Archive for November, 2009

I set aside my disappointing contacts with FXXP and RTTP and begin crawling the internet again for companies which cover all three standards and who look like they might not take a massive corporate scale approach to things.  There aren’t (obviously at least) that many of these.

I have decided to make experience of  ISO 27001 the focus of my search for a consultant.  ISO 27001 is much larger and more complex than ISO 9001 and ISO 14001 and requires more detailed expertise.

I have learnt by now the difference between a UKAS accredited ISO auditor and a self-certified or non UKAS auditor. The difference is very important but very few people understand it.

All auditors issue kite marks to companies they audit. UKAS approved auditors are third party monitored and certified by UKAS itself. Other ISO auditors are not independently assessed. The kitemarks issued by each type of auditor look very similar but they are not of the same value.

Public sector bodies and larger companies, who for the most part know their stuff, will look for the UKAS kite mark. The UKAS ISO kitemark has a crown in it. In fact, one of the companies on the Supply London course did not learn the difference between the UKAS and non UKAS audit until after they had completed self-certification (under the non UKAS route) and found it to not be good enough for local councils. They had to reaccredit under UKAS.

There are several companies which offer self-certification (non-UKAS route). Probably the best known of these is QMA, of whom I am aware because over the years I have received several of their mailers. They offer ISO 9001 for £1,900 or something similar. What they are doing is coaching you on interpreting the ISO and confirming for yourself that you meet the standards. You are then permitted to use a QMA Kitemark. This has a big tick in it like other kitemarks but does not have the UKAS Crown.

On the BSI site I find a list of approved auditors for ISO 27001. The auditors I am reviewing on the BSI website are all going to be UKAS accredited. However, I am aware that the non-UKAS consultants may well have material that is useful to me in interpreting the ISOs. So I phone BSI, NQA, LRQA (all UKAS accredited) and also QMA for an information pack to see what I get through and how useful it is.

Based on notes from my diary and other records from April 2008.

So I speak to Peter of FXXP and explain how far I have now got. I say that I am after doing ISO 9001, ISO 14001 and ISO 27001. He says that he can only help with ISO 9001 but he’s sure he can sort it pretty quickly. However, I know that he is assuming he can sort it with a few simple Word documents and forms, which will not fit in with the way I want Data Eliminate to run, integrate with an ERP system etc. He tells me to speak to Liz, which I do.

Liz says FXXP can help with ISO 9001 and ISO 14001 and not with ISO 27001.  She says that if I send her over a spec of exactly what I want then she will get back to me.  (Incidentally, she never does get back to me.)

FXXP represent a frustrating start.  Then out of the blue I receive an email from Adrian – the guy who sat next to me at the “Lack of Quality” seminar.  Adrian says that he knows he was going to email me something but he can’t remember what it was. I can’t remember him saying that he was going to email me anything at all!   However, what he ends up sending over looks very useful. 

He has been talking to an ISO consultant (RPPT Associates) who specialize in doing ISO 9001, ISO 14001 and ISO 18001. ISO 18001 is the Health and Safety standard. Adrian says that RPPT are reasonably priced at about £350 a day, which is an introductory offer. He suggests I give Paul from RPPT a call.

I thank Adrian.  He suggests we meet up for a drink next week.  I accept.

I immediately phone Paul of RPPT and explain my situation to him. When I say I want hand-holding kind of help he says that he’s really booked up for the next few months but if I send something over in writing then he’ll see what he can do. NB – Adrian didn’t have the impression that he was this busy. So far neither of these ISO consultants have been very forthcoming. I will write to them with details of what I need, but I don’t hold out much hope.

Based on notes from my diary and other records from April 2008.

The next salvo of my enquiry and research effort is to try and find someone to coach me through the implementation of these ISOs in a hand-holding kind of way. I think this is going to be a challenge as I suspect most consultants will want to do most of the work themselves. Perhaps even more challenging will be finding one source of help for all three standards - especially a source which has an SME orientation as opposed to a corporate one. I know this will cost money. However, as things presently stand I am uncertain if I am going to make much progress without such assistance, initially at least.

I start by trying to get in touch with Peter of FXXP – “ISO 9001 and BS 7858 man” who I had in for a day back in October 07. After our session in October, Peter phoned and asked me if I’d like to do some management consultancy for his company – which was nice but unfortunately the day rate was far too low for me. It reminded me of what a template-driven version of management consultancy Peter’s was when compared to mine.

It takes me a good half an hour to dig out Peter’s mobile.  I could have gone via Liz (the savvy office manager at FXXP previously mentioned) but I am in the kind of mood where I need immediate results and I don’t want to wait for him to call me tomorrow.

