Archive for 'D. ISO 14001'

I continue working my way through the ISO 27001 Standard Document. When I look at Appendix A, it appears I may be about to make a breakthrough in terms of understanding. The title is Controls and Objectives. For the first time this looks like a list of practical things one has to do to comply with the ISO 27001 Information Security standard.

For example, at A.5.1.1 it declares “An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.” What this practically means is that at minimum I need to find a model Information Security policy, insert my company’s name, sign it and stick it up on the company website and wahey - route one compliance with A.5.1.1! To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company. I am starting to understand what is practically being asked for by ISO 27001, the information security standard.

The next four controls up to A.6.1.3 aren’t as easy as A.5.1.1, but they could be met with a bit of thought and paperwork. I turn the page and there are more controls.

A.6.1.4 says I need an authorization process for new information processing facilities. I get this, but how do I do it in a small organisation? Does this mean a mandatory testing process for any new bit of kit or software? Would my company have the resources for that? Maybe it would just apply to secure data erasure software or hard drive destruction equipment.

A.6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place, which is fair enough and clearly understood.

A.6.1.6 and A.6.1.7 require the maintenance of contacts with authorities and special interest groups in security forums or specialist associations. I don’t know what this means in practice though. What kind of authorities are they talking about? Does this mean government, police or what? Is one meant to have meetings with them? I am also not part of any security-related professional associations - and, if I was going to be, which ones should I try and be a member of? And again, what does “maintain contact” mean exactly?

Having recently been spurred on by the appearance of my “Control of Documents and Records” friends, I am now getting bogged down again. I wonder what lies in the pages ahead. So I turn over and see more controls. I turn again and there are more. And again - more. I gulp - it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.

I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives - I am just looking at the page numbers now - closer focus is detrimental to my well-being.  The wave is right on top of me - what do I do to escape?

My information sources for developing an ISO 14001 manual include:

• A copy of the Standard itself (which arrived by email a couple of days ago)
• My Arthur-shredded (or approved) compact ISO 9001 Manual
• The Acorn Course Book, which cost me £50
• A handout written by NQA, the UKAS-approved system auditors, but actually given to me by Adrian.

I begin by creating a complete stand-alone ISO 14001 manual – even though I know there is going to be duplication between ISO 9001 and ISO 14001. This way might seem more long-winded, but I need to learn each standard one at a time before I merge them. Otherwise it gets too confusing and complicated.

Sovereign Certification provides a useful but wordy version of an ISO 14001 manual. For Data Eliminate’s version, I exclude from the first section of my ISO 14001 manual all Sovereign’s wording which is similar or equivalent to what Arthur deleted from my ISO 9001 manual.

I still find it hard to make sense of the “Interaction of Processes” – but I think it’s probably because it is so simple I can’t understand it - if you know what I mean. The examples of Interaction of Processes charts I have are more concerned with the process of implementing the environmental standard (Plan, Do, Check, Act I suppose) rather than featuring specific Data Eliminate customer service processes.

I work out a number of things in order to keep the ISO 14001 documentation to a minimum. The first is that the six standard procedures required by ISO 14001 (Corrective Action, Preventative Action etc) are almost identical to those required for ISO 9001. In addition, you need a Training Needs Assessment Form to track training you believe your employees need to fill skill gaps. To complement this, you need a Training Record Form to record the details of the actual training.

When compared to the Quality Policy, the Environmental Policy is different in focus but much the same in style. As was the case with ISO 9001, thanks to Supply London I had a morning’s lesson in how to write a policy. However, one could have used someone else’s and created one in a few minutes by making some very minor changes.

Then we get onto the bits which are not part of ISO 9001 but which ISO 14001 requires. These include:

• An Environmental Aspects Register
• An Environmental Aspects Analysis
• A Register of Applicable Laws and Regulations
• A Risk Assessment Methodology

I also add some questions to the Supplier Questionnaire, which is already part of my ISO 9001 manual, and some items to the Management Review Agenda. The Environmental Policy has to be on our website with contact details for the manager responsible. We also need documented environmental objectives.

The first version of my Environmental Management System manual is 25 pages long – a lot more compact than my 53 page long ISO 9001 Quality Manual first starter effort.

