Archive for 'General Research'

This morning I am firmly back on the shores of http://www.iso27001security.com/ and looking around again.  Apparently, there’s a discussion forum and a members area which you have to join to access.  The membership criteria are written to deter the unworthy from joining, so to speak.  I write an application which explains I am a management consultant who may be doing this kind of work for clients.  I also say that I could add a review of Alan Calder’s book which I have just read.  I am hoping for an immediate reply but I don’t get one - I’ll have to wait.

Having partially cracked the Statement of Applicability puzzle I am now looking for stuff to help me understand Risk Assessment - or at least risk assessment as it specifically applies to ISO 27001.  Continuing with my swimming in the sea analogy, http://www.iso27001security.com/ does seem to be like a desert island with a few trees of fruit in the middle of a vast ocean.  In my analogy, the ocean represents the internet or life (depending on how profound you want to be) and it is devoid of any information about ISO 27001.

My mind temporarily skips to BBC Radio 4’s Desert Island Discs which I have always listened to and also wanted to play.  I think that if I was marooned on this desert island, I certainly wouldn’t choose the ISO 27001 standard or even a Statement of Applicability to go alongside the Bible and the complete works of Shakespeare.  Would my one luxury on the desert island be a fully certified, UKAS approved integrated management system for a secure data destruction company?  I think not, but I’d love to have one of those on this temperate island (Britain), right now, and be at the end of all this!

I spend a while looking for a copy of ISO 27001 on the internet and just when I think I have wasted my time, I strike gold. On result 26 of the fourth Google search, a copy of ISO 27001 – all 34 pages of it!

Items containing computer hard drives

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact whom I met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001 which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

In the last three days I have been to two Supply London workshops.

The first was the Environmental Workshop. This was a really basic-level course aimed at getting you to think about the environmental aspects of your business. I feel good when I understand where it fits into the overall ISO 14001 accreditation process. It only covers the very early part of the Acorn book. Including the book, I am now in possession of a significant amount of information on ISO 14001 which I have accrued by my own research, and I feel I understand what is required.

Computer media including data tapes must be properly recycled.

The second Supply London event I attended is about Winning Public Sector Business. It’s the third out of the four free courses I get from Supply London and I have been told by other delegates who have already done this one that this is the best course.  (None of these provide hard disk destruction services.)

Things get underway at about 9.30 and go through until about 3. This is the first course where we don’t spend the day thinking about policies and being introduced to common-denominator-level concepts. Most of the slides/talk were about material I didn’t know.

We are given lots of really useful information including a great 58 page printed A4 booklet. At the back was a list of London councils and the way they took quotes and tenders for different values of contracts from the small under £5k, to the biggies over £144k which apparently have to be offered to all EU companies under some directive.

The course explained what councils typically look for in a supplier. The basic requirement is that they have the right balance of skills and experience. Companies are unlikely to win a contract which is worth more than a quarter of their existing turnover. Supply London gave a checklist to measure one’s fitness to supply.

This course just confirms the importance of the ISOs and why they have to be tackled. I made sure I took a second copy of the course material from the empty seat next to me. In 17 years of running and being involved in businesses this is the most useful free handout or course I have had from the government. I can’t believe I am saying this considering the grief government generally causes business!

Based on notes from my diary from June 2008.

Chapter 7 of A Manager’s Guide to Data Security and ISO 27001/ISO 27002 is about countering risks from external parties. Subsequent chapters cover different subjects and the book moves to giving informed and solid advice about what one should consider in determining how to secure one’s organisation under each of these headings. It breaks down the options clearly and it gives links to further information directly within the text as opposed to having to hop to an appendix the whole time. It tells you what to consider, where to get information and how to balance priorities.

It gives very little in the way of examples of how these factors have been assessed and applied in a particular situation and the resulting policy, control or document that arises. This is what is preventing me from getting a clear picture of what I need to do from Mr Calder’s book or any other sources. I know enough about IT and about running businesses to see the value in these chapters but I need hard examples to cement my understanding.

