ISO 16919:2025

International
Standard
ISO 16919
Second edition
Space data and information transfer
2025-03
systems — Requirements for bodies
providing audit and certification
of candidate trustworthy digital
repositories
Systèmes de transfert des informations et données spatiales —
Exigences pour les organismes d'audit et de certification des
référentiels numériques potentiellement de confiance
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is
normally carried out through ISO technical committees. Each member body interested in a
subject for which a technical committee has been established has the right to be represented on
that committee. International organizations, governmental and non-governmental, in liaison
with ISO, also take part in the work. ISO collaborates closely with the International
Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of ISO document should be noted (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO
had not received notice of (a) patent(s) which may be required to implement this document.
However, implementers are cautioned that this may not represent the latest information, which
may be obtained from the patent database available at www.iso.org/patents. ISO shall not be
held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and
does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms
and expressions related to conformity assessment, as well as information about ISO's adherence
to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by the Consultative Committee for Space Data Systems (CCSDS)
(as CCSDS 652.1-M-3, December 2024) and drafted in accordance with its editorial rules. It was
assigned to Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee SC 13,
Space data and information transfer systems and adopted under the “fast-track procedure”.
This second edition cancels and replaces the first edition (ISO 16919:2014), which has been
technically revised.
The main changes are as follows:
— updated references to latest versions of documents, ISO 17021:2015, ISO 16363 and ISO 14721;
— updated to be consistent with the structure of the latest version of ISO 17021-1, for example,
removal of section 8.3 Directory of Certified Clients;
— clarified use of remotes audits in Section 9;
— added CCSDS required subsections in Annex B.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html.
CCSDS 652.1-M-3 Page iii December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
CONTENTS
Section Page
1 INTRODUCTION . 1-1

1.1 PURPOSE . 1-1
1.2 SCOPE . 1-1
1.3 APPLICABILITY . 1-1
1.4 RATIONALE . 1-2
1.5 STRUCTURE OF THIS DOCUMENT . 1-2
1.6 DEFINITIONS . 1-3
1.7 CONFORMANCE . 1-4
1.8 REFERENCES . 1-4

2 OVERVIEW . 2-1

3 RESERVED . 3-1

4 PRINCIPLES . 4-1

5 GENERAL REQUIREMENTS . 5-1

5.1 LEGAL AND CONTRACTUAL MATTERS. 5-1
5.2 MANAGEMENT OF IMPARTIALITY . 5-1
5.3 LIABILITY AND FINANCING . 5-1

6 STRUCTURAL REQUIREMENTS . 6-1

7 RESOURCE REQUIREMENTS . 7-1

7.1 COMPETENCE OF PERSONNEL . 7-1
7.2 PERSONNEL INVOLVED IN THE CERTIFICATION ACTIVITIES . 7-1
7.3 USE OF INDIVIDUAL EXTERNAL AUDITORS AND EXTERNAL
TECHNICAL EXPERTS . 7-1
7.4 PERSONNEL RECORDS . 7-2
7.5 OUTSOURCING . 7-2

8 INFORMATION REQUIREMENTS . 8-1

8.1 PUBLIC INFORMATION . 8-1
8.2 CERTIFICATION DOCUMENTS . 8-1
8.3 REFERENCE TO CERTIFICATION AND USE OF MARKS . 8-1
8.4 CONFIDENTIALITY . 8-1
8.5 INFORMATION EXCHANGE BETWEEN A CERTIFICATION BODY AND
ITS CLIENTS . 8-1
CCSDS 652.1-M-3 Page iv December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
CONTENTS (continued)
Section Page
9 PROCESS REQUIREMENTS. 9-1

10 MANAGEMENT SYSTEM REQUIREMENTS FOR
CERTIFICATION BODIES . 10-1

ANNEX A REQUIRED TRUSTED DIGITAL REPOSITORY
MANAGEMENT SYSTEM (TDRMS) COMPETENCIES
(NORMATIVE) . A-1
ANNEX B SECURITY, SANA, AND PATENT CONSIDERATIONS
(INFORMATIVE) . B-1
ANNEX C AUDIT BY NON-CONFORMANT BODIES (INFORMATIVE) . C-1

