I set aside my disappointing contacts with FXXP and RPPT and begin crawling the internet again for companies which cover all three standards and who look like they might not take a massive corporate scale approach to things. There aren’t (obviously at least) that many of these.
I have decided to make experience of ISO 27001 the focus of my search for a consultant. ISO 27001 is much larger and more complex than ISO 9001 and ISO 14001 and requires more detailed expertise.
I have learnt by now the difference between a UKAS accredited ISO auditor and a self-certified or non-UKAS auditor. The difference is very important but very few people understand it.
All auditors issue kite marks to companies they audit. UKAS approved auditors are third party monitored and certified by UKAS itself. Other ISO Auditors are not independently assessed. The kitemarks issued by each type of auditor look very similar but they are not of the same value.
Public sector bodies and larger companies for the most part who know their stuff will look for the UKAS kite mark. The UKAS ISO kitemark has a crown in it. In fact, one of the companies on the Supply London course did not learn the difference between the UKAS and non-UKAS audit until after they had completed self-certification (under the non-UKAS route) and found it not to be good enough for local councils. They had to reaccredit under UKAS.
There are several companies which offer self-certification (non-UKAS route). Probably the best known of these is QMA – of whom I am aware because over the years I have been the recipient of several of their mailers. They offer ISO 9001 for £1,900 or something similar. What they are doing is coaching you on interpreting the ISO and confirming for yourself that you meet the standards. You are then permitted to use a QMA Kitemark. This has a big tick in it like other kitemarks but does not have the UKAS Crown.
On the BSI site I find a list of approved auditors for ISO 27001. The auditors I am reviewing on the BSI website are all going to be UKAS accredited. However, I am aware that the non-UKAS consultants may well have material that is useful to me in interpreting the ISOs. So I phone BSI, NQA, LRQA (all UKAS accredited) and also QMA for an information pack to see what I get through and how useful it is.
Based on notes from my diary and other records from April 2008.
So I speak to Peter of FXXP and explain how far I have now got. I say that I am after doing ISO 9001, ISO 14001 and ISO 27001. He says that he can only help with ISO 9001 but he’s sure he can sort it pretty quickly. However, I know that he is assuming he will sort it with a few simple Word documents and forms which will not fit in with the way I want Data Eliminate to run, integrate with an ERP system etc. He tells me to speak to Liz which I do.
Liz says FXXP can help with ISO 9001 and ISO 14001 and not with ISO 27001. She says that if I send her over a spec of exactly what I want then she will get back to me. (Incidentally, she never does get back to me.)
FXXP represent a frustrating start. Then out of the blue I receive an email from Adrian – the guy who sat next to me at the “Lack of Quality” seminar. Adrian says that he knows he was going to email me something but he can’t remember what it was. I can’t remember him saying that he was going to email me anything at all! However, what he ends up sending over looks very useful.
He has been talking to an ISO consultant (RPPT Associates) who specialize in doing ISO 9001, ISO 14001 and ISO 18001. ISO 18001 is the Health and Safety standard. Adrian says that RPPT are reasonably priced at about £350 a day which is an introductory offer. He suggests I give Paul from RPPT a call.
I thank Adrian. He suggests we meet up for a drink next week. I accept.
I immediately phone Paul of RPPT and explain my situation to him. When I say I want hand-holding kind of help he says that he’s really booked up for the next few months but if I send something over in writing then he’ll see what he can do. NB – Adrian didn’t have the impression that he was this busy. So far neither of these ISO consultants has been very forthcoming. I will write to them with details of what I need, but I don’t hold out much hope.
Based on notes from my diary and other records from April 2008.
The next salvo of my enquiry and research effort is to try and find someone to coach me through the implementation of these ISOs in a hand-holding kind of way. I think this is going to be a challenge as I suspect most consultants will want to do most of the work themselves. Perhaps even more challenging will be finding one source of help for all three standards - especially a source which has an SME orientation as opposed to a corporate one. I know this will cost money. However, as things presently stand I am uncertain if I am going to make much progress without such assistance initially at least.
I start by trying to get in touch with Peter of FXXP – “ISO 9001 and BS 7858 man” who I had in for a day back in October 07. After our session in October, Peter phoned and asked me if I’d like to do some management consultancy for his company – which was nice but unfortunately the day rate was far too low for me. It reminded me of what a template-driven version of management consultancy Peter’s was when compared to mine.