I remain unable to picture exactly what the Risk Assessment or Statement of Applicability should look like in reality from the description in Mr Calder’s book. It is a well written book but at this stage it is of limited help to me.

Continuing to plough through the book isn’t going to get me where I want to be so I am going to need to look elsewhere for these hard examples.

Based on notes from my diary from June 2008.

I am shortly scheduled to attend a Supply London course on writing an Environmental Policy.  Assuming the format is the same as the other courses, it will be about writing a policy which should be underpinned by an environmental management system.  I don’t really have time to wait for the course.  Adrian has told me that there was a Welsh grant to help small business achieve accreditation when he was working in Wales. A similar scheme in England could be useful to me.

I contact Supply London HQ and ask for advance copies of the slides for the course, which apparently they can’t give me.  However, they do give me the name of the organisation running the course.  I speak to Charlotte at www.globalactionplan.org.uk and explain what I am trying to do.  Charlotte is helpful and explains that there is an “Acorn scheme” aimed at helping small businesses achieve an environmental standard.  Acorn is divided into six stages – the sixth stage of which is equivalent to full 14001 certification.

Charlotte puts me in touch with her colleague James.  James is similarly helpful and offers two solutions.  He explains that his organisation does run courses on implementing Acorn or ISO 14001 in conjunction with different regional authorities for the benefit of small business.  There isn’t one in London for another four or five months but there is one in Taunton next week.  My sister lives in Taunton and this is a four-day course which I could attend while staying with her.

The other alternative James offers is one to one coaching. He says I would probably need 3 days to cover stages 1 to 3 of the six stages of Acorn.  This would comprise the same material as that covered on the courses.

I decide to search around online for other Acorn courses.  In the process, I discover the workbook used on this course is available for £50.  At first it’s hard to get hold of, but then I order it from the BSI Bookshop in Chiswick.  It’s entitled “BS8555 Acorn Scheme Workbook - Phased Implementation of Environmental Management Systems” by Chris Sheldon.

I am confident that this book, some of the material at sovereigncertifcation.com, and the hard copy of ISO 14001 that has been promised to me will enable me to make progress working alone on ISO 14001.

Based on notes from my diary and other records from May 2008.

My books arrive from Amazon.  When I get a new business book, I like to read it in its entirety and check out everything in it and then distill it down to the bits that interest me.  I think this comes from dealing with software.  I used to read the entire manual or help system for each bit of software so I knew everything that it was (supposedly) able to do even if I didn’t know exactly how to make it do it.  These two books I have bought from Amazon are going to get the same treatment.

After half an hour looking at Ray Tricker’s book I am agog.  His book is making the subject matter more confusing rather than simplifying it.  I find chapter titles such as “Interoperability of Quality Management Systems” distinctly demotivating.

I read on.  The book goes through the standard clause by clause and talks in general terms about what most companies should do but it is not very precise about how they should do it.

I know this book is a best seller on Amazon but to me the language is far too close to that of the standard itself.  For example it explains that “Quality Assurance personnel are members of the organisation judged competent to carry out quality assurance duties”.

I know that a sentence like this on its own makes sense, but what it tells you is self-evident.  If three or four sentences of this type are packed into the same paragraph then I find myself going nowhere.  Tell me something I don’t know or something that isn’t obvious.  Please distill it down.  Don’t make it so complex and wordy that I can’t make head or tail of it.  It’s just exhausting.

It’s beginning to dawn on me that maybe that is what this industry is about.  The consultants, auditors and others keep things deliberately complicated so they can bamboozle customers and charge lots of money for providing some very simple solutions - like Peter of FXXP’s forms and procedures.  (Peter himself, though, is not a bamboozler.)