I then spend an hour or so removing the items from my ISO 14001 manual that are duplicated in my Arthur approved ISO 9001 manual. After that the Environmental Manual is down to about 14 pages.

Things are coming together nicely. ISO 9001 and ISO 14001 are integrated. I will now need to merge ISO 27001 with them.

I contact Arthur to arrange another session. This time I am going to get him to review my combined manual for ISO 9001 and ISO 14001. I hope that I have pre-weeded it this time so that he doesn’t need to tear it apart or tell me I like detail. If he does that again after all this effort, it will take more than one flapjack in my mouth to keep me quiet!

Based on notes from my diary from June 2008.

Today, Arthur the Supply London advisor comes to assess my draft ISO 9001 Manual. For mutual convenience, we arranged for him to come to my home.

I go up the road before Arthur’s meant to arrive to buy him a flapjack – all part of the PR offensive. I get back 15 minutes before he’s meant to be there but he’s already standing outside the front door looking slightly irritated. He’s come from some way away. I say, “You’re early aren’t you? I just went up the road to buy you a flapjack.” He didn’t break into a grateful smile.

He asks for a coffee. I only have instant coffee but he doesn’t seem to be fazed. He enquires about Data Eliminate’s CCT Mark. I explain that it was given to us by CESG and the Cabinet Office. He asks what CESG is. I explain that it’s the Information Assurance arm of the Cabinet Office. He nods but I am not sure he is any the wiser. Perhaps I haven’t explained it properly. Perhaps I am turning into an information security head and losing my ability to communicate with normal mortals.

I put my 53-page pile in front of him and ask him to review the information. He flicks through the document and asks whether we are destroying data on hard disks and data tapes and then recycling them in line with the WEEE Directive. I nod.

My manual is divided into four sections. Below is the outcome of Arthur’s assessment of the first of its four sections point by point:

Section   Title                                         Arthur’s Assessment
1.0       Introduction
1.1       Organisation Description                      ok
1.2       Scope of Certification                        ok
1.3       Third Party Certification                     ok
2.0       Responsibilities
2.1       Office Based Personnel                        Not needed
2.2       Site Based Personnel                          Not needed
3.0       Business Processes
3.1       Description                                   Not needed
3.2       Implementation & Maintenance                  Not needed
4.0       Quality Management System
4.1       General Requirement                           Not needed
4.2       Documentation Requirements                    Not needed
5.0       Management Responsibility
5.1       Management Commitment                         Not needed
5.2       Customer Focus                                Not needed
5.3       Quality Policy                                Not needed
5.4       Planning                                      Not needed
5.5       Responsibility, Authority and Communication   Not needed
5.6       Management Review                             Not needed

“Is this good or is this bad?” I am wondering.

Arthur interrupts, “Julian, you really like details, don’t you!”

I don’t. I really, really hate detail. If he read my blog he wouldn’t say this. But I maintain my composure because I know that although Arthur is effectively shredding almost half my work, he is helping me a lot.

So that I don’t speak, I reach forward for a flapjack and take an enormous bite out of it which completely fills my mouth. I begin to chew. Arthur continues through the next section. He starts to talk about the Data Protection Act or something but doesn’t finish his point. He continues his review:

Section   Title                                         Arthur’s Assessment
6.0       Resources
6.1       Provision of Resources                        Not needed
6.2       Human Resources                               Not needed
6.3       Infrastructure                                Not needed
6.4       Work Environment                              Not needed
7.0       Product Realisation
7.1       Planning of Product Realisation               Not needed
7.2       Customer Related Processes                    Not needed
7.3       Design and Development                        Not needed
7.4       Purchasing                                    Ok – some amendment needed
7.5       Production and Service Provision              Not needed
7.6       Control of Monitoring and Measuring Devices   Not needed
8.0       Measurement, Analysis and Improvement
8.1       General                                       Not needed
8.2       Monitoring and Measurement                    Not needed
8.3       Control of Nonconforming Product              Not needed
8.4       Analysis of Data                              Not needed
8.5       Improvement                                   Not needed

He hasn’t touched his flapjack.