It takes me a good half an hour to dig out Peter’s mobile. I could have gone via Liz (the savvy office manager at FXXP previously mentioned) but I am in the kind of mood where I need immediate results and I don’t want to wait for him to call me tomorrow.
In the end I leave a message on his mobile but I also contact Liz by email so that she sends him a message too. This guy is going to know I want to speak to him and speak to him NOW! I am becoming impatient to make progress and get somewhere! In the end I do have to wait until tomorrow.
Based on notes from my diary and other records from April 2008.
I attend the Supply London Seminar on how to write a Quality Policy. We are sitting there for 40 minutes before anything happens. The course materials were not biked over the night before apparently. There aren’t even any pens and paper to take notes.
Vain attempts are made to get the venue to provide these and also for the receptionist at the venue to receive the course material by email, print them out and then photocopy them. We are told to start introducing ourselves to the person next to us to kill time. The guy next to me is Adrian. Adrian works for an office equipment company and is planning to implement ISO 9001, ISO 14001 and ISO 18001. Adrian has done this before in Wales working for another company. He says he has some stuff that might be useful to me so we exchange details.
I am getting increasingly irritated with the seminar and perhaps visibly so. The seminar is about Quality, and I and my fellow delegates have thought up some great things to say to the course leader about the lack of quality. She, though, takes the wind out of our sails by repeatedly saying what a poor quality performance she is putting on. No-one disagrees.
I suffer for a further two and a half hours once the seminar is underway but I do get the message loud and clear that public sector buyers are concerned with ISO 9001 – the Quality Standard and ISO 14001 – the Environmental Standard.
I have now done two Supply London seminars and there are two to go. Supply London are training us to write policy documents which are required if your company is going to supply to public sector. What is crucial here is the link between the policy document and the ISO Standard. The one-sided policy documents (e.g. a Quality Policy or an Environmental Policy) should be underpinned by a management system – the structure of which is provided by the relevant ISO.
I originally contacted Supply London to learn how to access the public sector but doing so has diverted my focus back onto ISOs. Getting access to the public sector is about loads of advance spade work, registering as a supplier in various websites and directories and patient networking. Clearly if Data Eliminate has the ISOs it will be ahead of the pack.
The importance of this to the business strategy is further underlined by the increasingly parlous state of the economy. Data Eliminate has to be in a position to tender for public sector business as early as is practical.
In light of the Supply London advice and the comment from my Competitor about being only one of two businesses with ISO 27001, the priorities are now ISO 9001 The Quality Standard, ISO 27001 the Information Security Standard and ISO 14001 the Environmental Standard - in that order.
Based on diary entries from April 2008.
I am booked onto the Supply London Health and Safety Seminar today. I attend because I think all these will help me tackle the public sector. The seminar itself is basic, centred on writing a one-sided HSE policy document. But the notes and suggested additional sources of information are good.
Based on diary entries from April 2008.
I have my first meeting with my Supply London Advisor, Arthur, today. He spends a while telling me what Supply London does and the politics and difficulties of working for a government agency. He used to be a corporate buyer himself.
Arthur expresses some doubt as to whether Data Eliminate can be helped by Supply London as Arthur has to link the work he does to the number of jobs created to satisfy government statistics etc. I get the message the whole thing might be too target driven and not centred on helping businesses in the most practical way. Arthur has a form analysing his work which he asks me to sign.
The good news is that he says he has ISO 9001 experience and that he can advise with the preparation of documentation and also on the first internal audit. This could be really helpful. He seems unsure about exactly how much he can help. I think the chemistry is ok. I aim to use him when I really need to and save up some sensible questions to maintain the goodwill.
Based on entries from my diary in March 2008.
With regards to the overall development of the business things are now starting to take shape. The company has a website, promotional material and a brand identity. I am settled on an on site data destruction business model and that there will be no US joint venture. Finally, I have a preferred ERP package.
I am always conscious of the need to get the phasing of a start-up right. In other words if something is going to take a while to come to fruition then make sure you start it early. One such example is becoming a supplier in the public sector. One part of achieving this is having the accreditations and the ISOs – another is learning your way around the public sector – how to “play the game”. I need to consolidate my knowledge about the public sector now so I can build it into the business development plan.
