requirements (as desired) by means of objective evaluation is known as conformity assessment. It provides information on the fulfilment of the provisions of the "Request for Proposal" and the "Contract Agreement". The techniques used for conformity assessment are sampling, testing, inspection, review, assessment, evaluation and certification.


eGovernance Conformity Assessment- Business of Confidence

Conformity Assessment Requirements (CARE) is a framework to ensure that eGovernance systems and their components have incorporated "Best Practices" while conforming to the contractual agreements.


Purpose and Objective

Purpose
• Define the administrative procedure and requirements for Third Party Independent Testing & Auditing agencies to get recognised as "Conformity Assessment Bodies (CAB)" for assessing, testing and evaluating eGovernance Solutions.

Objective
• To proliferate Quality Assurance of eGovernance by making it market driven and self-sustaining.

Goal
• Citizens should get quality-assessed eGovernance services and have high confidence in the eGovernance system.


Conformity Assessment Bodies

For e-Governance, two types of Conformity Assessment Bodies are required:

1. Recognised independent Test Laboratories for "Software and System Testing"

2. Independent Auditing Bodies


Scope

Recognizing independent Test Laboratories for "Software and System Testing":
• Functional Testing
• Usability Testing
• Application Security Testing
• Performance/ Scalability Testing
• Reliability/ Availability Testing
• Maintainability Testing
• Portability Testing
• Code Review
• Network Testing (Performance and Security)
• National Requirements of Website Quality

Independent Auditing Bodies:
• Assessment of System & Software Life Cycle Processes (ISO 12207)
• Assessment of Information Security Management System (ISMS - ISO 27001)
• Assessment of Information Technology Service Management System (ITSM - ISO 20000-1)


Approach

The recognition system should be credible, to ensure that Test and Assessment Results are:
• Repeatable
• Reproducible
• Reliable

The scheme ensures:
• Internal Control: Quality Manual & procedures to be followed by the approving body (STQC)
• External Control: Procedures to be followed by the applicant CAB
• Compliance with International Standards:
  o ISO/IEC 17011:2004 Conformity Assessment - General requirements for accreditation bodies accrediting conformity assessment bodies
  o ISO/IEC 17020:1998 General criteria for the operation of various types of bodies performing inspection
  o ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories


Process

• STQC will be the nodal agency managing the Conformity Assessment activities
• The independent third party testing & auditing agencies will be assessed and empanelled against established criteria to work as CABs with a defined scope
• Solution Providers can get their solution assessed against the RFP by any of the empanelled CABs, based on mutually agreed terms and conditions
• The Solution Provider will submit the test report along with an application to STQC for analysis of the test results
• STQC will also carry out a limited audit on a sample basis to re-confirm the test/ audit results
• If found satisfactory, a statement of conformity will be issued


Approval Framework (diagram: E-Governance Conformity Assessment; only its labels survive)

Parties: Govt Organisation (Buyer); Solution Provider (Seller); Independent Test Lab; STQC (Certificate Issuer). Legend: Govt. (Buyer) / Industry / STQC/DIT.

Arrow labels: Requires certified product as per RFP/Contract; Needs Conformance Test of product; Pass; Fail; Test report to Solution Provider; Copy of Test Report; Certificate of Validation; Interpretation/Disputes.


Approval Framework (diagram: E-Governance Conformity Assessment, auditing variant; only its labels survive)

Parties: Govt Organisation (Buyer); Solution Provider (Seller/Supplier); Independent Assessment Body; STQC (Certificate Issuer). Legend: Govt. (Buyer) / Industry / STQC/DIT.

Arrow labels: Requires certified product as per RFP/Contract; Needs Conformance Test of product; Pass; Fail; Assessment report to Solution Provider; Copy of Assessment Report; Certificate of Validation; Interpretation/Disputes.


Schedule of Charges

• Application Fee: Rs. 10,000/-
• Assessment Fee: Rs. 10,000/- per manday (+ logistics) (a laboratory of average size takes 9 mandays for audit)
• Annual Fee: Rs. 50,000/-
• Surveillance Charges: Rs. 10,000/- per manday (annual) (average size takes 5 mandays for audit)


Thank you


STQC IT Certification Services IT Manual

Document : IT CERT/D01 Issue : 04 Revision : A Date : 21-11-2008 Page : 1of 45

List of Contents                                                          Page

Section 0: Preface
  0.1 Introduction                                                        3
  0.2 Approval and Issue                                                  4
  0.3 Amendment Record                                                    5

Section 1: General                                                        6
  1.1 Purpose & Scope                                                     6
  1.2 References                                                          6
  1.3 Definitions                                                         7

Section 2: Certification Body - Requirements                              10
  2.1 Name & Office Locations                                             10
  2.2 Legal Status                                                        10
  2.3 IT Certification Policy and Objectives                              10
  2.4 General Provisions                                                  11
  2.5 Quality System                                                      12
    2.5.1 Management Representative                                       12
    2.5.2 Authorities of Management Representative                        13
    2.5.3 Structure                                                       13
  2.6 Organisation                                                        14
    2.6.1 Organization Chart and Reporting Structure                      14
    2.6.2 Organization Description                                        14
    2.6.3 List of Appointments                                            21
  2.7 Internal Audits & Management Reviews                                22
  2.8 Documentation                                                       23
  2.9 Criteria for Certification Personnel (recruitment, training & monitoring)   24
    2.9.1 General                                                         24
    2.9.2 Qualification Criteria for Auditors and Technical Experts       24
    2.9.3 Selection Procedure                                             25
    2.9.4 Assignment for a Specific Assessment                            25
    2.9.5 Contracting of Assessment Personnel                             26
    2.9.6 Training                                                        26
    2.9.7 Assessment / Personnel Records                                  26
    2.9.8 Procedures for Audit Teams                                      27
  2.10 Sub-contracting                                                    27
  2.11 Non-conformance Handling and Corrective/Preventive Action          27
  2.12 Records                                                            28
  2.13 Confidentiality                                                    29


  2.14 Liability                                                          29
  2.15 Appeals, Complaints and Disputes                                   29
  2.16 Changes in the Certification Requirements                          30

Section 3: Requirements for Certification                                 31
  3.1 Application for Certification                                       31
    3.1.1 Information on the Procedure                                    31
    3.1.2 The Application                                                 32
  3.2 Preparation for Assessment                                          32
  3.3 Assessment                                                          33
  3.4 Assessment Report                                                   33
  3.5 Decision on Certification                                           35
  3.6 Surveillance & Re-assessment                                        36
  3.7 Suspension & Withdrawal/Cancellation of Certification               37
  3.8 Use of Certificates/Licences and Logos/Mark of Conformity           38
  3.9 Access to Records of Complaints to Clients                          39

Annexures
  Annexure I Documentation Structure                                      40
  Annexure II Organisation Chart /Figures                                 41


Section 0 : Preface

0.1 Introduction

The Ministry of Communications & Information Technology is the nodal agency for all activities related to the policy and promotion of IT, the internet and e-commerce. The STQC Directorate, as a part of the Ministry, is mandated to align itself with the objectives of the Ministry and to provide support and services to users in line with these objectives. Over the years STQC's core competence has been in Standardisation, Test & Calibration and Certification.

With the Indian IT Act 2000 coming into existence, the Ministry has taken up several initiatives to facilitate the spread of the use of IT and the promotion of e-commerce. Owing to its core competence, STQC is providing IT related services concerning Standardisation, Test & Certification. The "IT Certification Services" is one such focussed effort on certification. This certification service is slated to cover a range of services, starting with Information Security Management System certification, and may cover other certifications as they progress. Through this manual, it is sought to lay down the broad parameters within which the 'IT Certification Services' operate. The policies and procedures contained in this manual are generic enough to allow a modular approach in adding more services later on. Besides this, it reflects STQC's endeavour to comply with applicable international standards and guidelines so as to provide its services in a competent and credible manner.