In the end I leave a message on his mobile but I also contact Liz by email so that she sends him a message too.  This guy is going to know I want to speak to him and speak to him NOW!  I am becoming impatient to make progress and get somewhere!  In the end I do have to wait until tomorrow.

Based on notes from my diary and other records from April 2008.

This afternoon I turned my attention to books I can buy so I have been browsing through anything that Amazon has to offer on any of the three standards.  I am focussing particularly on ones written with smaller to mid sized businesses (as opposed to corporates) in mind.

There is a lot on ISO 9001, less on ISO 14001 and comparatively little on ISO 27001. Restricting my searches to books specifically for SMEs doesn’t yield much. Google Books is handy for peeking inside several of the titles I see on Amazon to see if they are relevant. The majority of the books are academic in their approach or talk about management theory. They talk about the models one should use and the considerations one should take into account - but there’s so, so little on practical applications - particularly for an SME.

In the end I buy two books for a total price of about £80.

  1. ISO9001:2000 for Small Business by Ray Tricker and
  2. IT Governance: A Manager’s Guide to Data Security and ISO 27001/ ISO 27002 by Alan Calder

The big potential advantage with the latter is that it was very recently published so it should be up to date.

Based on diary entries from April 2008.

I remember my session with Peter of FXXP Associates from October 2007 and how simple his BS 7858 and ISO 9001 processes were. 

I dig out the folder Peter gave me containing the copies of ISO 9001 and have a look at it. It’s 23 sides long and reads like an Act of Parliament. I have no idea how to interpret most of the clauses and no clue as to which ones apply to a secure data destruction company.

To make matters worse, I cannot figure out from the wording which elements are mandatory and which are optional.  I refer back to Peter’s processes and forms and can see how they relate to certain clauses of the ISO but that still leaves 80% of the text of the Standard unexplained.

This is like needing a lawyer to interpret a law – as the words can have different meanings and if you don’t have experience of interpreting the clauses then it’s very hard.

I know I am up against a huge challenge now.  I can hardly make head or tail of the ISO 9001 Standard which is supposedly the base or easiest standard, and I haven’t even got copies of ISO 27001 and ISO 14001 yet. 

It’s time to launch a large salvo of enquiries and research to enable me to move forward and get answers to three key questions:

  1. What are the minimum compulsory requirements in each standard?
  2. How are they practically integrated into the procedures and processes of a business?
  3. How do the different standards fit together?

Based on diary entries from April 2008.

I attend the Supply London Seminar on how to write a Quality Policy. We are sitting there for 40 minutes before anything happens. The course materials were not biked over the night before, apparently. There aren’t even any pens and paper to take notes.

Vain attempts are made to get the venue to provide these and also for the receptionist at the venue to receive the course material by email, print them out and then photocopy them. We are told to start introducing ourselves to the person next to us to kill time. The guy next to me is Adrian. Adrian works for an office equipment company and is planning to implement ISO 9001, ISO 14001 and ISO 18001. Adrian has done this before in Wales working for another company. He says he has some stuff that might be useful to me so we exchange details.

I am getting increasingly irritated with the seminar and perhaps visibly so. The seminar is about Quality, and I and my fellow delegates have thought up some great things to say to the course leader about the lack of quality. She, though, takes the wind out of our sails by repeatedly saying what a poor quality performance she is putting on. No-one disagrees.

I suffer for a further two and a half hours once the seminar is underway but I do get the message loud and clear that public sector buyers are concerned with ISO 9001 – the Quality Standard and ISO 14001 – the Environmental Standard.

I have now done two Supply London seminars and there are two to go. Supply London are training us to write policy documents which are required if your company is going to supply to the public sector. What is crucial here is the link between the policy document and the ISO Standard. The one sided policy documents (eg. a Quality Policy or an Environmental Policy) should be underpinned by a management system – the structure of which is provided by the relevant ISO.

I originally contacted Supply London to learn how to access the public sector but doing so has diverted my focus back onto ISOs. Getting access to the public sector is about loads of advance spade work, registering as a supplier in various website and directories and patient networking. Clearly if Data Eliminate has the ISOs it will be ahead of the pack.

The importance of this to the business strategy is further underlined by the increasingly parlous state of the economy. Data Eliminate has to be in a position to tender for public sector business as early as is practical.

In light of the Supply London advice and the comment from my Competitor about being only one of two businesses with ISO 27001, the priorities are now ISO 9001 The Quality Standard, ISO 27001 the Information Security Standard and ISO 14001 the Environmental Standard - in that order.

Based on diary entries from April 2008.
