FAQ35

Is there any procedure or guidance for the use of digital signatures in inspection certificates or inspection reports? When assessing the implementation of requirements relevant to the use of digital signatures, are there aspects that need special consideration?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 7.4  ·  TOPIC: Inspection reports and certificates

Answer:

ILAC has not produced any guidance on the use of digital signatures in inspection certificates or inspection reports. The requirements in ISO/IEC 17020 applicable to digital signatures are those specified in 7.4.2e) and 7.4.4. The former clause specifies that an inspection certificate/report shall include the signature or other indication of approval by authorized personnel. The latter clause emphasises that this information needs to be correct, accurate and clear. For this to be the case, the inspection body would need to have arrangements in place to ensure that any signature applied originates from a person authorised to approve the report/certificate. The wording “or other indication of approval” used in 7.4.2e) indicates that the standard does not expect an advanced arrangement designed to eliminate every conceivable possibility of misuse, but rather a level of assurance on par with that provided by a signature made by pen. It should be noted that the focus of the standard is competence, impartiality and consistency, not the stringent imposition of information security measures.

When assessing the use of digital signatures the following aspects may need to be considered:

1) Is the inspection body using the digital signatures of individuals who have left its employment or whose contractual relationship with the inspection body has ceased? Where such an individual was the only person in the inspection body with particular competencies supporting part of the scope, there may be an incentive for this to happen.

2) Is the application of digital signatures appropriately controlled/restricted? For example, a scanned signature saved on an unrestricted network share would not be acceptable.
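The two assessment points above (a signature applied by someone who has since left, and signing material that is not access-controlled) both come down to the arrangement the answer asks for: a signature must be accepted only if it originates from a person who was authorised to approve the report at the time. The following Go program is an added illustration, not ILAC or ISO text and not a prescribed implementation, of one way to make that check mechanical: an Ed25519 key per authorised signer, a register recording each signer's authorisation period, and a verification step that rejects a report when the signature does not match the registered key, when the content has been altered, or when the approval date falls outside the signer's authorisation period. The register entries, inspector names, dates and report text are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Signer is one record in the inspection body's register of personnel
// authorised to approve reports. The register is a constructed illustration;
// ISO/IEC 17020 does not prescribe its form.
type Signer struct {
	Name       string
	PublicKey  ed25519.PublicKey
	ValidFrom  time.Time
	ValidUntil time.Time // zero value: authorisation has not ended
}

// Register maps a signer identifier to its authorisation record.
type Register map[string]Signer

// SignedReport binds report content to the approver and the approval date.
type SignedReport struct {
	SignerID  string
	Content   []byte
	Approved  time.Time
	Signature []byte
}

// message is the exact byte string that is signed. Including the signer id and
// approval date means a signature cannot be lifted onto other content or
// re-dated into a period when the signer was still authorised.
func message(r *SignedReport) []byte {
	return []byte(fmt.Sprintf("%s|%s|%x", r.SignerID, r.Approved.UTC().Format(time.RFC3339), r.Content))
}

// Sign approves content with the signer's private key. Restricting who holds
// this key is what makes the result an indication of approval by authorised personnel.
func Sign(priv ed25519.PrivateKey, id string, content []byte, approved time.Time) SignedReport {
	r := SignedReport{SignerID: id, Content: content, Approved: approved}
	r.Signature = ed25519.Sign(priv, message(&r))
	return r
}

// Verify accepts a report only if the signature is cryptographically valid
// and the signer was authorised on the stated approval date.
func Verify(reg Register, r SignedReport) error {
	s, ok := reg[r.SignerID]
	if !ok {
		return errors.New("signer not in register")
	}
	if r.Approved.Before(s.ValidFrom) || (!s.ValidUntil.IsZero() && !r.Approved.Before(s.ValidUntil)) {
		return errors.New("signer not authorised on approval date")
	}
	if !ed25519.Verify(s.PublicKey, message(&r), r.Signature) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

// Scenario builds a constructed register with one active and one departed
// inspector and returns the outcome of verifying three reports: one approved
// by the active inspector, one approved by the departed inspector after
// departure, and one approved by the active inspector but altered afterwards.
func Scenario() (active, departed, tampered error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	start := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	reg := Register{
		"insp-001": {Name: "A. Inspector", PublicKey: pubA, ValidFrom: start},
		"insp-002": {Name: "B. Inspector", PublicKey: pubB, ValidFrom: start,
			ValidUntil: time.Date(2023, 6, 30, 0, 0, 0, 0, time.UTC)}, // left the inspection body
	}
	content := []byte("Pressure vessel PV-42: inspected, no defects found") // constructed sample report
	when := time.Date(2024, 3, 15, 0, 0, 0, 0, time.UTC)

	active = Verify(reg, Sign(privA, "insp-001", content, when))
	// The departed inspector still holds a working key, but authorisation has ended.
	departed = Verify(reg, Sign(privB, "insp-002", content, when))
	r := Sign(privA, "insp-001", content, when)
	r.Content = []byte("Pressure vessel PV-42: inspected, minor defects found") // altered after approval
	tampered = Verify(reg, r)
	return
}

func main() {
	active, departed, tampered := Scenario()
	fmt.Println("active signer:   ", active)
	fmt.Println("departed signer: ", departed)
	fmt.Println("altered content: ", tampered)
}
```

The point for an assessor is the second check in Verify: a valid signature from a key that is still physically available is not sufficient on its own, which is exactly the gap behind assessment point 1, and keeping the private keys out of any shared, unrestricted location is what assessment point 2 asks about.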