“So many people think their manual has to repeat what the Standard says,” he exclaims, “you don’t need to do it!”

Arthur is more impressed by the rest of the content. A lot of it, he says though, is just repeating the standard again. He also says that when the manual is applied in practice it will make things more straightforward.

He excuses himself. He leaves the room with me smarting from the “Julian=detail” accusation. I exact revenge by demolishing his flapjack too.

The contrast between the ultra-wordy material I have waded through on ISO standards and information security and Arthur’s approach is marked. Perhaps this is one of those few cases where it’s better to have less information!

I am still chewing intensively when he returns. He is not fazed.

Ironically, Arthur has shredded the last part of my ISO Manual for a secure data destruction or hard drive shredding business! However, in sum Arthur approves of the stuff I have originated myself. Where I have text dumps, he says they are too wordy.

I will take on board most of what he says but I am aware that different experts/auditors on these Standards are likely to have different views of these things. For example, if they come from an information security background they might have a different view to Arthur’s.

So far so good then with ISO 9001. I’ll need to do the same with ISO 14001, getting it down to a similar minimum.

Based on notes from my diary from June 2008.

I am shortly scheduled to attend the Supply London course on writing an Environmental Policy. Assuming the format is the same as the other courses, it will be about writing a policy which should be underpinned by an environmental management system. I don’t really have time to wait for the course. Adrian has told me that there was a Welsh grant to help small businesses achieve accreditation when he was working in Wales. A similar scheme in England could be useful to me.

I contact Supply London HQ and ask for advance copies of the slides for the course, which apparently they can’t give me. However, they do give me the name of the organisation running the course. I speak to Charlotte at www.globalactionplan.org.uk and explain what I am trying to do. Charlotte is helpful and explains that there is an “Acorn scheme” aimed at helping small businesses achieve an environmental standard. Acorn is divided into six stages – the sixth stage of which is equivalent to full 14001 certification.

Charlotte puts me in touch with her colleague James. James is similarly helpful and offers two solutions. He explains that his organisation does run courses on implementing Acorn or ISO 14001 in conjunction with different regional authorities for the benefit of small businesses. There isn’t one in London for another four or five months, but there is one in Taunton next week. My sister lives in Taunton and this is a four-day course which I could attend while staying with her.

The other alternative James offers is one-to-one coaching. He says I would probably need 3 days to cover stages 1 to 3 of the six stages of Acorn. This would comprise the same material as that covered on the courses.

I decide to search around online for other Acorn courses. In the process, I discover the workbook used on this course is available for £50. At first it’s hard to get hold of, but then I order it from the BSI Bookshop in Chiswick. It’s entitled “BS8555 Acorn Scheme Workbook - Phased Implementation of Environmental Management Systems” by Chris Sheldon.

I am confident that this book, some of the material at sovereigncertifcation.com, and the hardcopy of ISO 14001 that has been promised me will enable me to make progress working alone on ISO 14001.

Based on notes from my diary and other records from May 2008.

I take stock of the situation regarding the ISO consultants I have contacted.

Terry Russell of www.iso9001.co.uk replied to my requirements letter today, but it wasn’t encouraging. He said he could supply everything I wanted – and he is UKAS accredited – but didn’t seem that keen to oblige.

He said

(a) your Invitation to Tender asks for copies of work that we have produced for others. I simply will not provide the procedures of any of our clients to another organisation, under any circumstances.
(b) we normally only provide services to applicants who are referred to us by existing clients. You’ll understand that the risks go both ways. If we provide services to you, I need assurance that you are financially sound and are the sort of client that we would want.

I know this sounds very fussy, but we are fussy about our clients. With your timescales, it would not provide me with sufficient time to conduct our checks on your organisation.

Sorry about that.

I phoned Paul from RPPT Associates, but he said that he was too far away and too busy to get involved. He said he could provide coaching from a distance, but he suggested I look for someone more local.

On top of this, some considerable time after sending my written requirements to FXXP there is still no reply from them – despite the fact that Liz said she’d look into it.

So it seems that no-one is interested! 