0.2 Approval and Issue

This document is the property of STQC IT Certification Services and should not be reproduced in part or in full without written consent.

Reviewed by : Advisory Board

Approved by : Chairman, Advisory Board

Note:

1. The Management Representative is responsible for the issue and distribution of this document, including amendments.

2. The holder of this copy is responsible for incorporation of all amendments and for the currency of the document.


0.3 Amendment Record: Amendment to last issue

Amendment No.   Amendment Date   Description                                                                              Page Ref
1               14-09-2007       Legal Status                                                                             10
2               14-09-2007       Impartiality Requirement                                                                 10-11
3               14-09-2007       Certified Client Information                                                             24
4               14-09-2007       Preparation for Assessment (Short Notice auditing)                                       37
5               14-09-2007       Stage 1 for recertification, Information for granting recertification                    37
6               14-09-2007       Suspending, withdrawing or reducing certification                                        38
7               14-09-2007       Replacing ISO/IEC 17021 with ISO/IEC 17021                                               6
8               12-11-2007       Terms of reference of AB modified to include impartiality as part of agenda in the AB minutes   16
9               21-11-2008       Frequency of surveillance audits changed from three to two in between a certification cycle    37


Section 1: General

1.1 Purpose & Scope

1.1.1 The purpose of this document is to lay down the policies and procedures for all the IT certification schemes operated by "STQC IT Certification Services" as per the applicable national/international standard or normative document.

1.1.2 This document describes the organisation of the Certification Body and the process of certification which, by means of assessment and subsequent surveillance, provides an adequate level of confidence that the certified system conforms to the specified requirements of the applicable standard or normative document. It will also ensure consistent and reliable operation of the Certification Body, thereby facilitating its acceptance on a national/international basis in the interest of national/international trade.

1.1.3 The Certification Body will take all steps necessary to assess and determine conformance of the applicant organisation's system to all the applicable requirements as defined in the respective scheme specific documentation. This documentation will include:
- Definition of scope of operation for each scheme
- Identification of applicable standards/normative documents
- Assessment criteria
- Criteria for suitability and competence of personnel and facilitative

1.1.4 The products of STQC IT Certification Services are identified in document IT CERT/D02.

1.1.5 This document is applicable to all those involved in providing the certification services.

1.1.6 The term “System” is used generically to represent "Management System”.

1.2 References

ISO/IEC Guide 2:1996 - General terms and their definitions concerning standardisation and related activities

ISO/IEC 17021 - Conformity Assessment - Requirements for bodies providing audit & certification of management systems

ISO 9000:2000 - Quality management systems - Fundamentals and vocabulary

ISO 19011 - Guidelines for auditing quality systems (all parts)

ISO/IEC 27006 - ISO guidelines for the accreditation of bodies operating certification/registration of ISMS

1.3 Definitions

For the purpose of this document, the following definitions, in addition to those given in ISO/IEC Guide 2 & ISO 9000 shall apply.

1.3.1 Organisation

Company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that compliance with the specific standard for certification is maintained.

1.3.2 Certification of Conformity

Action by a third party, demonstrating that adequate confidence is provided that the client’s product and/or system are in conformity with specified requirements of applicable standard or normative document.

1.3.3 Certification System

System that has its own rules of procedure and management for carrying out certification of conformity.

1.3.4 Certification Body

The body which conducts certification of conformity with respect to published standards and any supplementary documentation required under the system.

1.3.5 Registration

Inclusion of the client’s particulars and field of assessed capability by the Certification Body in an appropriate register or list.

1.3.6 Certificate of Conformance or certification/registration document

Document issued under the rules of a Certification System indicating conformance to the specified requirements of the applicable standard or normative document.

1.3.7 Certification Agreement

An agreement which is part of the Certification System and which details the mutual rights and obligations of the certificate holder and the Certification Body, and which includes the right to use the certification mark and/or logo and certificate.

1.3.8 Assessment

All activities related to the system certification of an organization to determine whether the organization meets all the requirements of the relevant clauses of the specified standard necessary for granting certification and whether they are effectively implemented, including documentation review, audit, preparation and consideration of the audit report and other relevant activities necessary to provide sufficient information to allow a decision to be made as to whether system certification shall be granted.

1.3.9 Appeal

A formal expression of dissatisfaction by any party that feels affected by a decision of a Certification Body.

1.3.10 Complaint

A formal expression of dissatisfaction with some matter related to a Certification Body, a certified client, or an individual.

1.3.11 Dispute

Expression of difference of opinion between two parties in relation to some matter related to a Certification Body, a certified client, or an individual.

1.3.12 Logo

A symbol used by a body as a form of identification, usually stylized. A logo may also be a mark.

1.3.13 Mark

A legally registered trade mark or otherwise protected symbol which is issued under the rules of a certification body indicating that adequate confidence is provided that the relevant product, process or service is in conformity with a specific standard or other normative document.

1.3.14 Major Non-conformance

• The absence of, or the failure to implement or maintain a required element of the standard for certification, or objective evidence of a situation that would raise significant doubts as to the capability of the organization to achieve its policy and objectives.

1.3.15 Minor Non-conformance

• A single observed lapse or imperfection or weakness in fulfilling a requirement specified in the standard.

1.3.16 Licence (for certification)

Document issued under the rules of a Certification System, by which a Certification Body grants to a person or body the right to use certificates processes or services in accordance with the rules of the relevant Certification Scheme.


Section 2 : Certification Body - Requirements

2.1 Name and Office Locations

“STQC IT Certification Services” of STQC Directorate, herein referred to as ‘Certification Body’, operates from New Delhi.

2.2 Legal Status

“STQC IT Certification Services” of STQC Directorate is a part of the Ministry of Communication & Information Technology, Government of India (see Org. Chart Figure 1 at Annexure II). STQC being an attached office of DIT, DG, STQC is empowered with adequate administrative & financial authority, which ensures its independent existence & relationship with the other constituents of the Ministry.

2.3 IT Certification Policy and Objectives

Goal

To provide IT certification services in a consistent, competent, credible and reliable manner thereby facilitating their acceptance on a national/international basis in the interest of trade.

IT Certification Policy

To continuously improve and sustain quality of IT certification services, consistent with market requirements and technological developments to provide better value to the clients.

IT Certification Objectives

The certification body seeks to achieve its organisational goal by the following means:

- Establishing a system in line with internationally accepted norms (e.g. ISO/IEC Guides)
- Certifying systems as per applicable norms
- Continuously reviewing and upgrading the technical content of the activities in line with market needs
- Seeking strategic alliances with other national/international agencies engaged in similar work
- Adopting innovative methods/practices to provide better value to the clients


STQC IT Services shall ensure the objectivity of its management systems certification activities & shall impart due importance to impartiality in carrying out the various activities of management system certification. STQC shall identify, analyze & to the extent possible avoid conflicts of interest arising from the provision of certification. In case any relationship with DIT & its other constituents creates a threat to impartiality, all efforts shall be made to eliminate such threats. This information shall be made available to the CC as well as the AB. In case impartiality cannot be ensured, the certification activity shall not be undertaken with such an entity. The management is committed to ensuring that the policy is understood, implemented and maintained at all levels of the certification body through regular interactions. To be in line with the policies and objectives, the management committee of IT Certification Services will determine, on a regular basis, the need for specific objectives and pursue their compliance.

