Archive for 'A. Overall IMS Strategy'

This morning I am firmly back on the shores of http://www.iso27001security.com/ and looking around again.  Apparently, there’s a discussion forum and a members area which you have to join to access.  The membership criteria are written to deter the unworthy from joining or so to speak.  I write an application which explains I am a management consultant who may be doing this kind of work for clients.  I also say that I could add a review of Alan Calder’s book which I have just read.  I am hoping for an immediate reply but I don’t get one - I’ll have to wait.

Having partially cracked the Statement of Applicability puzzle I am now looking for stuff to help me understand Risk Assessment - or at least risk assessment as it specifically applies to ISO27001. Continuing with my swimming in the sea analogy, http://www.iso27001security.com/ does seem to be like a desert island with a few trees of fruit in the middle of a vast ocean. In my analogy, the ocean represents the internet or life (depending on how profound you want to be) and it is devoid of any information about iso27001.

My mind temporarily skips to BBC Radio 4’s Desert Island Discs, which I have always listened to and also wanted to play. I think that if I was marooned on this desert island, I certainly wouldn’t choose the ISO 27001 standard or even a Statement of Applicability to go alongside the Bible and the complete works of Shakespeare. Would my one luxury on the desert island be a fully certified, UKAS approved integrated management system for a secure data destruction company? I think not, but I’d love to have one of those on this temperate island (Britain) right now and be at the end of all this!

So begins the start of a refreshed effort to find the practical or working examples of how to implement 27001 which have so far evaded me. What does it mean for the way my shredding business should handle personal data and comply with legislation such as the Data Protection Act and the WEEE Directive?

I start to give Google a pummelling. There really aren’t many links that look like they are going to give me what I want. So I end up going very deep – to search results 80 and above and opening tens of documents including ones on information assurance, the Cabinet Office and risk management - in pursuit of my goal.

What I really want to find is an Information Security Manual for a small or mid-size organisation which somebody has published on their website – one which is a bit more friendly than the one from the IT Governance Toolkit trial. I am aware that organisations shouldn’t publish such things on their website – particularly those involved in security – as letting the public know about their security systems obviously isn’t a good idea. But I am expecting to find something out there in cyberspace – you can find almost anything else!

The first useful looking document is an Information Security Manual produced by the Pennine Care NHS Trust. This is clearly the kind of thing that I am looking for but it doesn’t strike me as particularly friendly. The first two sides are about “Policy Document Control” and then the index comprises pages 3-5. I have seen this kind of thing before from the Cabinet Office and CESG. The first actual prose appears on page 6:

“1. INTRODUCTION

1.1 The Trust has a duty to protect its information assets and thus to ensure business continuity and minimise the adverse effects of security incidents. Information assets and the IT systems that support them are becoming increasingly more vulnerable as the potential for wider accessibility is facilitated via more powerful computers and communications networks.

1.2 Any loss of the ability to access information could have a significant effect on the efficient operation of the Trust and may result in an inability to provide services to patients and financial loss to the Trust.”

These are to me statements of the very obvious, the like of which feature widely in many ISO 27001 documents I have seen. I know they have to be there but doesn’t their continued use and repetition run the risk of making the user, who should be interested in their content, just switch off?

The document continues for 47 pages. There are guidelines here for information assurance practices including the setting of passwords and controlling access to buildings. However, it’s difficult to determine the structure of the document and how it fits into an overall framework. It is on the right lines of what I am looking for but it is for a very sizeable organisation. I move on.

The next document which catches my eye is an Information Security Business Manual from NHS Wales. This is in Word and is clearly a template with blanks or red text which can be filled in by different NHS branch offices to suit their needs. It’s a lot shorter than the Pennine document at only 24 pages.

Some terms used are very familiar such as “Senior Management Team”. We then get onto “ISMS Operational Forum Membership” which sounds very corporate and, stone me, the Plan/Do/Check/Act (PDCA) model with a little chart makes an appearance on Page 10!

