Archive for September, 2009

Perhaps my knowledge of ERP systems makes me pay particular attention to this issue.  But one of the central reasons for finding out about International Standards and what they mean at this stage of the business development is so that I don’t start using an ERP system which turns out not to be compatible with the requirements of ISOs further down the line.

As a confidential data shredding business, Data Eliminate must be totally scalable – in that whatever systems, processes and software it starts with can grow with the company up to 200 employees plus.  I had assumed that a reasonably complex software configuration would be required by the ISO but this is not the case.

An additional challenge remains – that is to find a software package suitable for on-site data destruction services.  I know that vehicle tracking/route planning and bar coding of data tapes, USB sticks, hard drives and the like are going to be demanding requirements.  On completing my initial research on ISOs, I will focus on software selection.

I now realize that ISO 9001 in itself is not going to require advanced automated systems and processes and therefore advanced and expensive software.  A few weeks ago I thought this might be a showstopper in that the ISO would be so demanding.  The task is more to fit Peter’s simple forms in with the way an ERP software works rather than having to configure the software to fit the standard.  Much of the out-of-the-box functionality of an ERP system provides automatic compliance in ways which a fully manual system wouldn’t.

Now I need to look more closely at a potential joint venture with a US company and the actual method to be used to deliver the data destruction service.

Based on an account recorded in my diary from November 2007.

I am curious about retaining a management consultant – or at least someone doing something close to that.  I have not often been on the receiving end of one but have spent the last few years dispensing advice as just that – a Management Consultant.

Peter arrives with a big plastic folder for me containing the full text of ISOs 9001 and BS 7858.  This is very naughty – the origin/copyright info is blacked out in the margin.  It’s a good start for me though – approximately £180 worth of documents.

I assume that we are going to start going through the standards, read each clause and learn what it means and how it applies to Data Eliminate.  Peter has no such plan.  He asks me a number of questions – he wants to see copies of customer orders and enquiries.  I have none.  Eventually he says that doesn’t matter and that we can draft up the necessary documentation.

What astounds me about what Peter did (and charged me £500 for) was its simplicity. That is not a criticism of Peter.  He did a full day’s work, was obliging and he knew his subject area – but perhaps in a way which was slightly blinkered.  He offers value for money and is an obliging guy.  But compared to the type of “management consultancy” I am used to providing – it was so, so simple and based on the reproduction of standard material as opposed to creative thinking.

He had some set of form templates (Word documents) on his laptop – some relating to ISO 9001 and some relating to BS 7858.  Some of these are forms you fill in and others are processes.  It becomes apparent as Peter goes through these that he is giving a template for the paperwork you need to present to an ISO Auditor to prove you comply.

I am still expecting to go through the ISO requirements and work out how I need to configure Data Eliminate’s accounts, CRM, ERP and customer service workflows and processes so I can accommodate the needs of ISOs.  It seems it’s almost the case that if you have a few manual forms you comply.

BS7858 is about vetting your staff’s employment history before they start work.  For this you need a documented process which starts something like this:

1. Requirement to vet security personnel in accordance with BS 7858

2. All applicants must complete an application form and be interviewed

3. Collate completed application forms

4. Set up personnel file

And so on...

It is completely common-sensical.

Another document is a Quote Register done in Excel.  This features fields which would be collected automatically by the most basic QuickBooks or Sage software package.

ISO 9001 requires you to measure the satisfaction of some (but not all) of your customers.  To prove this you have to ask them the question in writing “Were you satisfied with our service?” and that’s about it.

As the day progresses, Peter spends increasingly more time working on his own without my input – he is amending more and more templates.  He is heading them with “Data Eliminate Ltd” and making minor amendments.  I keep expecting in-depth discussions about processes etc. and how they’ll fit in with ERP systems but this doesn’t happen.  I take the decision to let Peter provide as many of these forms as possible to maximise my value for money by the time the day is out.

I am given a useful sheet on what to do next for BS7858 which included the name of a Credit Agency and am advised to register under the Data Protection Act.

By the end of the day I am satisfied that I can move on to look at other aspects of the business idea like the practicalities and machinery for crushing hard drives.  What I don’t have is an understanding of the correlation or interpretation of the long legal-like documents Peter gave me at the start of the meeting (the Standards themselves) with the simple forms he gave me at the end.

Based on an account recorded in my diary from October 2007.

After work I cycle from Moorgate to meet FXXP’s Consultant, Peter.  A man in his sixties is waiting outside; he sees me get off my bike and take it into reception for storing in the luggage room.  I wait 5 minutes in the lobby but already know that the guy outside was Peter.

I buy Peter a beer (this doesn’t happen often and should be appreciated!) and I explain what I want.  He does the basic job in explaining the service he provides.  He tells me that most of the work he has done is in personnel security, e.g. security companies who have to vet their staff.  This means he knows most about BS7858 and has only done one or two BS8470 Secure Destruction of Confidential Material implementations.  Moreover, he explains that the vertical industry standards (like 7858 and 8470) often sit on top of ISO 9001.  He says ISO 9001 is a good starting point and recommends we discuss this to start with, with BS7858 on top.