It reminds me of many people’s attitudes to accountants.  People who don’t understand accounts are so deferential to accountants.  As soon as an accountant mentions a word like ‘debit’ or ‘credit’, his client often switches off.  The client can’t tell when the accountant is talking a load of baloney and when he’s not.  The accountant sits there, uses lots of long words, is able to cover up bits he doesn’t know and then sends a nice fat invoice afterwards.  In my role as management consultant, I have often helped clients in these kinds of situations.

Ray Tricker provides something that I am really interested in getting hold of – an example Quality Management Manual for an SME.  However, Ray Tricker’s version is a whopping 160 sides long.  Sovereign Certification’s was more like 20 sides.  How can I possibly wade through this lot?

Right now I am very frustrated and disappointed.  This book is a best seller – probably because it’s the only one on the subject.  Maybe it’s useful to some management academics really into the theory and MBAs etc.  For me it’s just compounded the situation.  Its saving grace is the 5 page appendix listing the minimum documents required by the standard.  This is useful – at this stage worth the £40 I paid for the book.

It also says within the book that purchasers of it can buy Word versions of some of the documentation featured in the book on a CD.  I visit the website (http://www.herne.org.uk/).  The amateurish design of the site does not instill confidence.

I send an email enquiring about the CD.

Based on notes from my diary and other records from May 2008.

In my search for hold-your-hand type consultants, my online searching has uncovered two websites which seem of particular interest – www.sovereigncertification.co.uk and www.iso9000.co.uk.

If you dig into the site a bit, Sovereign has a lot of information and downloads on ISO 9001 and ISO 14001 – but not on ISO 27001.  The consultant(s) at www.iso9000.co.uk deal with all three standards – and on the basis of my searching experience, this is unusual.

I speak to Mark Helm, the senior consultant at Sovereign, who is very helpful and sends over a lot of supplementary information.  Mark himself operates within a business model of remotely coaching companies through ISO 9001 and ISO 14001 and providing a series of downloadable templates which the client can amend to suit their particular business.  The downloads include a sample ISO 9001 manual.  This is the first version of one I have seen and I am sure it will be very helpful in deciphering the legalese of the ISO itself into what is practically required within the company.

I also make several unsuccessful attempts to speak to Terry Russell of www.iso9001.co.uk.

Despite this temporary chink of light, I am getting increasingly anxious at the lack of clear progress.  So I decide to write down exactly what I want from these consultants – to write a spec.  This is what most of the unforthcoming ones have requested.  It takes a while but in the end I come up with the one below.

I write a pretty formal letter and talk about decisions of the Board etc which is in line with the way in which I perceive these “ISO types” communicate!

My letter is thus:

REQUEST FOR INFORMATION ON ISO CONSULTANCY SERVICES

We are writing to you to enquire about your services relating to the acquisition by Data Eliminate Ltd of certain ISO Standards.

ISO CERTIFICATION REQUIREMENTS

Data Eliminate (www.dataeliminate.com) has researched a range of accreditations and standards.  With regards to Standards, this has comprised a day of advance consultancy from a UKAS-approved consultant specialising in the security industry, the reading of substantive books on ISO 9001 and ISO 27001, 3 days’ desk research and attendance at 2 courses run by Supply London and participation in its business support scheme.  We have also spoken to business associates who have implemented various standards and obtained telephone overviews from a handful of experienced individuals.

On the basis of our research and information to date, the Board has decided that the following should be Data Eliminate’s priorities:

Standards                        Term      Months to first UKAS Inspection
ISO 9001, ISO 14001, ISO 7858    Short     8
ISO 27001                        Medium    14

The Board has concluded that ISO 18001 has no obvious commercial or practical benefit at present and its introduction would be too burdensome at this stage of the company’s development.

Data Eliminate is aware of the type of premises, equipment and personnel it is going to have.  The objective is to complete as much Standards-related documentation and planning as is practicable before the company focus shifts to servicing customers.  (In saying this, we acknowledge that adhering to Standards is an on-going responsibility).