2.4 General Provisions

2.4.1 The Certification Body provides unhindered access to all applicants seeking certification of their System, whose activities fall within its declared field of operation, without undue financial or other conditions. However, it is a condition of certification that certified organisations are regularly involved in the activities for which they have been certified.

2.4.2 All the procedures adopted by the Certification Body are administered in a non-discriminatory manner. The Certification Body makes its services accessible to all applicants, without any undue financial or other conditions.

2.4.3 The Certification Body confines its assessment and decision on certification to those matters specifically related to the scope of certification being considered.

2.4.4 The Certification Body has defined criteria (covered under scheme specific documentation) against which the system of an applicant is assessed.

2.4.5 The Certification Body is responsible for its decisions relating to the granting, maintaining, extending, reducing, suspending and withdrawing of certifications.

2.4.6 The Certification Body has an identified management structure which has the overall responsibility for the operation of the Certification System. Details are covered in subsequent paragraphs.

2.4.7 The Certification Body has a documented structure which safeguards the impartiality of the operation of the Certification Body. It further enables participation of all interested parties in the content and functioning of the certification system.


2.4.8 The Certification Body ensures that each decision on certification is taken by persons different from those who carried out the assessment.

2.4.9 The Certification Body has rights and responsibilities relevant to its certification activities.

2.4.10 The Certification Body has adequate arrangements to cover liabilities arising from its operations and/or activities (in the form of the certification agreement).

2.4.11 The Certification Body has the financial stability and resources required for the operation of the certification system, in the form of budgetary support from the Government of India. The financial administration of the scheme, including determination of charges, is the responsibility of the Chief Executive Officer (CEO) under the authority of the Management Committee.

2.4.12 The Certification Body has a sufficient number of personnel having the necessary education, training, technical knowledge and experience for performing certification functions under the overall responsibility of the CEO.

2.4.13 The Certification Body has a documented management system to provide confidence in its ability to operate a certification system.

2.4.14 The Certification Body is not engaged in any activity other than Certification. STQC Directorate is not involved in any consultancy activities.

2.4.15 The Certification Body’s personnel, along with the CEO & staff, are free from any commercial, financial and other pressures which might influence the results of the Certification process.

2.4.16 The Certification Body has defined criteria for the appointment and operation of all the committees needed for the Certification process. These committees are free from any commercial, financial and other pressures that might influence decisions.

2.4.17 The Certification Body ensures that activities of related bodies do not affect the confidentiality, objectivity or impartiality of its certification. It does not offer or provide:

- those services that it certifies others to perform
- consultancy services to obtain or maintain certification
- services for the design/development of the systems it certifies

2.4.18 The Certification Body has a defined policy and procedure for the resolution of Complaints, Appeals and Disputes received from clients or other parties about the handling of certification or any other related matter.

2.5 Quality System of IT Certification Services

2.5.1 Management Representative (MR)

The management representative is a person having

- adequate academic qualifications (preferably a Science/Engineering graduate) with adequate knowledge in Information Technology
- QA experience of at least 10 years
- training, qualification and experience of a Management System Lead Assessor
- knowledge and awareness in matters related to Certification and Accreditation

See “List of appointments” Doc No IT CERT/D03 for the identified person as MR.

2.5.2 Authorities of Management Representative

- ensure that a system is established, implemented and maintained in accordance with this document
- report on performance of the system to the management of the Certification Body for review and as a basis for improvement
- review system related procedures and forms / formats

2.5.3 Structure

The Certification Body has a documented system defining its policy, including objectives and its commitment. The Certification Body ensures effective implementation of documented system procedures. The structure of the system documentation is as given in figure 2 at Annexure I. The following paragraph identifies the broad contents of various categories of System Documentation.

* IT Manual

- Certification policies and objectives as per the requirements of ISO/IEC Guides 17021 and ISO27006.

- Adequate references to system procedures and scheme specific manuals/ Procedures

- Process flow (System Certification)

* System Procedures

- Details about certification system elements as applicable to all schemes (e.g. Internal Audit, Management Review, Document Control etc.).

* Scheme Specific Manuals and Procedures

* Manual
- scheme description (including scope of operation, relevant standards or parts thereof and any other requirements such as risk assessment) and references to scheme specific procedures, forms/formats.
- information on certification process, resources requirements etc.

* Procedures
- Detailed information on scheme specific process.

* Forms/Formats
- Both system & scheme specific forms/formats.

2.6 Organisation

2.6.1 Organisation Chart & Reporting Structure are in Figures 1, 2 & 3 at Annexure III.

2.6.2 Organisation Description

2.6.2.1 The certification body has

I a Chairman
II an Advisory Board
III a Management Committee
IV Technical Advisory Committee(s)
V Certification Committee
VI Certification Personnel
  i) Chief Executive Officer
  ii) Operations personnel
  iii) Management Representative
  iv) Assessors/Specialists
  v) Certification support staff

2.6.2.2 Criteria, Composition and Terms of Reference

I) Chairman, Certification Body

Director General, STQC is the ex-officio chairman of the Certification Body, acting under the authority of the Secretary, Ministry of Communication and Information Technology, Govt. of India. He is responsible for the overall functioning of the ‘STQC IT Certification Services’ in line with the objectives of STQC Directorate as well as the Ministry.

II) Advisory Board

i) Object

The object of the Advisory Board is to safeguard the impartiality of the Certification Operations, to provide confidence in certification by the Certification Body.

ii) Structure & Composition

The Advisory Board will have members not exceeding 15 including the Chairman and Member Secretary.

- DG, STQC is the ex-officio chairman of the Advisory Board.
- Members are chosen from among those interested parties involved in the process of certification.
- The members have adequate academic and professional experience in the field they represent.
- In general the following are deemed as representing the interested parties:

Interested parties

- Customers and clients of products and services provided by certified organisations
- Regulators
- Trade bodies
- IT Professionals
- Government

The members are appointed by the Chairman, Certification Body, in consultation with the respective interested parties, for a period of 3 years. At the end of the tenure, the Chairman, Certification Body may re-appoint the members for a further period. Depending upon the need, the Board may co-opt more members. In any case the number of co-opted members will not exceed three and their tenure of membership will not exceed the tenure of the current Advisory Board. The Chief Executive Officer is the Member Secretary of the Board.

iii) Terms of Reference of Advisory Board

- formulation of policy matters relating to the operation of the Certification Body and approval for adoption of policy related documentation (IT Manual).
- an overview of the implementation of its policies.
- setting up of committees as required, to which defined activities are delegated, or delegation of such authority to the Management Committee.
- safeguarding impartiality and enabling participation of all parties concerned regarding the content and functioning of the Certification System.
- ensuring that the Certification Body operates in a non-discriminatory manner.
- Issues related to any conflict of interest/impartiality shall be discussed in the Advisory Board meetings for review on an annual basis or in case of any change in the present status of STQC vis-à-vis DIT.

The Advisory Board has the power to obtain from the Management Committee all such information on the conduct of its policy as will enable it to discharge its duties properly. The Management Committee provides all the necessary information, including the reasons for all significant decisions and actions, and the selection of persons for particular activities. The advice of the Board is binding on the Management Committee on certification related matters.

iv) Business Procedure

Meetings of the Advisory Board are held at least once a year. The date and place will normally be decided during the previous meeting. The Chairman of the Advisory Board may, at his discretion or at the request of at least three members, call a special meeting, giving prior intimation to the members sufficiently in advance.