Despite this good underlying advice, I get the message that he can’t or won’t give me what I want – namely advice about setting up ISO processes for a company which doesn’t as yet (October 07) have any customers.  I arrived on a bike, I am not wearing a suit and also he thinks he’s giving me free advice and he’s not going to get paid.  He’s also apparently booked out for most of the next month.

During this meeting, I realize that faced with an internet which has been unforthcoming with the kind of information I want – and now a reluctant consultant – I am hitting my head against a brick wall and have to be bold to get what I want and part with some cash to get it.

To end the uncertainty and overcome his reluctance I say to Peter, “Ok, well I’ll take one day’s consultancy and the payment will be cheque on visit.”  As if by magic Peter’s pendulum swings from scepticism to a desire to please.  I am taken more seriously.

“Do you work Saturday?” I ask.  “No, but I can do,” he says.  So we are fixed for Saturday coming.

Based on an account recorded in my diary from October 2007.

Security Industry ISO Consultants Required for PC Disposal Company

FXXP call me back. I can tell from this conversation that my challenge is going to be that I am asking for consultancy about a future secure data destruction business when these consultants are used to dealing with pc disposal businesses that exist. I forecast that some of the consultants are going to have a problem getting their head round this.

FXXP focus on security in general. They deal more with security guard companies and facilities management than PC disposal and IT recycling. The first point of contact at FXXP is open minded and offers me an intro meeting with one of her consultants.

She tells me that as a client I will get free copies of the ISOs. The day rate for a consultant is £500 but when you take the £180 cost of the ISO copies off this it suddenly seems more reasonable! The pity is that I have just paid £110 to join the BSI!

I speak to Peter, the nominated consultant, on the phone and he happens to be in London staying in Docklands in a few days’ time. We arrange to meet up.

Based on an account recorded in my diary of October 2007.

Copies of each standard are available from the people that write them - namely the BSI – the British Standards Institute (not the same as the BSIA) but they cost about £90 a shot and I need two of them. It doesn’t seem possible to buy them on other sites significantly cheaper.

I contact the Library of the IOD (Institute of Directors) who (as per normal) come back with some useful information after a few hours’ delay. They send me a list of libraries where you can see the ISO documents. These include City Business Library and Sutton Library (in Surrey). However, on the same sheet it gives the restrictions of the access you get to the documents. E.g. you can only photocopy 10% of any particular document and at other libraries you have to book appointments. This seems unlikely to get me the information destruction material I want at the speed I need it.

You get a significant discount off copies of the standards if you become a member of the BSI. Personal membership is the cheapest at £100 a year. Due to a quirk on the web site one cannot join and then pay for and get access to the standards in one go. You have to wait for your membership to be confirmed.

I apply for BSI Individual Membership and part with approx £110.

I decide to open up a second channel of enquiry – hoping to find out more rather than expecting to engage a service. On the BSIA web site is a firm of ISO consultants who have experience in the security sector. I phone FXXP Associates and speak briefly to a lady who sounds like she knows what she is talking about. She arranges to call me back.

Based on account recorded in personal diary in October 2007.

I have been surfing the internet for hours about BS7858 (Employee Vetting) and BS8470 (Secure Information Destruction). There is plenty of information about generic descriptions of the standards – in other words what they are trying to achieve in terms of security and data destruction and the business case for them. There is no sign of a free copy of the standard itself or any information on what practically one has to do to comply in terms of procedures for computer disposal or WEEE recycling etc.

There are plenty of sites which feature quotes from the standards – it sounds like legalese – but there are no views of the standard as a whole.

There is also little evidence of a central point of contact or a trade association within the UK. Several trails have taken me to the British Security Industry Association which has a broad remit covering anything from night club bouncers through to burglar alarm installers. There is an Information Destruction section and at first this seems like a good potential source of information. On closer investigation, this is much more for established data destruction businesses. I appreciate and understand the BSIA’s reasons for this – but it doesn’t serve me right now.

Based on diary entries from October 2007.

You don’t need to work in the secure data destruction industry to know that councils and other bodies have been losing sensitive data.  Here’s what is meant to be happening to local authority information security.

The National Information Assurance Strategy (NIAS) was published on 27th June 2007 to chart a way to expanding e-government across departments. This was published before the HMRC leak which took place on 22nd November 2007.

In light of both of these, the Data Handling Procedures in Government Final Report Review – SPF70 Security Policy Framework – was produced by the Cabinet Office in November 2008.

Presently, the Information Assurance Maturity Model must be complied with by local authorities before they are given access to GCSx (a big secure network essentially managed by the Department for Work and Pensions).  In order to be connected, local authorities must comply with a CoCo – Code of Connection.

There are five stages in local authority compliance with the Code of Connection.  The first is a basic set of information assurance measures called the Minimum Mandatory Measures.  Only two thirds of local authorities met this first information security goal.  More on this in the next post.