Our foremost requirement in a supplier of consultancy services is flexibility and the ability to provide services in a way which is compatible with our needs and modus operandi.

We have an intense, fast-moving and thorough approach to the Data Eliminate project and have done considerable homework on this subject. We need a consultant who can take a running start from the position we have already reached.

The purpose of engaging a consultant is to benefit from external advice and experience and to save time and internal resource.

We are aware that many of the Standards’ clauses will not apply to us and that our documentation relating to them can be comparatively concise.  With this in mind, we are seeking the services of a consultant who can provide among other things:

  • A list of the Standards’ elements which are obligatory for all businesses and a separate list for organisations in our line of business.
  • Advice on other non-compulsory elements which may be beneficial to our business in the medium and longer term.
  • Policy, procedure and other templates for the compulsory elements that we can adapt for our own use.
  • Guidance on the wording of Standard elements which are particular to our business.  For example, we believe we have the body of an ISO 9001 Policy Manual of suitable size and style for a business of our size.  However, we require specific advice on the completion of clauses 7.3.1 through 7.3.7.

Before we engage your services, our principal requirement is that we are convinced of your professionalism and efficiency - and that you want our business.

We would also like to be informed of the following - where appropriate in writing:

  • An estimate of consultancy days required from you to help us achieve our short term objectives, over what time period and at what intervals those days will be given.  Associated costs and travel expenses.
  • The amount of internal Data Eliminate man days which will be required working in parallel with your consultant(s) and at what intervals.
  • A similar estimate of man days (external and internal) and costs pertaining to the medium term objective above.
  • An explanation of the work that will be completed by you and that you will expect Data Eliminate to do.
  • Copies of documents such as policy manuals and procedures you have previously prepared (or extracts therefrom) which you believe are similar in length and style to those you would assist us in developing.
  • A brief outline of your experience in dealing with the above Standards.
  • Two references from existing customers who we may contact briefly over the phone to confirm the efficacy of your service.
  • The names and brief backgrounds of the person(s) providing the consultancy, when they are able to start the project and advance notification of any absences or unavailability of key personnel over the next 4 months.
  • A copy of your Terms and Conditions.
  • Details of your professional indemnity insurance (if applicable).

Finally,

  • Please acknowledge receipt of this email by close of business on date in 2008 or by phoning Tel: 0845-1234-400.
  • Responses are required by close of business on xxxx.
  • Data Eliminate requires UKAS approved certification of its Standards.

If you wish to contact us to discuss the above, please call and speak to me on etc

We look forward to hearing from you.

Regards

Julian Fraser

I feel that this really explains the situation.  I send it to Sovereign Certification, www.iso9001.co.uk,  FXXP Associates and Paul from RPPT Associates – recommended by Adrian.

Based on notes from my diary and other records from April 2008.

I set aside my disappointing contacts with FXXP and RPPT and begin crawling the internet again for companies which cover all three standards and who look like they might not take a massive corporate scale approach to things.  There aren’t (obviously, at least) that many of these.

I have decided to make experience of ISO 27001 the focus of my search for a consultant.  ISO 27001 is much larger and more complex than ISO 9001 and ISO 14001 and requires more detailed expertise.

I have learnt by now the difference between a UKAS accredited ISO auditor and a self-certified or non-UKAS auditor.  The difference is very important but very few people understand it.

All auditors issue kite marks to companies they audit.  UKAS approved auditors are third party monitored and certified by UKAS itself.  Other ISO Auditors are not independently assessed.  The kitemarks issued by each type of auditor look very similar but they are not of the same value.

Public sector bodies and, for the most part, larger companies who know their stuff will look for the UKAS kite mark.  The UKAS ISO kitemark has a crown in it.  In fact, one of the companies on the Supply London course did not learn the difference between the UKAS and non-UKAS audit until after they had completed self-certification (under the non-UKAS route) and found it not to be good enough for local councils.  They had to re-accredit under UKAS.