The quorum of the meeting is obtained when more than half the members are present at the meeting. If there is no quorum, the meeting shall proceed, but in such circumstances, where decisions require confirmation, voting by correspondence will take place subsequent to the meeting. However, in all cases of voting, the Chairman, Advisory Board and the Member Secretary do not have the right to vote, either in favour of or against the matter under consideration.

Depending upon the importance of the matter under consideration during a meeting, the Chairman, Advisory Board may decide for voting at the meeting itself or voting by correspondence. The proposal on the subject matter is adopted when no opposing vote is received within the time specified in the correspondence, otherwise the matter shall be dealt with at the next meeting.

The Certification Body is maintaining records of confidentiality and background experience of the board members.

III) Management Committee

i) Object


The object of the Management Committee is to manage the certification activities in line with the charter of STQC Directorate and advice of Advisory Board.

ii) Structure & Composition

* Chairman

STQC person of sufficiently senior level, appointed by Chairman, Certification Body. Chief executive officer, IT Certification is the ex officio Chairman.

* Members
- Do not exceed 10 in number, excluding Chairman and Member Secretary,
- Belong to STQC Directorate at a sufficiently senior level, preferably unit/activity head,
- Active professionals in certification related fields, administration & finance,
- The committee shall include a representative for each IT certification scheme, e.g. (ISMS) at least one person with appropriate competence in that field of certification.
- Appointed by Chairman, Certification Body in consultation with Chairman, Management Committee
- Depending on the need the committee may co-opt more members up to a maximum of 2 persons,
- Management Representative is the member secretary of the committee.

iii) Terms of Reference

While being accountable to the Advisory Board, the Management Committee will:
- formulate and oversee the implementation of the business plan for STQC certification services,
- decide on approval of decisions made by the Chief Executive Officer relating to the granting, maintaining, extending, reducing, suspending and withdrawing of certification in case of an equal vote in the Certification Committee, or in case the Chief Executive Officer is not in agreement with the advice of the Certification Committee,
- provide all requisite information and support to the Advisory Board to enable it to fulfill its obligations,
- ensure compliance with the advice of the Advisory Board,
- carry out periodic reviews of the certification systems/operations to ensure compliance with all applicable requirements,
- seek the Advisory Board’s concurrence on technical contents of a policy nature for adoption into the certification system,
- set up committees as required to deal with the technical content of the certification system,
- review and approve all scheme specific documentation (except forms / formats),
- make efforts for satisfactory resolution of complaints/disputes received from clients or other parties.


iv) Business Procedure

Meetings of the Management Committee are held generally twice a year. Special meeting of the Management Committee can further be held as and when required by the Chairman or at the request of any of the members. The business transacted at the meeting is recorded in the minutes by Management Representative.

IV) Technical Advisory Committee(TAC)

i) Object

The object of the Technical Advisory Committee (TAC) is to provide technical interpretation on a need-to-know basis to the Advisory Board, Management Committee, CEO, Certification Committee etc. The TAC is also responsible for evaluation of the technical documentation of the certification scheme. The advice of the TAC is not binding on these committees; it is only recommendatory in nature.

ii) Structure & composition

The TAC consists of a convenor and members from various sectors including Industry, Institutions, Govt & Experts, who
- have adequate academic background or experience in Information Technology and Infrastructure related issues.
- are involved/engaged in IT/IT Security related projects/activities.

iii) Terms of Reference

While advising on technical interpretation to various committees, they are required to be
- independent in opinion
- confidential
- impartial
- objective
- technologically relevant etc.
- accountable to the committees

iv) Business procedure

The Committee meets on a need basis. The task is made known to the committee before the issue is taken up. The Convenor is provided with all the relevant information along with supporting documents. The Committee examines the inputs and advises the requesting committee on its interpretation.

V) Certification Committee


i) Object

The object of the Certification Committee is to advise the Chief Executive Officer on decisions relating to
- certification of systems
- certification of assessor/specialist resources for empanelment.

ii) Structure & Composition

The composition of the Certification Committee should provide competence in Management system auditing and subject expertise, represented by one or more persons individually or collectively. The Certification Committee consists of a convener representing the Certification Body (operations personnel) and up to five members from STQC Department or otherwise who meet at least one of the following:

- adequate academic background (preferably graduate in science/engineering) with adequate knowledge in information Technology

- criteria and qualifications of a Lead Assessor in QMS and / or EMS and / or ISMS or IT expertise (e.g. Network Management, Web security, e-mail security, Malicious codes, expertise on OS like windows NT, Unix etc.)

- possess knowledge and awareness of certification related matters including national/ international standards and other normative documents.

Chairman, IT Certification Services appoints members of the Certification Committee in consultation with the CEO & Chairman Management Committee.

iii) Terms of Reference

While advising the CEO on certification related decisions, the Certification Committee will:
- ensure compliance of assessment to the defined criteria,
- review the reports of assessment for adequacy of their content,
- provide feedback for improvement,
- seek expert opinion where necessary for determining the technical basis for granting certification,
- be accountable to the Management Committee.

iv) Business Procedure

The committee normally meets once a fortnight or as required. The committee shall include, for each of the schemes (QMS, ISMS etc.) in which certification decisions will be taken during the present session of the committee, at least one appropriately qualified member.


The independence of the committee in each decision is ensured by not involving committee members who took part in the assessment process on which a decision has to be made. The minimum quorum of the committee should consist of at least three independent members. If excluding one or more committee members should result in appropriate expertise in ISMS, or in empanelment, not being present when needed to make a certification decision, the convener shall arrange for participation of independent experts during the relevant parts of the meeting.

The Convener is not a party to the decision of the committee. The convener of the committee presents all requisite information along with supporting documentation to the committee. The committee examines the inputs and advises the Chief Executive Officer on the certification decision.

The Certification Committee should not normally overturn a negative recommendation of the assessment team. If such a situation should arise, the Certification Committee shall document and justify the basis for the decision to overturn the recommendation. In case of an equal vote in the Certification Committee, or if the Chief Executive Officer is not in agreement with the advice of the Certification Committee, the Chief Executive Officer may take decisions, as appropriate, subject to the approval of the Management Committee.

VI) Certification Resources

a) Personnel

i) Chief Executive Officer (CEO)

- is an active professional in QA, belonging to STQC Directorate and of sufficiently senior level.

- has sufficient work experience (preferably not less than 10 years) in certification and accreditation matters.

- meets qualifications and criteria of a lead assessor in QMS and / or EMS.

- is appointed by Chairman, Certification Body.

- along with his team (certification personnel) is responsible to the Management Committee and thereby to the Advisory Board for the day to day operation of the Certification System.

- will act on the advice of the Certification Committee on certification decisions. In case of equal votes in the Certification Committee or a conflict of opinion with the decision of the Certification Committee, he may take a decision, as appropriate, subject to the approval of the Management Committee.


- is the member secretary of the Advisory Board.

- is responsible for approval of System Procedures and Forms/Formats.

ii) Operations Personnel

- are the personnel looking after the certification operations of the Certification Body.

- have adequate academic background (preferably graduate/diploma in Engg. or science graduate)

- have sufficient work experience (preferably not less than 2 years) in quality assurance & Information Technology

- preferably meet the training & qualification related to the relevant scheme and the criteria of an assessor.

- are appointed by the CEO

- are responsible for day-to-day operations of all pre-certification activities of product/system certification.

- are responsible for all activities connected with organising assessor/specialist empanelment.

- are responsible for all liaison/co-ordination within and outside the certification body.

- have adequate procedures and instructions/guidelines for carrying out their activities.