CCSDS 652.1-M-3 Page v December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
1 INTRODUCTION
1.1 PURPOSE
The main purpose of this document is to define a CCSDS Recommended Practice (and ISO
standard) on which to base the operations of the organization(s) which assess the
trustworthiness of digital repositories using the latest version of CCSDS 652.0/ISO 16363
(reference [1]) and provide the appropriate certification. This document specifies
requirements for bodies providing audit and certification of digital repositories, based on the
metrics contained within ISO/IEC 17021-1 (reference [4]) and reference [1]. It is primarily
intended to support the accreditation of bodies providing such certification.
ISO/IEC 17021-1 provides the bulk of the requirements on bodies offering audit and
certification for general types of management systems. However, for each specific type of
system, specific additional requirements will be needed, for example, to specify the standard
against which the audit is to be made and the qualifications which auditors require.
This document provides the (small number of) specific additions required for bodies
providing audit and certification of candidate trustworthy digital repositories. Trustworthy
here means that they can be trusted to maintain, over the long-term, the understandability and
usability of digitally encoded information placed into their safekeeping.
In order improve readability the section numbers are kept consistent with those of ISO/IEC
17021-1. Some subsections are applicable as they stand, and these are simply enumerated;
otherwise additions to subsections are explicitly given. In the former case the sections may
consist of just a few sentences. As a result this document must be read in conjunction with
ISO/IEC 17021-1.
1.2 SCOPE
The requirements contained in this CCSDS Recommended Practice need to be demonstrated
in terms of competence and reliability by any organization or body providing certification of
digital repositories.
1.3 APPLICABILITY
This document is meant primarily for those setting up and managing the organization
performing the auditing and certification of digital repositories.
It should also be of use to those who work in or are responsible for digital repositories
seeking objective measurement of the trustworthiness of their repository and wishing to
understand the processes involved.
CCSDS 652.1-M-3 Page 1-1 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
1.4 RATIONALE
There is a hierarchy of standards concerned with good auditing practice (references [3]-[5]).
This document is positioned within this hierarchy in order to ensure that these good practices
can be applied to the evaluation of the trustworthiness of digital repositories.
ISO/IEC 17021-1 Conformity assessment — Requirements for bodies providing audit and
certification of management systems (reference [5]) is an International Standard which sets
out criteria for bodies operating audit and certification of organizations’ management
systems. If such bodies are to be accredited as complying with ISO/IEC 17021-1 with the
objective of auditing and certifying candidate trustworthy digital repositories in accordance
with reference [1], some requirements that are additional to ISO/IEC 17021-1 are necessary.
These are provided by this document.
The text in sections 4 to 10 in this document follows the structure of ISO/IEC 17021-1, with
specific additions on the application of ISO/IEC 17021-1 for certification of candidate
trustworthy digital repositories.
1.5 STRUCTURE OF THIS DOCUMENT
This document is divided into informative and normative sections and annexes.
Sections 1-2 of this document give a high-level view of the rationale, the conceptual
environment, some of the important design issues and an introduction to the terminology and
concepts.
– Section 1 gives purpose and scope, rationale, a view of the overall document
structure, and the acronym list, glossary, and reference list for this document. These
are normative.
– Section 2 provides an overview of auditing practices. This is informative.
– Section 3 is reserved for future use.
– Section 4 states the principles that apply.
– Sections 5 to 10 provide the normative rules against which an organization providing
audit and certification of candidate trustworthy digital repositories may be judged,
based on ISO/IEC 17021-1 (reference [4]).
– Annex A specifies the trusted digital repository management system competencies for
certification body personnel for specific certification functions.
– Annex B is a CCSDS-required informative discussion of the security implications of
applying this CCSDS Recommended Practice.
CCSDS 652.1-M-3 Page 1-2 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
1.6 DEFINITIONS
1.6.1 ACRONYMS AND ABBREVIATIONS
CAB conformity assessment body
CCSDS Consultative Committee for Space Data Systems
IEC International Electrotechnical Commission
ISO International Organization for Standardization
OAIS Open Archival Information System
TDR Trustworthy Digital Repository
TDRMS Trustworthy Digital Repository management system
SANA Space Assigned Numbers Authority
1.6.2 TERMINOLOGY
1.6.2.1 General
Digital preservation interests a range of different communities, each with a distinct
vocabulary and local definitions for key terms. A glossary is included in this document, but it
is important to draw attention to the usage of several key terms.
In general, key terms in this document have been adopted from the Open Archival
Information System (OAIS) Reference Model (reference [2]). One of the great strengths of
the OAIS Reference Model has been to provide a common terminology made up of terms
‘not already overloaded with meaning so as to reduce conveying unintended meanings’.
Because the OAIS has become a foundational document for digital preservation, the common
terms are well understood and are therefore used within this document.
The OAIS Reference Model uses ‘digital archive’ to mean the organization responsible for
digital preservation. In this document, the term ‘repository’ or phrase ‘digital repository’ is
used to convey the same concept in all instances except when quoting from the OAIS, and is
used to denote any type of digital repository; it may be a Trustworthy Digital Repository
(TDR), a candidate TDR, a lapsed TDR, or one not seeking certification. It is important to
understand that in all instances in this document, ‘repository’ and ‘digital repository’ are used
to convey digital repositories and archives that have, or contribute to, long-term preservation
responsibilities and functionality.
1.6.2.2 Glossary
For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1
(reference [4]), references [1], [2], and [3], and the following apply.
Trustworthy Digital Repository, TDR: A repository which has a current certification.
CCSDS 652.1-M-3 Page 1-3 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
1.6.3 NOMENCLATURE
The following conventions apply throughout this Recommended Practice:
a) the words ‘shall’ and ‘must’ imply a binding and verifiable specification;
b) the word ‘should’ implies an optional, but desirable, specification;
c) the word ‘may’ implies an optional specification;
d) the words ‘is’, ‘are’, and ‘will’ imply statements of fact.
1.7 CONFORMANCE
An organization which provides audit and certification for TDRs conforms to this
recommended practice if it fulfils all the binding and verifiable specifications in this document.
1.8 REFERENCES
The following publications contain provisions which, through reference in this text,
constitute provisions of this document. At the time of publication, the editions indicated
were valid. All publications are subject to revision, and users of this document are
encouraged to investigate the possibility of applying the most recent editions of the
publications indicated below. The CCSDS Secretariat maintains a register of currently valid
CCSDS publications.
[1] Audit and Certification of Trustworthy Digital Repositories. Issue 2. Recommendation
for Space Data System Practices (Magenta Book), CCSDS 652.0-M-2. Washington,
D.C.: CCSDS, December 2024 or later. [Equivalent to ISO 16363:2012 or later]
[2] Reference Model for an Open Archival Information System (OAIS). Issue 3.
Recommendation for Space Data System Practices (Magenta Book), CCSDS 650.0-M-
3. Washington, D.C.: CCSDS, December 2024 or later. [Equivalent to ISO 14721:2012
or later]
[3] Quality Management Systems—Fundamentals and Vocabulary. 4th ed. International
Standard, ISO 9000:2015. Geneva: ISO, 2015.
[4] Conformity Assessment—Requirements for Bodies Providing Audit and Certification of
Management Systems—Part 1: Requirements. International Standard, ISO/IEC 17021-
1:2015. Geneva: ISO, 2015.
[5] Conformity Assessment—Vocabulary and General Principles. 2nd ed. International
Standard, ISO/IEC 17000:2020. Geneva: ISO, 2020.
CCSDS 652.1-M-3 Page 1-4 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
2 OVERVIEW
This document addresses issues arising from applying good audit practice to auditing and
certifying whether and to what extent digital repositories can be trusted to look after digitally
encoded information for the long-term, or at least for the period of their custodianship of that
digitally encoded information.
It covers principles needed to inspire confidence that third party certification of the
management of the digital repository has been performed with
– impartiality,
– competence,
– responsibility,
– openness,
– confidentiality, and
– responsiveness to complaints.
This document specifies the ways of ensuring that the body providing such third party
certification can inspire this confidence. It does this by building on the more general
specifications of references [3]-[5].
Section 5 deals with the legal aspects and guarantees of impartiality and avoidance of
conflicts of interest.
The structure and management of the organization is specified in section 6, which is
supported by the competences of the management and personnel, specified in section 7.
Section 8 sets out how the information about which organizations have been certified is made
available.
The requirements in the procedures for defining the scope and performance of the audit, the
initial certification decision, and the ways in which that certification may be confirmed,
reduced in scope, suspended, or withdrawn are given in section 9. This section also specifies
how complaints are dealt with.
The management system of the auditing body itself is specified in section 10.