The good thing about this document though is its length. It has some slightly scary headings such as those mentioned above but it strikes me (although I can’t be sure) that somebody has spent a lot of time simplifying things and reducing them down to produce a very well put together template that will save an NHS departmental manager a lot of time in producing an Information Security Manual. Whether the person producing the manual would understand what they were doing beyond filling in the blanks I am not sure. In other words, this document is a bit like doing dot to dot. You join the dots (or fill in the blanks) but can you see the whole picture when you’re finished? Ok, not exactly what I want, but I keep it because it could be useful.

I am aware that the NHS has a lot of data handling procedures and its computers hold a lot of personal data. No central, London based government department seems to have produced similar guidance. The NHS is a good potential customer for our CCT Mark Certified service which we have just formally submitted to CESG and the Cabinet Office as our “Secure Destruction of Data on Hard Drives and Magnetic Media v1.0”!

Based on diary entries from June 2008.

I spend a while looking for a copy of ISO 27001 on the internet and just when I think I have wasted my time, I strike gold. On result 26 of the fourth Google search, a copy of ISO 27001 – all 34 pages of it!

Items containing computer hard drives

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact that I have met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001 which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

In the last three days I have been to two Supply London workshops.

The first was the Environmental Workshop. This was a real basic level course aimed at getting you to think about the environmental aspects of your business. I feel good when I understand where it fits into the overall ISO 14001 accreditation process. It only covers the very early part of the Acorn book. Including the book, I am now in possession of a significant amount of information on ISO 14001 which I have accrued by my own research and feel I understand what is required.

Computer media including data tapes must be properly recycled.

The second Supply London event I attended is about Winning Public Sector Business. It’s the third out of the four free courses I get from Supply London and I have been told by other delegates who have already done this one that this is the best course. (None of these provide hard disk destruction services.)

Things get underway at about 9.30 and go through until about 3. This is the first course where we don’t spend the day thinking about policies and being introduced to real common denominator level concepts. Most of the slides/talk was about material I didn’t know.

We are given lots of really useful information including a great 58 page printed A4 booklet. At the back was a list of London councils and the way they took quotes and tenders for different values of contracts from the small under £5k, to the biggies over £144k which apparently have to be offered to all EU companies under some directive.

The course explained what councils typically look for in a supplier. The basic requirement is that they have the right balance of skills and experience. Companies are unlikely to win a contract which is worth more than a quarter of their existing turnover. Supply London gave a checklist to measure one’s fitness to supply.

This course just confirms the importance of the ISOs and why they have to be tackled. I made sure I took a second copy of the course material from the empty seat next to me. In 17 years of running and being involved in businesses this is the most useful free handout or course I have had from the government. I can’t believe I am saying this considering the grief government generally causes business!

Based on notes from my diary from June 2008.

Chapter 7 of A Manager’s Guide to Data Security and ISO27001/ISO27002 is about countering risks from external parties. Subsequent chapters cover different subjects and the book moves to giving informed and solid advice about what one should consider in determining how to secure one’s organisation under each of these headings. It breaks down the options clearly and it gives links to further information directly within the text as opposed to having to hop to an appendix the whole time. It tells you what to consider, where to get information and how to balance priorities.

It gives very little in the way of examples of how these factors have been assessed and applied in a particular situation and the resulting policy, control or document that arises. This is what is preventing me from getting a clear picture of what I need to do from Mr Calder’s book or any other sources. I know enough about IT and about running businesses to see the value in these chapters but I need hard examples to cement my understanding.

I remain unable to picture exactly what the Risk Assessment or Statement of Applicability should look like in reality from the description in Mr Calder’s book. It is a well written book but at this stage it is of limited help to me.

Continuing to plough through the book isn’t going to get me where I want to be so I am going to need to look elsewhere for these hard examples.

Based on notes from my diary from June 2008.

I continue perusing the ISO 27001 Sample Toolkit. 

I look at a  sample policy. There are 3 or 4 bullet points covering the specifics of the policy itself. Two thirds of the document is made up of the same or very similar standard blurb which appears atop and afoot all the other sample policies.    Other information includes who the author is and where the document can be found. 

Explanations provided within the sample document templates include ones such as “the Organisation protects its networked services in line with its Access Control Policy from unauthorised Access”. This is exactly the same type of sentence as I took Ray Tricker to task for. Is anyone really any the wiser after a sentence like this? Why do you need to state that the purpose of an Access Control policy is to prevent unauthorised access? Isn’t that just common sense?