Details of specific responsibilities are available in respective scheme documentation.

The activities & functional responsibilities of the parts of STQC are defined in IT CERT/D09.

iv) Management Representative

See clause 2.5.1 of this document.

v) Assessors/Specialists

- The policies and procedures for the recruitment & training of assessors/specialists and monitoring of their performance are described in the scheme specific document.

- Responsible for carrying out their assigned activities on the advice of Certification Body.

- Clearly documented procedures/instructions are available for carrying out assigned activities.

- Records of training, experience and background information of individual assessors/specialists are maintained.


vi) Certification Support Staff

The support staff at HQ are responsible for:
- maintenance of files, records and website related to certification matters.
- secretarial support to Certification Personnel
- maintenance of data base.

2.6.3 List of Appointments

The Doc No. IT CERT/D03 on list of appointments identifies the personnel & other resources involved in the activities of the Certification Body as follows:
- Members of Advisory Board
- Members of Management Committee
- Members of the Technical Advisory Committee
- Chief Executive Officer
- Members of Certification Committee
- Management Representative
- Certification Operations personnel
  * At STQC Directorate
- Assessors/Specialists
- Support staff

The responsibilities of all personnel involved in the certification activities are indicated in Doc No. IT CERT/D04 (Responsibility Matrix).

2.7 Internal Audits and Management Review

2.7.1 Internal Audits

- For the purpose of verifying that the system is implemented and effective, Internal Audits are carried out covering all procedures in a planned and systematic manner.
- Audits are conducted by trained personnel independent of the area/activity being audited.
- It is ensured that
  * Personnel responsible for the area audited are informed of the outcome of the audit.
  * Corrective action is taken in a timely and appropriate manner.
  * Results of the audit are recorded for periodic review.
- Internal audits of the entire system will be carried out at least once a year.
- Detailed procedures for carrying out internal audits are covered in the Doc No. IT CERT/P03.

2.7.2 Management Review

- Management reviews are conducted at least twice a year to ensure continuing suitability and effectiveness of the certification system.
- Management Review includes assessment of the results of Internal Audits, Appeals, Complaints etc.
- The Management Reviews are conducted by the Management Committee.
- Records of the reviews are maintained.
- Detailed proceedings for conducting Management Review are covered in the Doc No. IT CERT/P04.

2.8 Documentation

2.8.1 The Certification Body has established and is maintaining procedures to control all documents and data that relate to its certification functions. (The documentation structure is given in para 2.5.3 of this document.) These documents are reviewed and approved for adequacy by authorised and competent personnel prior to issue (either on initial development or on any subsequent amendment). The following table identifies the reviewing and approving authorities for various types of documents within the system:

Sl. No.   Type of Doc.                        Review   Approval
1.        IT manual                           AB       Chairman, AB
2.        Scheme specific manual              TAC      CEO
3.        System procedures/forms             MR       CEO
4.        Scheme specific Procedures/forms    TAC      CEO


The review and approval of the documents by the CEO is on the authorisation of the Management Committee. A list of all documents with the respective issue and/or amendment status is maintained. The distribution of all these documents is controlled to ensure that appropriate documentation is made available to personnel of the certification body or the client when required to perform any function relating to the activities of an applicant or the certified client. Detailed procedure for document control is described in the document No. IT CERT/P05.

For the control of external documentation, such as standards, interpretations, EA guidelines, reference material, etc., MR is the custodian and is responsible for regularly updating the documents of external origin; others can refer to them on a need basis.

2.8.2 The Certification Body documents, updates at periodic intervals and makes available, on request, the following:

a) Information about the authority under which the Certification Body is operating (Approval of Govt. of India).

b) For each certification scheme, a brochure containing a documented statement on the certification system incorporating the rules and procedure for granting, maintaining, extending, reducing, suspending and withdrawing certification (Ref. ISMS/D03).

c) Leaflets/handouts on the scheme specific process of certification.

d) Published schedule of charges (Doc No. IT CERT/D06) available to applicants and certified clients.

e) Certification Agreement describing the rights and duties of applicants and certified clients, including requirements, restrictions or limitations on the use of the Certification Body’s logo (Doc No. IT CERT/D05).

f) Information on procedures for handling of Complaints, Appeals and Disputes (in the brochures and Certification Agreement and Doc No. IT CERT/P07 & IT CERT/P08).

g) Quarterly updated list of Certified Clients including their locations and scope of certification (Ref. IT CERT/D08) & website. The list of clients suspended/withdrawn is updated on the website and the format of the certified clients list is to be revised. As a policy, information regarding certificate withdrawal shall be maintained for one year from the date of withdrawal.

2.9 Criteria for Certification Personnel (Recruitment, Training and Monitoring)

2.9.1 General

2.9.1.1 The personnel of the Certification Body involved in certification are competent for the functions they perform, such as

a) review of contracts with the clients (application handling)
b) select and verify the competence of auditors
c) brief auditors and arrange any necessary training
d) decide on the granting, maintaining, withdrawing, suspending, extending or reducing of certification
e) set up and operate appeals/complaints procedure

2.9.1.2 Information on the relevant qualifications, training and experience of each member of the personnel involved in the certification process is maintained by the Certification Body. Records of training and experience are kept up-to-date.

2.9.1.3 Clearly documented instructions are available to the personnel describing their duties and responsibilities. These instructions are maintained up-to-date.

2.9.2 Qualification Criteria for Auditors and Technical Experts

2.9.2.1 In order to ensure that assessments are carried out effectively and uniformly, the minimum relevant criteria for competence are defined by the Certification Body.

2.9.2.2 Auditors meet the requirements of the appropriate international documentation. For the assessment of a system, the relevant guidelines for auditing are those defined in ISO 19011 and the relevant criteria for auditors are those defined in ISO 19011. The qualification criteria for auditors for each certification scheme are defined separately, e.g. ISMS doc ISMS/D02.

2.9.2.3 Technical experts are not required to comply with the requirements for auditors covered in ISO 10011-1. However, their personal attributes are to be as per ISO 19011, clause 7. The qualification criteria of technical experts for each certification scheme are defined separately, e.g. ISMS doc ISMS/D02 for qualification and ISMS/P04 for Use of Technical Expert.

2.9.3 Selection Procedure

2.9.3.1 Selection of auditors and technical experts.

The Certification Body has a procedure (Doc No. IT CERT/P01) for selection of auditors and technical experts, covering

a) selecting auditors and technical experts on the basis of their competence, training, qualifications and experience;
b) initially assessing the conduct of auditors and technical experts (if required) during assessments; and
c) subsequently monitoring their performance.


2.9.4 Assignment for a Specific Assessment

When selecting the audit team for a specific assessment the certification body will ensure that the skills for each assignment are appropriate. The team will

a) be familiar with the applicable legal regulations, certification procedures and certification requirements

b) have a thorough knowledge of the relevant assessment method and assessment documents

c) have appropriate technical knowledge of the specific activities for which certification is sought and, where relevant, of associated procedures and their potential for failure (technical experts who are not auditors may fulfill this function)

d) have a degree of understanding sufficient to make a reliable assessment of the competence of the client to provide products, processes or services in its certified scope

e) be able to communicate effectively, both in writing and orally, in the required languages

f) be free from any interest that might cause team members to act in other than an impartial or non-discriminatory manner, for example:

- audit team members or their organization shall not have provided consulting services to the applicant or certified client which compromise the certification process and decision

- in accordance with the directives of the Certification Body, the audit team members shall inform the Certification Body, prior to the assessment, about any existing, former and envisaged link between themselves or their organizations and the client to be assessed.