Is it because:

  • My requirements are out of scope for these consultants?
  • My requirements are too exacting and demanding for them?
  • There isn’t really anyone out there who has done what I am trying to do in the way I am trying to do it?

I like to think and hope it’s the latter – if only because it helps me reverse out of this cul-de-sac to spur myself on.

Based on notes from my diary and other records from April 2008.

My research effort took a significant step forward this morning. Last night, I met up with Adrian, my contact from the “lack of quality” seminar, for a drink. He does seem to know about ISOs and he might be OK at sales. I am considering that he may be worth employing. Still, as a result of last night, he’s sent me a really useful email. It’s a copy of an integrated management system manual for ISO 9001, ISO 14001 and ISO 18001.

This is the most distilled, concise and integrated document I have seen. The requirements of the Standards have been merged to such an extent that it’s not possible to see which elements within the manual correspond to which of the three Standards.

Adrian also sent me a Legal Register, which is apparently required by ISO 14001. This is a huge spreadsheet listing about 100 regulations which can apply to any business. This will have taken somebody ages to prepare. I will need to adapt this to my business, but having it will save me a lot of time. Adrian’s a good guy.

Based on diary entries from April 2008.

In my search for hold-your-hand type consultants, my online searching has uncovered two websites which seem of particular interest – www.sovereigncertification.co.uk and www.iso9000.co.uk.

If you dig into the site a bit, Sovereign has a lot of information and downloads on ISO 9001 and ISO 14001 – but not on ISO 27001. The consultant(s) at www.iso9000.co.uk deal with all three standards – and on the basis of my searching experience, this is unusual.

I speak to Mark Helm, the senior consultant at Sovereign, who is very helpful and sends over a lot of supplementary information. Mark himself operates within a business model of remotely coaching companies through ISO 9001 and ISO 14001 and providing a series of downloadable templates which the client can amend to suit their particular business. The downloads include a sample ISO 9001 manual. This is the first version of one I have seen and I am sure it will be very helpful in deciphering the legalese of the ISO itself into what is practically required within the company.

I also make several unsuccessful attempts to speak to Terry Russell of www.iso9001.co.uk.

Despite this temporary chink of light, I am getting increasingly anxious at the lack of clear progress. So I decide to write down exactly what I want from these consultants – to write a spec. This is what most of the unforthcoming ones have requested. It takes a while, but in the end I come up with the one below.

I write a pretty formal letter and talk about decisions of the Board etc which is in line with the way in which I perceive these “ISO types” communicate!

My letter is thus:

REQUEST FOR INFORMATION ON ISO CONSULTANCY SERVICES

We are writing to you to enquire about your services relating to the acquisition by Data Eliminate Ltd of certain ISO Standards.

ISO CERTIFICATION REQUIREMENTS

Data Eliminate (www.dataeliminate.com) has researched a range of accreditations and standards. With regard to Standards, this has comprised a day of advance consultancy from a UKAS-approved consultant specialising in the security industry, the reading of substantive books on ISO 9001 and ISO 27001, 3 days’ desk research and attendance at 2 courses run by Supply London and participation in its business support scheme. We have also spoken to business associates who have implemented various standards and obtained telephone overviews from a handful of experienced individuals.

On the basis of our research and information to date, the Board has decided that the following should be Data Eliminate’s priorities:

Standards                          Term      Months to first UKAS Inspection
ISO 9001, ISO 14001, ISO 7858      Short     8
ISO 27001                          Medium    14

The Board has concluded that ISO 18001 has no obvious commercial or practical benefit at present and its introduction would be too burdensome at this stage of the company’s development.

Data Eliminate is aware of the type of premises, equipment and personnel it is going to have. The objective is to complete as much Standards-related documentation and planning as is practicable before the company focus shifts to servicing customers. (In saying this, we acknowledge that adhering to Standards is an on-going responsibility).

Our foremost requirement in a supplier of consultancy services is flexibility and the ability to provide services in a way which is compatible with our needs and modus operandi.

We have an intense, fast-moving and thorough approach to the Data Eliminate project and have done considerable homework on this subject. We need a consultant who can take a running start from the position we have already reached.

The purpose of engaging a consultant is to benefit from external advice and experience and to save time and internal resource.