Even more scarily these templates have big gaps in them where one is meant to insert text to suit one’s organisation. It strikes me that filling in the blanks is not going to be straightforward.  I was hoping more for a “delete the text that doesn’t apply to your organisation” approach.  There is no example text provided that one could lift and adapt to fill these gaps. 

Hints about what might rightly fill the gaps are not straightforward. In one of them, the Toolkit advises me to enter “details of appropriate authentication mechanisms…”. I think this could simply be a requirement for a password. The answer, despite all the documented complexity, is probably that straightforward, but the whole thing is so bamboozling I don’t know!

There is a Policies and Procedures Diagram. I am really expecting overload here. As I double click it I am cringing in anticipation of seeing much complexity before me and how mind boggling it is going to be. My cringe turns to a broad smile as my PC tells me that it doesn’t have the software to open the document up! I happily move on.

Based on entries in my diary from May 2008.

I am shortly scheduled to attend a Supply London course on writing an Environmental Policy. Assuming the format is the same as the other courses, it will be about writing a policy which should be underpinned by an environmental management system. I don’t really have time to wait for the course. Adrian has told me that there was a Welsh grant to help small businesses achieve accreditation when he was working in Wales. A similar scheme in England could be useful to me.

I contact Supply London HQ and ask for advance copies of the slides for the course, which apparently they can’t give me. However, they do give me the name of the organisation running the course. I speak to Charlotte at www.globalactionplan.org.uk and explain what I am trying to do. Charlotte is helpful and explains that there is an “Acorn scheme” aimed at helping small businesses achieve an environmental standard. Acorn is divided into six stages – the sixth stage of which is equivalent to full 14001 certification.

Charlotte puts me in touch with her colleague James. James is similarly helpful and offers two solutions. He explains that his organisation does run courses on implementing Acorn or ISO 14001 in conjunction with different regional authorities for the benefit of small business. There isn’t one in London for another four or five months but there is one in Taunton next week. My sister lives in Taunton and this is a four-day course which I could attend while staying with her.

The other alternative James offers is one to one coaching. He says I would probably need 3 days to cover stages 1 to 3 of the six stages of Acorn.  This would comprise the same material as that covered on the courses.

I decide to search around online for other Acorn courses. In the process, I discover the workbook used on this course is available for £50. At first it’s hard to get hold of, but then I order it from the BSI Bookshop in Chiswick. It’s entitled “BS8555 Acorn Scheme Workbook - Phased Implementation of Environmental Management Systems” by Chris Sheldon.

I am confident that this book, some of the material at sovereigncertifcation.com, and the hardcopy of ISO 14001 that has been promised to me will enable me to make progress working alone on ISO 14001.

Based on notes from my diary and other records from May 2008.

I take stock of the situation as regards the ISO consultants I have contacted.

Terry Russell of www.iso9001.co.uk replied to my requirements letter today but it wasn’t encouraging. He said he could supply everything I wanted – and he is UKAS accredited – but didn’t seem that keen to oblige.

He said:

(a) your Invitation to Tender asks for copies of work that we have produced for others. I simply will not provide the procedures of any of our clients to another organisation, under any circumstances
(b) we normally only provide services to applicants who are referred to us by existing clients. You’ll understand that the risks go both ways. If we provide services to you, I need assurance that you are financially sound and are the sort of client that we would want.

I know this sounds very fussy, but we are fussy about our clients. With your timescales, it would not provide me with sufficient time to conduct our checks on your organisation.

Sorry about that.

I phoned Paul from RPPT Associates but he said that he was too far away and too busy to get involved. He said he could provide coaching from a distance but he suggested I look for someone more local.

On top of this, some considerable time after sending my written requirements to FXXP there is still no reply from them – despite the fact that Liz said she’d look into it.

So it seems that no-one is interested! 

Is it because:

  • My requirements are out of scope for these consultants?
  • My requirements are too exacting and demanding for them?
  • There isn’t really anyone out there who has done what I am trying to do in the way I am trying to do it?