I’ve still got Steven Regelado’s card from the Lambeth Meet the Buyer Event at the YMCA. So I email him and ask him the name of the lady who presented alongside him which I have forgotten. After a short delay he replies that it’s Carol Hustler of Supply London.
I speak to Carol. She tells me I need to register with Supply London. I can attend some free training courses aimed at helping become a public sector supplier. One on Health and Safety, one on environmental considerations, one on writing a quality policy and another all day one on supplying the public sector in general. I might also get free help from a consultant.
After my previous dealings with Business Link, I am sceptical about the level and quality of advice one gets from these government agencies. But I am going to take full advantage and attend the courses.
Based on entries in my diary from March 2008.
Junk mail inspired activity again. Over the past months I have attended a number of information security events and have had my business details recorded thereat.
This morning, a circular email arrives from the company who I judge to be my biggest potential competitor offering tours of their impressive new headquarters and data destruction processing facility.
I am on the phone like a shot. It takes about 3 calls without response but I am then booked in for the following week. A one to one with the sales director, Geoff.
On the day, I have some trouble finding the facility – there’s no sign outside. I am given two hours of one to one treatment including a personal tour of their destruction facility and a slide presentation with lots of interesting information about their business.
I am sure I am asking too many questions but pluck up the courage to ask for copies of the slides to be emailed. I am told this will happen. There is a serious opportunity for partnership here.
Apparently, these guys are one of only two in business of their kind in the country that have ISO 27001. “Give me a little time and there’ll be three,” I think to myself. Interesting too that they have gone for ISO 27001 and not BS 8470. I didn’t really register this difference at first as I had assumed that BS 8470 was the standard.
The Managing Director told me some amazing statistic that I can’t remember exactly. But it was something like that during 2007, over 2,000 businesses had set up in recycling but only 5 of those had set up in IT Security. “My strategy is right,” I thought.
Based on an account recorded in my diary from January 2008.
One of many bits of (junk) mail I receive as a long suffering company director is an invitation from Lambeth Council to a Meet the Buyer Event aimed at helping local businesses become suppliers to the Council. I accept the invite.
My expectations are not particularly high when I turn up. The YMCA at Stockwell doesn’t sound like the classiest of venues and when I get there it’s fallen down (I later discover it is in fact being rebuilt). There are about 60 people in the audience. I pick up the vibe that most of these people are from very small businesses.
There are three or four presentations and they are short and to the point. The messages are that Lambeth has a specific initiative to help small businesses become public sector suppliers, and that if you are going to become a small business supplier it’s more likely to be as a second or third tier supplier to a larger private company which has won a large council contract.
Particularly impressive is a lady called Carol Hustler of Supply London. She presents really well and seems to know her subject. The colourful Steven Regalado from the Lambeth Council procurement department is also very approachable.
Questions from the floor are basic and largely uninspiring. I ask what turnover companies require before they will get council contracts. Stephen explains that most councils won’t give a company an order which is worth more than a quarter of its turnover.
At the end, I get Stephen’s business card but Carol has run out of them. I nearly didn’t respond to the invite but I am glad I came – good event.
Based on an account recorded in my diary from December 2007.
Perhaps my knowledge of ERP systems makes me pay particular attention to this issue. But one of the central reasons for finding out about International Standards and what they mean at this stage of the business development is so that I don’t start using an ERP system which turns out not to be compatible with the requirements of ISOs further down the line.
As a confidential data shredding business, Data Eliminate must be totally scaleable – in that whatever systems, processes and software it starts with can grow with the company up to 200 employees plus. I had assumed that a reasonably complex software configuration would be required by the ISO but this is not the case.
An additional challenge remains – that is to find a software package suitable for on site data destruction services. I know that vehicle tracking/ route planning and bar coding of data tapes, usb sticks, hard drives and the like are going to be demanding requirements. On completing my initial research on ISOs, I will focus on software selection.
I now realize that ISO 9001 in itself is not going to require advanced automated systems and processes and therefore advanced and expensive software. A few weeks ago I thought this might be a showstopper in that the ISO would be so demanding. The task is more to fit Peter’s simple forms in with the way an ERP software works rather than having to configure the software to fit the standard. Much of the box functionality of an ERP system provides automatic compliance in ways which a fully manual system wouldn’t.
Now I need to look more closely at a potential joint venture with a US company and the actual method to be used to deliver the data destruction service.
Based on an account recorded in my diary from November 2007.