The requirements for the assignment of assessors and experts to a specific assessment are defined in scheme specific documents, e.g. ISMS/P01.

2.9.5 Contracting of Assessment Personnel

The Certification Body requires all the personnel involved in the assessment to sign a contract by which they commit themselves to comply with the rules defined by the Certification Body, including those relating to confidentiality and those relating to independence from commercial and other interests and any prior and/or present link with the clients to be assessed. The Certification Body, in the event of using any sub-contracted assessment personnel, documents the way those personnel satisfy all the requirements for assessment personnel outlined in this document and ensures compliance with the same.

2.9.6 Training


Training to facilitate continuing Professional development is as per Doc: IT CERT/P02.

2.9.7 Assessment / Personnel Records

2.9.7.1 The Certification Body possesses and maintains up-to-date records on assessment personnel consisting of

a) name and address
b) affiliation and position held in the organization
c) educational qualification and professional status
d) experience and training in each field of competence of the certification body
e) date of most recent updating of record
f) performance appraisal
g) area of technical expertise, e.g. NACE codes.

2.9.8 Procedures for Audit Teams

Audit teams are provided with up-to-date assessment instructions and all relevant information on certification arrangements and procedures.

2.10 Sub-Contracting

2.10.1 Whenever the Certification Body decides to sub-contract work related to certification (e.g. audits) to an external body or person, a properly documented agreement covering the arrangements, including confidentiality and conflict of interests, will be drawn up. The Certification Body will

a) take full responsibility for such sub-contracted work and maintain its responsibility for granting, maintaining, extending, reducing, suspending or withdrawing certification

b) ensure that the sub-contracted body or person is competent and complies with the applicable provisions of this document and is not involved, either directly or through its employer, with the design/development of a quality system/product in such a way that impartiality could be compromised

c) obtain the consent of the applicant or certified/registered client in the form of consent and from the external assessors/experts in the appointment letters.


2.10.2 Requirements at Cl No. 2.10.1 a) and b) are also relevant, by extension, when the Certification Body grants its own certification based on the work of another Certification Body with which it has signed an agreement.

2.10.3 Where work related to certification has been undertaken prior to the application for certification, the Certification Body may take account of it, in which case it takes full responsibility for certification as described in Cl 2.10.1 (a) above and satisfies itself regarding the matters detailed in Cl 2.10.1 (b).

2.11 Non-conformance Handling and Corrective/Preventive Action

2.11.1 The Certification Body will ensure that any non-conformance detected/reported at any stage of certification activities, by anyone, is removed/cleared within the earliest possible time. The control of non-conformance provides for

- Identification
- Documentation
- Evaluation
- Segregation (where practical)
- Disposition of non-conformance
- Notification to all concerned.

2.11.2 The following identifies the responsibility for review and authority for disposition of non-conformances

Sl. No. | Type of Non-conformance | Responsibility for Review | Authority for Disposition
i) | Documented quality system related: non policy issues | Management Representative | Chief Executive Officer
i) | Documented quality system related: policy issues | Chief Executive Officer | Management Committee
ii) | Certification operations related: pre-certification and post-certification | Operations Personnel | Chief Executive Officer

2.11.3 Any non-conformance detected within the system will be reported to identified authorities as in cl. 2.11.2 for review and disposal action. Customer complaints and audit related non-conformances are reported to the Management Representative (MR) who in turn will notify concerned authorities for review and disposal action.

2.11.4 Management Committee is responsible for disposal of any un-resolved non-conformances.

2.11.5 Identified authorities for disposal action as in 2.11.2 are responsible for initiating adequate and appropriate corrective/preventive action commensurate with the magnitude of the problems and levels of risks. Any changes to the procedures/practices are recorded and implemented.

2.11.6 Certification Body ensures that identified corrective/preventive actions are taken and are effective. Relevant information on the actions is submitted for management review.

2.12 Records

2.12.1 The Certification Body maintains a record system to comply with existing regulations. The records demonstrate that the certification procedures have been effectively fulfilled, particularly with respect to application forms, assessment reports, and other documents relating to granting, maintaining, extending, reducing, suspending or withdrawing certification. The records are identified, managed and disposed of in such a way as to ensure the integrity of the process and confidentiality of the information. These records are kept for at least one full certification cycle (i.e. 3 Years).

2.12.2 The Certification Body has procedures (Doc. No IT CERT/P06) for retaining records for a period consistent with its contractual, legal or other obligations. Access to these records is consistent with the confidentiality requirement of this document.

2.13 Confidentiality

2.13.1 The Certification Body has adequate arrangements, consistent with applicable laws, to safeguard confidentiality of the information obtained in the course of its certification activities at all levels of its organization, including committees and external bodies or individuals acting on its behalf. All the personnel, except officials of the Ministry of Communication & Information Technology, involved in certification activities as members of the various committees and Board are required to sign a Confidentiality Statement (Form No. ITCERT/F05), to safeguard confidentiality of the information obtained during their association with certification activities. Ministry officials are already bound by the Code of Confidentiality with the Government of India at the time of appointment.

2.13.2 Except as required in this document, information about a particular product or client will not be disclosed to a third party without the written consent of the client. Where the law requires information to be disclosed to a third party, the client will be informed of the information provided as permitted by the law.

2.14 Liability

2.14.1 The Certificate of Registration given to a client under the scheme shall not be regarded as in any way diminishing the mutual contractual responsibilities/obligations between the client and his customer. While the Certificate of Registration will normally be a sound indicator of the capability of the Client to implement a management system, e.g. information security, in line with the applicable standard, it should not be taken as a sort of guarantee accorded by the Certification Body.

2.15 Appeals, Complaints and Disputes

2.15.1 Appeals, Complaints and Disputes brought before the Certification Body by client or other parties are subject to the procedures of the Certification Body.

Appeals - Doc No. IT CERT/P07
Complaints/Disputes - Doc. No. IT CERT/P08

2.15.2 The Certification Body will

a) keep a record of all appeals, complaints and disputes and remedial actions relative to certification

b) take appropriate corrective and preventive action

c) document the actions taken and assess their effectiveness.

2.16 Changes in the Certification Requirements

The Certification Body will give due notice of any changes it intends to make in its requirements for certification. It will take account of views expressed by the interested parties before deciding on the precise form and effective date of the changes. Following a decision on, and publication of, the changed requirements it shall verify that each certified client carries out any necessary adjustments to its procedures within such time, as in the opinion of the Certification Body, is reasonable.


Section 3: Requirements for Certification

3.1 Application for Certification

3.1.1 Information on the Procedure

3.1.1.1 A detailed description of the assessment and certification procedures and the documents containing the requirements for certified clients are maintained up-to-date as specified in Cl No. 2.8. These are provided to applicants and certified clients, appropriate to each certification scheme.

3.1.1.2 The Certification Body requires that a client organisation:

a) always complies with the relevant provisions of the certification programme

b) makes all necessary arrangements for the conduct of the assessment, including provision for examining documentation and the access to all areas, records (including internal audit reports) and personnel for the purposes of assessment, surveillance, re-assessment and resolution of complaints

c) only claims that it is certified with respect to those activities for which it has been granted certification

d) does not use its certification in such a manner as to bring the Certification Body into disrepute and does not make any statement regarding its certification which the Certification Body may consider misleading or unauthorized

e) upon suspension or withdrawal of its certification (however determined) discontinues use of all advertising matter that contains any reference thereto and returns any certification documents as required by the Certification Body

f) uses certification only to indicate that the system or product is in conformity with specified standards or other normative documents, and does not use its certification to imply otherwise

g) ensures that no certification document, mark or report nor any part thereof is used in a misleading manner

h) in making reference to its certification in communication media such as documents, brochures or advertising, complies with the requirements of the Certification Body.