I like to think and hope it’s the latter – if only because it helps me reverse out of this cul-de-sac to spur myself on.

Based on notes from my diary and other records from April 2008.

My books arrive from Amazon.  When I get a new business book, I like to read it in its entirety and check out everything in it and then distill it down to the bits that interest me.  I think this comes from dealing with software.  I used to read the entire manual or help system for each bit of software so I knew everything that it was (supposedly) able to do even if I didn’t know exactly how to make it do it.  These two books  I have bought from Amazon are going to get the same treatment.

After half an hour looking at Ray Tricker’s book I am agog. His book is making the subject matter more confusing rather than simplifying it. I find chapter titles such as “Interoperability of Quality Management Systems” distinctly demotivating.

I read on. The book goes through the standard clause by clause and talks in general terms about what most companies should do but it is not very precise about how they should do it.

I know this book is a best seller on Amazon but to me the language is far too close to that of the standard itself.  For example it explains that “Quality Assurance personnel are members of the organisation judged competent to carry out quality assurance duties”.

I know that a sentence like this as a stand-alone makes sense but what it tells you is self evident. If three or four sentences of this type are packed into the same paragraph then I find myself going nowhere. Tell me something I don’t know or something that isn’t obvious. Please distill it down. Don’t make it so complex and wordy that I can’t make head or tail of it. It’s just exhausting.

It’s beginning to dawn on me that maybe that is what this industry is about.  The consultants, auditors and others keep things deliberately complicated so they can bamboozle customers and charge lots of money for providing some very simple solutions - like Peter of FXXP’s forms and procedures.  (Peter himself  though is not a bamboozler.)

It reminds me of many people’s attitudes to accountants. People who don’t understand accounts are so deferential to accountants. As soon as an accountant mentions a word like ‘debit’ or ‘credit’, his client often switches off. The client can’t tell when the accountant is talking a load of baloney and when he’s not. The accountant sits there, uses lots of long words, is able to cover up bits he doesn’t know and then sends a nice fat invoice afterwards. In my role as management consultant, I have often helped clients in these kinds of situations.

Ray Tricker provides something that I am really interested in getting hold of – an example Quality Management Manual for an SME. However, Ray Tricker’s version is a whopping 160 sides long. Sovereign Certification’s was more like 20 sides. How can I possibly wade through this lot?

Right now I am very frustrated and disappointed. This book is a best seller – probably because it’s the only one on the subject. Maybe it’s useful to some management academics really into the theory and MBAs etc. For me it’s just compounded the situation. Its saving grace is the 5 page appendix listing the minimum documents required by the standard. This is useful – at this stage worth the £40 I paid for the book.

It also says within the book that purchasers of it can buy Word versions of some of the documentation featured within the book on a CD. I visit the website (http://www.herne.org.uk/). The amateurish design of the site does not instil confidence.

I send an email enquiring about the CD.

Based on notes from my diary and other records from May 2008.

In my search for hold-your-hand type consultants, my online searching has uncovered two websites which seem of particular interest – www.sovereigncertification.co.uk and www.iso9000.co.uk.

If you dig into the site a bit, Sovereign has a lot of information and downloads on ISO 9001 and ISO 14001 – but not on ISO 27001. The consultant(s) at www.iso9000.co.uk deal with all three standards – and on the basis of my searching experience, this is unusual.

I speak to Mark Helm, the senior consultant at Sovereign, who is very helpful and sends over a lot of supplementary information. Mark himself operates within a business model of remotely coaching companies through ISO 9001 and ISO 14001 and providing a series of downloadable templates which the client can amend to suit their particular business. The downloads include a sample ISO 9001 manual. This is the first version of one I have seen and I am sure it will be very helpful in deciphering the legalese of the ISO itself into what is practically required within the company.

I also make several unsuccessful attempts to speak to Terry Russell of www.iso9001.co.uk.

Despite this temporary chink of light, I am getting increasingly anxious at the lack of clear progress.  So I decide to write down exactly what I want from these consultants – to write a spec.  This is what most of the unforthcoming ones have requested.  It takes a while but in the end I come up with the one below. 

I write a pretty formal letter and talk about decisions of the Board etc which is in line with the way in which I perceive these “ISO types” communicate!