There are several companies which offer self-certification (the non-UKAS route).  Probably the best known of these is QMA – of whom I am aware because over the years I have been the recipient of several of their mailers.  They offer ISO 9001 for £1,900 or something similar.  What they are doing is coaching you on interpreting the ISO and confirming for yourself that you meet the standards.  You are then permitted to use a QMA Kitemark.  This has a big tick in it like other kitemarks but does not have the UKAS Crown.

On the BSI site I find a list of approved auditors for ISO 27001.  The auditors I am reviewing on the BSI website are all going to be UKAS accredited.  However, I am aware that the non-UKAS consultants may well have material that is useful to me in interpreting the ISOs.  So I phone BSI, NQA, LRQA (all UKAS accredited) and also QMA for an information pack to see what I get through and how useful it is.

Based on notes from my diary and other records from April 2008.

So I speak to Peter of FXXP and explain how far I have now got.  I say that I am after doing ISO 9001, ISO 14001 and ISO 27001.  He says that he can only help with ISO 9001 but he’s sure he can sort it pretty quickly.  However, I know that he is assuming he can sort it with a few simple Word documents and forms, which will not fit in with the way I want Data Eliminate to run, integrate with an ERP system etc.  He tells me to speak to Liz, which I do.

Liz says FXXP can help with ISO 9001 and ISO 14001 and not with ISO 27001.  She says that if I send her over a spec of exactly what I want then she will get back to me.  (Incidentally, she never does get back to me.)

FXXP represent a frustrating start.  Then out of the blue I receive an email from Adrian – the guy who sat next to me at the “Lack of Quality” seminar.  Adrian says that he knows he was going to email me something but he can’t remember what it was. I can’t remember him saying that he was going to email me anything at all!   However, what he ends up sending over looks very useful. 

He has been talking to an ISO consultant (RPPT Associates) who specialise in doing ISO 9001, ISO 14001 and ISO 18001.  ISO 18001 is the Health and Safety standard.  Adrian says that RPPT are reasonably priced at about £350 a day, which is an introductory offer.  He suggests I give Paul from RPPT a call.

I thank Adrian.  He suggests we meet up for a drink next week.  I accept.

I immediately phone Paul of RPPT and explain my situation to him.  When I say I want hand-holding kind of help, he says that he’s really booked up for the next few months but if I send something over in writing then he’ll see what he can do.  NB – Adrian didn’t have the impression that he was this busy.  So far neither of these ISO consultants have been very forthcoming.  I will write to them with details of what I need, but I don’t hold out much hope.

Based on notes from my diary and other records from April 2008.

The next salvo of my enquiry and research effort is to try and find someone to coach me through the implementation of these ISOs in a hand-holding kind of way.  I think this is going to be a challenge as I suspect most consultants will want to do most of the work themselves.  Perhaps even more challenging will be finding one source of help for all three standards - especially a source which has an SME orientation as opposed to a corporate one.  I know this will cost money.  However, as things presently stand I am uncertain if I am going to make much progress without such assistance, initially at least.

I start by trying to get in touch with Peter of FXXP – the “ISO 9001 and BS 7858 man” whom I had in for a day back in October 07.  After our session in October, Peter phoned and asked me if I’d like to do some management consultancy for his company – which was nice but unfortunately the day rate was far too low for me.  It reminded me of what a template-driven version of management consultancy Peter’s was when compared to mine.

It takes me a good half an hour to dig out Peter’s mobile.  I could have gone via Liz (the savvy office manager at FXXP previously mentioned) but I am in the kind of mood where I need immediate results and I don’t want to wait for him to call me tomorrow.

In the end I leave a message on his mobile but I also contact Liz by email so that she sends him a message too.  This guy is going to know I want to speak to him and speak to him NOW!  I am becoming impatient to make progress and get somewhere!  In the end I do have to wait until tomorrow.

Based on notes from my diary and other records from April 2008.