CCSDS 652.1-M-3 Page 2-1 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
3 RESERVED
This section is reserved for future use.

CCSDS 652.1-M-3 Page 3-1 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
4 PRINCIPLES
The principles from ISO/IEC 17021-1:2015, Clause 4 apply.
The term ‘management system’ used in ISO/IEC 17021-1 shall be replaced by ‘trusted digital
repository management system’ in the context of this document.
The following notes are added:
– The organization shall determine whether climate change is a relevant issue.
– Relevant interested parties can have requirements related to climate change.

CCSDS 652.1-M-3 Page 4-1 December 2024
REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION
OF CANDIDATE TRUSTWORTHY DIGITAL REPOSITORIES
5 GENERAL REQUIREMENTS
5.1 LEGAL AND CONTRACTUAL MATTERS
All the requirements from ISO/IEC 17021-1:2015, Clause 5.1 apply.
5.2 MANAGEMENT OF IMPARTIALITY
5.2.1 GENERAL
The requirements from ISO/IEC 17021-1:2015, Clause 5.2 apply. In addition, the following
TDR audit and certification specific requirements and guidance apply.
5.2.2 CONFLICTS OF INTEREST
Members of certification bodies can carry out the following duties without their being
considered as consultancy or having a potential conflict of interest:
a) arranging and participating as a l
...