My letter is thus:

REQUEST FOR INFORMATION ON ISO CONSULTANCY SERVICES

We are writing to you to enquire about your services relating to the acquisition by Data Eliminate Ltd of certain ISO Standards.

ISO CERTIFICATION REQUIREMENTS

Data Eliminate (www.dataeliminate.com) has researched a range of accreditations and standards. With regards to Standards, this has comprised a day of advance consultancy from a UKAS approved consultant specializing in the security industry, the reading of substantive books on ISO 9001 and ISO 27001, 3 days desk research and attendance at 2 courses run by Supply London and participation in its business support scheme. We have also spoken to business associates who have implemented various standards and obtained telephone overviews from a handful of experienced individuals.

On the basis of our research and information to date, the Board has decided that the following should be Data Eliminate’s priorities:

Standards                          Term      Months to first UKAS Inspection
ISO 9001, ISO 14001, ISO 7858      Short     8
ISO 27001                          Medium    14

The Board has concluded that ISO 18001 has no obvious commercial or practical benefit at present and its introduction would be too burdensome at this stage of the company’s development.

Data Eliminate is aware of the type of premises, equipment and personnel it is going to have. The objective is to complete as much Standards-related documentation and planning as is practicable before the company focus shifts to servicing customers. (In saying this, we acknowledge that adhering to Standards is an on-going responsibility).

Our foremost requirement in a supplier of consultancy services is flexibility and the ability to provide services in a way which is compatible with our needs and modus operandi.

We have an intense, fast-moving and thorough approach to the Data Eliminate project and have done considerable homework on this subject. We need a consultant who can take a running start from the position we have already reached.

The purpose of engaging a consultant is to benefit from external advice and experience and to save time and internal resource.

We are aware that many of the Standards’ clauses will not apply to us and that our documentation relating to them can be comparatively concise.  With this in mind, we are seeking the services of a consultant who can provide among other things:

  • A list of the Standards’ elements which are obligatory for all businesses and a separate list for organisations in our line of business.
  • Advice on other non-compulsory elements which may be beneficial to our business in the medium and longer term.
  • Policy, procedure and other templates for the compulsory elements that we can adapt for our own use.
  • Guidance on the wording of Standard elements which are particular to our business.  For example, we believe we have the body of an ISO 9001 Policy Manual of suitable size and style for a business of our size.  However, we require specific advice on the completion of clauses 7.3.1 through 7.3.7.

Before we engage your services, our principal requirement is that we are convinced of your professionalism and efficiency - and that you want our business.

We would also like to be informed of the following - where appropriate in writing:

  • An estimate of consultancy days required from you to help us achieve our short term objectives, over what time period and at what intervals those days will be given.  Associated costs and travel expenses.
  • The amount of internal Data Eliminate man days which will be required working in parallel with your consultant(s) and at what intervals.
  • A similar estimate of man days (external and internal)  and costs pertaining to the medium term objective above.
  • An explanation of the work that will be completed by you and that you  will expect Data Eliminate to do.
  • Copies of documents such as policy manuals and procedures you have previously prepared (or extracts therefrom) which you believe are similar in length and style to those you would assist us in developing.
  • A brief outline of your experience in dealing with the above Standards. 
  • Two references from existing customers who we may contact briefly over the phone to confirm the efficacy of your service.
  • The names and brief backgrounds of the person(s) providing the consultancy, when they are able to start the project and advance notification of any absences or unavailability of key personnel over the next 4 months.
  • A copy of your Terms and Conditions.
  • Details of your professional indemnity insurance (if applicable)

Finally,

  • Please acknowledge receipt of this email by close of business on date in 2008 or by phoning Tel: 0845-1234-400. 
  • Responses are required by close of business on xxxx. 
  • Data Eliminate requires UKAS approved certification of its Standards.

If you wish to contact us to discuss the above, please call and speak to me on etc

We look forward to hearing from you.

Regards

Julian Fraser

I feel that this really explains the situation.  I send it to Sovereign Certification, www.iso9001.co.uk,  FXXP Associates and Paul from RPPT Associates – recommended by Adrian.

Based on notes from my diary and other records from April 2008.