3.1.1.3 When the desired scope of certification is related to a specific programme, any necessary explanation is provided to the applicant.

3.1.1.4 If requested, additional application information is provided to the applicant.

3.1.2 The Application

3.1.2.1 The Certification Body requires an official Application Form duly completed, and signed by a duly authorized representative of the applicant, in which or attached to which

a) the scope of the desired certification is defined
b) the applicant agrees to comply with the requirements for certification and to supply any information needed for its evaluation.

3.1.2.2 At least the following information is to be provided by the applicant prior to the on-site assessment

a) the general features of the applicant such as corporate entity, name, addresses, legal status, and where relevant, human and technical resources

b) general information concerning the system and the activities it covers

c) a description of the system/products to be certified and the standards or other normative documents applicable (if known to the applicant)

d) a copy of the system manual and, where required, the associated documentation.

Note

1. The appointed Lead Assessor will examine the information provided by the applicant and will decide on the need for an on-site visit to ascertain the adequacy of preparedness of the applicant.

2. The information gathered from the application documentation and the system manual review as well as the on-site visit may be used for the preparation of the assessment and will be treated with appropriate confidentiality.

3.1.2.3 Detailed instructions on application handling are covered in Doc No. IT CERT/P09.

3.2. Preparation for assessment

3.2.1 Before proceeding with the assessment the Certification Body will conduct, and maintain records of, a review of the request for certification to ensure that

a) the requirements for certification are clearly defined, documented and understood

b) any difference in understanding between the Certification Body and the applicant is resolved

c) the Certification Body has the capability to perform the certification service in respect to the scope of the certification sought, the location of the applicant’s operations and any special requirements such as the language used by the applicant.

In conclusion, a Certification Agreement in Doc No. IT CERT/D07 is entered into with the applicant. The multi-site sampling procedure under ISMS is defined in doc. ISMS/D05.

3.2.2 The Certification Body will prepare a plan for its assessment activities to allow for the necessary arrangements to be managed.

3.2.3 The Certification Body will nominate a qualified assessment team to evaluate all material collected from the applicant and to conduct the assessment/evaluation on its behalf. Experts in the areas to be assessed may be attached to the Certification Body’s team as advisers.

3.2.4 The client will be informed of the names of the members of the assessment/evaluation team who will carry out the assessment/evaluation with sufficient notice to appeal against the appointment of any particular auditors or experts.

3.2.5 The assessment/evaluation team will be formally appointed and provided with the appropriate working documents. The plan for and the date of the assessment/evaluation will be agreed to with the client. The mandate given to the team will be clearly defined and made known to the client, and will require the team to examine the structure, policies and procedures of the client and confirm that these meet all the requirements relevant to the scope of certification and that the procedures are implemented and are effective so as to give confidence in the products, processes or services of the client.

In case of investigation of complaints, or in response to changes, or as a follow-up of a suspended client, the assessment shall be conducted at short notice, taking due care about the lack of opportunity for the client to object to the audit team members. The client shall be informed of the conditions under which the short-notice visit is to be conducted.

3.2.6 Detailed procedure on preparation for assessment is covered in Doc No. IT CERT/P10.

3.3 Assessment

3.3.1 The assessment team will assess the system of the client covered by the defined scope against all applicable certification requirements.

3.3.2 Detailed procedure on conduct of assessment is covered in Doc No. IT CERT/P11.

3.4 Assessment Report

3.4.1 The certification body has reporting procedures, which will ensure that

a) a meeting takes place between the assessment team and the client’s management with particular reference to certification requirements and provides an opportunity for the client to ask questions about the findings and their basis;

b) the assessment team provides the Certification Body with a report of its findings as to the conformity of the client’s system with all of the certification requirements. One copy of the report is also handed over to the client during the closing meeting;

c) a report on the outcome of the assessment is promptly brought to the client’s attention by the Certification Body, identifying any non-conformity to be discharged in order to comply with all of the certification requirements and the extent of any further assessment required;

d) the Certification Body will invite the client to comment on the report and to describe the specific actions taken, or planned to be taken within a defined time, to remedy any non-conformity with the certification requirements identified during the assessment. The Certification Body will inform the client of the need for full or partial re-assessment or whether a written declaration to be confirmed during surveillance will be considered adequate;

e) the report will contain as a minimum

- date(s) of assessment
- the names of the person(s) responsible for the report
- the names and addresses of all sites visited for assessment
- the scope of certification or reference thereto, including reference to the standard applied
- comments on the conformity of the client’s system with the certification requirements with a clear statement of non-conformity and, where applicable, any useful comparison with the results of previous assessments of the client
- an explanation of any differences from the information presented to the body at the closing meeting

3.4.2 If the report authorized by the Certification Body differs from the report referred to in Cl 3.4.1 (c) and (e), it will be submitted to the client, with an explanation of any differences from the previous report.

The report will take into consideration


a) the qualification, experience and authority of the staff encountered;

b) the adequacy of the internal organization and procedures adopted by the applicant body to give confidence in the system;

c) the actions taken to correct identified non-conformities, including, where applicable, those identified during previous visits.

3.4.3 Detailed procedure on assessment reporting is covered in Doc No. ITCERT/ P11.

3.5 Decision on Certification

3.5.1 The decision whether or not to certify a client’s system will be taken by the CEO based on the recommendation of the Certification Committee on the basis of the information gathered during the certification process and any other relevant information. Those who make the certification decision will not have participated in the assessment (i.e. members of the Certification Committee). Where necessary, the Certification Committee will seek an expert’s opinion to determine the technical basis for its decisions.

Decision taking in relation to the Certification/registration function

The entity which may be an individual, which takes the decision on granting/withdrawing a certification/registration within the certification/registration body, shall incorporate a level of knowledge and experience in all areas which is sufficient to evaluate the audit processes and associated recommendations made by the audit team.

The entity which takes the decision on granting certification should not normally overturn a negative recommendation of the audit team. If such a situation does arise, the certification/registration body shall document and justify the basis for the decision to overturn the recommendation.

3.5.2 The Certification Body will not delegate authority for granting, maintaining, extending, reducing, suspending or withdrawing certification to an outside person or body.

3.5.3 The Certification Body will provide to each of its clients whose System it certifies a certificate signed by the CEO or an officer who has been assigned such responsibility. These documents will identify for the client and each of its sites covered by the certification

a) the name and address

c) the scope of the certification granted including


- the standards and/or other normative documents to which systems/products are certified
- the product, process or service categories (type or range) and, if appropriate, regulatory requirements, product standards or other normative documents against which products are supplied
- the applicable certification system

d) the effective date of certification and the term for which the certification is valid.

Simultaneously, arrangements will be made to update the list of certified clients (IT CERT/D08)

3.5.4 Amendment to Scope of Certification (Extension/Reduction)

3.5.4.1 Any application for extension to the scope of a certification that has already been granted will be processed by the Certification Body. The Certification Body will decide what, if any, assessment procedure is appropriate to determine whether or not the amendment should be granted and will act accordingly.

3.5.4.2 The scope of certification will be reduced under the following circumstances

- at the request of the certified client
- persistent problems related to compliance with the standard

3.5.4.3 Detailed procedures for amendment of scope of certification are covered in Doc No. IT CERT/P13.

3.6 Surveillance and Re-assessment

3.6.1 The Certification Body will carry out periodic surveillance and re-assessment at sufficiently close intervals to verify that its clients whose systems are certified continue to comply with the certification requirements.

3.6.2 Surveillance and Re-assessment procedures are consistent with those concerning the assessment and certification of the client’s system as described in this document.

3.6.3 Currently, the following policies (on surveillance and re-assessment) are being pursued

- Surveillance activities, including planning, organising and reporting, are managed through the Certification Body.

- The surveillance activities are subject to special provision if a client with a certified System makes major modifications to the System or if other changes take place which could affect the basis of the certification.


- The assessment carried out by the Certification Body will comply with ISO 19011/17021 and procedures as per Doc No. IT CERT/P11.

- The first surveillance visit after certification will be carried out before completion of one year from the date of certification. For subsequent surveillance visits, the Lead Assessor will recommend the period until the next visit, which in any case will not be later than 12 months from the date of the previous visit. Where sufficient justification exists, including complaints about the certified client, the Certification Body will alter the surveillance period as appropriate and inform all concerned.

- It is permissible for each surveillance visit to re-examine part of the system, so that assessment of all elements of the applicable system standard/document is completed within each three-year cycle. Each on-site surveillance visit will include a review of at least the following:

  * Corrective action from the previous visit
  * Customer complaints and client response
  * Internal audit and management review results and actions

- The surveillance report will clearly show the part of the system that was assessed on each surveillance visit.

- The entire system will be re-assessed before completion of three years of certification validity, prior to renewal, and the re-assessment process will be on the same lines as the certification assessment. Whenever there is a major change in organization, process, technology etc., a stage-1 audit shall be carried out. As part of recertification, a past performance analysis is to be conducted describing the status of the system during the previous certification cycle.

Further, the Certification Body will examine the need for re-assessment in the event of changes significantly affecting:

  * the activity and operation (such as change of ownership, structure, management or equipment)
  * the standards for conformance and/or
  * the product (change in design/specification)

Besides the above, the Certification Body may decide to carry out re-assessment if analysis or any other information indicates that the certified system may no longer comply with the requirements of certification.


3.6.4 Surveillance and re-assessment procedures are covered in Doc No. ITCERT/P12.

3.7 Suspension and Withdrawal/Cancellation of Certification

3.7.1 Suspension

Certification may be suspended for a limited period at the discretion of the Certification Body under the following circumstances:

- if the surveillance indicates minor non-conformance to the relevant System/requirements and the same is not cleared even after lapse of the initial time period given for corrective actions
- if the surveillance indicates major non-conformance to the relevant System/requirements
- if improper use of the Certificate of Registration or Logo/Mark is not rectified to the satisfaction of the Certification Body
- if the certified client is not regularly involved in the activities for which it is certified
- if there has been any other contravention of the applicable requirements or rules of procedure of the Certification Body

In addition to these, the following situations might also lead to suspension:

- The client's certified management system has persistently or seriously failed to meet the certification requirements, including requirements for the effectiveness of the management system.
- The certified client does not allow surveillance or re-certification audits to be conducted at the required frequencies, or
- The certified client has voluntarily requested a suspension.

An official suspension will be confirmed by the Certification Body to the client and will indicate the conditions under which the suspension will be revoked. The Certification Body may publish notification of the suspension through its website. Upon fulfillment of the indicated conditions within the specified period, the Certification Body will revoke the suspension and notify the client accordingly; otherwise, the certification will be cancelled and the certificate will be withdrawn.

3.7.2 Withdrawal/Cancellation

The Certification Body will cancel certification and withdraw the Certificate and the authorisation for use of the Logo/Mark under the following circumstances:


- if the client under suspension fails to rectify non-conformance within the specified period
- if the client either will not or cannot ensure conformance to changed rules of procedure of the Certification Body
- if the client ceases to supply the product, process or service
- if the client fails to meet its financial obligations to the Certification Body
- at the formal request of the client
- any other serious contravention of applicable requirements or rules of procedure of the Certification Body

The official communication by the Certification Body of the withdrawal/cancellation will be either through a registered letter or equivalent means. The Certification Body will publish notification of the withdrawal/cancellation.

3.8 Use of Certificates/Licenses and Logos/Marks

3.8.1 The Certification Body has procedures (Doc No. ITCERT/D05) to exercise proper control over ownership, use and display of its certificates/licenses and logos/marks of conformity.

3.8.2 If the Certification Body confers the right to use a Logo or Mark to indicate certification of a system/product, the client may use the specified Logo or Mark only as authorized in writing by the Certification Body.

The Certification Body will take suitable action to deal with incorrect references to the certification or misleading use of certificates/licenses and logos/marks found in advertisements, catalogues, etc. Such action could include corrective action, withdrawal of certificate, publication of the transgression and, if necessary, other legal action.

3.9 Access to Records of Complaints to Client

The Certification Body will require the certified client to:

a) keep a record of all complaints made known to the client relating to the product's/service's compliance with applicable requirements, and to make these records available to the Certification Body when requested;

b) take appropriate action with respect to such complaints and any deficiencies found in products or services that affect compliance with the requirements for certification;

c) document the actions taken.


**********

Annexure-I

Documentation Structure

[Figure: documentation hierarchy in two parallel columns, "System Level doc." and "Scheme specific doc.". The system-level column descends IT Manual, Procedures, Forms/Formats, Document; the scheme-specific column descends Manual, Procedures, Forms/Formats, Document.]


Annexure-II

Reporting Structure of 'STQC IT Certification Services'

Figure 1

[Figure: reporting chain Minister, Secretary, STQC Directorate, STQC IT Certification Services, with "Other divisions of Ministry" shown alongside the STQC Directorate.]


Annexure-II

Organization Structure STQC Directorate

Figure 2

[Figure: organization chart with DG, STQC at the top; next row Labs/Centres, STQC HQ, SETE, Special institutions; further boxes LMC, IT & S/W, Cert. Services (Non-IT), Fin & Admin, IT Cert. Services, Standards.]

For details on functional responsibilities of groups other than IT Certification Services, see doc IT CERT/D09.

Abbreviations:

1. DG, STQC - Director General, STQC
2. Labs/Centres - Laboratories/Centres
3. STQC HQ - Standardisation Testing and Quality Certification Head Quarter
4. SETE - Society for Electronics Test Engineering
5. LMC - Laboratories Management and Co-ordination
6. IT & S/W - Information Technology and Software
7. Cert Services (Non-IT) - Certification Services (Non-Information Technology)
8. Fin & Admin - Finance and Administration

Annexure-II

Functional Organisation Structure of STQC IT Certification Services

For details of responsibilities refer document IT CERT/D04

[Figure: organization chart with the boxes Chairman, Advisory Board (AB), Management Committee (MC), Technical Advisory Committee (TAC), CEO, Certification Committee (CC), MR, Operations Personnel HQ, and Assessors/Specialists; the chart is banded into Management Functions, Decision Functions and Executive Functions.]

STQC Certification Services

Nonconformance report

Report no.: ____    Page: ____

Area Assessed: ____    Assessor: ____

Client Representative: ____

NC. Ref    Details of Nonconformance    Cl. ref.    NC class*

Receipt of Nonconformance report acknowledged & contents understood

Signed for client: ____    Signed for STQC Certification Services: ____    Date: ____

*Indicate Major/Minor. If minor, please also indicate one of the following:

*A – System not defined
*B – Procedure/practice not effective
*C – Error (Typographical/otherwise)
*D – Routine action missing/late
*E – Activity not done
*F – Key action ignored

F17, Issue 1. Original to client, copy to certification body.

00/00/2010

1