We are aware that many of the Standards’ clauses will not apply to us and that our documentation relating to them can be comparatively concise.  With this in mind, we are seeking the services of a consultant who can provide among other things:

  • A list of the Standards’ elements which are obligatory for all businesses and a separate list for organisations in our line of business.
  • Advice on other non-compulsory elements which may be beneficial to our business in the medium and longer term.
  • Policy, procedure and other templates for the compulsory elements that we can adapt for our own use.
  • Guidance on the wording of Standard elements which are particular to our business.  For example, we believe we have the body of an ISO 9001 Policy Manual of suitable size and style for a business of our size.  However, we require specific advice on the completion of clauses 7.3.1 through 7.3.7.

Before we engage your services, our principal requirement is that we are convinced of your professionalism and efficiency - and that you want our business.

We would also like to be informed of the following - where appropriate in writing:

  • An estimate of consultancy days required from you to help us achieve our short term objectives, over what time period and at what intervals those days will be given. Associated costs and travel expenses.
  • The amount of internal Data Eliminate man days which will be required working in parallel with your consultant(s) and at what intervals.
  • A similar estimate of man days (external and internal)  and costs pertaining to the medium term objective above.
  • An explanation of the work that will be completed by you and that you  will expect Data Eliminate to do.
  • Copies of documents such as policy manuals and procedures you have previously prepared (or extracts therefrom) which you believe are similar in length and style to those you would assist us in developing.
  • A brief outline of your experience in dealing with the above Standards. 
  • Two references from existing customers who we may contact briefly over the phone to confirm the efficacy of your service.
  • The names and brief backgrounds of the person(s) providing the consultancy, when they are able to start the project and advance notification of any absences or unavailability of key personnel over the next 4 months.
  • A copy of your Terms and Conditions.
  • Details of your professional indemnity insurance (if applicable)

Finally,

  • Please acknowledge receipt of this email by close of business on date in 2008 or by phoning Tel: 0845-1234-400. 
  • Responses are required by close of business on xxxx. 
  • Data Eliminate requires UKAS approved certification of its Standards.

If you wish to contact us to discuss the above, please call and speak to me on etc

We look forward to hearing from you.

Regards

Julian Fraser

I feel that this really explains the situation.  I send it to Sovereign Certification, www.iso9001.co.uk,  FXXP Associates and Paul from RPPT Associates – recommended by Adrian.

Based on notes from my diary and other records from April 2008.

I set aside my disappointing contacts with FXXP and RPPT and begin crawling the internet again for companies which cover all three standards and who look like they might not take a massive corporate-scale approach to things. There aren’t (obviously at least) that many of these.

I have decided to make experience of  ISO 27001 the focus of my search for a consultant.  ISO 27001 is much larger and more complex than ISO 9001 and ISO 14001 and requires more detailed expertise.

I have learnt by now the difference between a UKAS-accredited ISO auditor and a self-certified or non-UKAS auditor. The difference is very important, but very few people understand it.

All auditors issue kitemarks to companies they audit. UKAS-approved auditors are third-party monitored and certified by UKAS itself. Other ISO auditors are not independently assessed. The kitemarks issued by each type of auditor look very similar, but they are not of the same value.

Public sector bodies and larger companies, who for the most part know their stuff, will look for the UKAS kitemark. The UKAS ISO kitemark has a crown in it. In fact, one of the companies on the Supply London course did not learn the difference between the UKAS and non-UKAS audit until after they had completed self-certification (under the non-UKAS route) and found it not to be good enough for local councils. They had to re-accredit under UKAS.

There are several companies which offer self-certification (the non-UKAS route). Probably the best known of these is QMA – of whom I am aware because over the years I have received several of their mailers. They offer ISO 9001 for £1,900 or something similar. What they are doing is coaching you on interpreting the ISO and confirming for yourself that you meet the standards. You are then permitted to use a QMA kitemark. This has a big tick in it like other kitemarks but does not have the UKAS crown.

On the BSI site I find a list of approved auditors for ISO 27001. The auditors I am reviewing on the BSI website are all going to be UKAS accredited. However, I am aware that the non-UKAS consultants may well have material that is useful to me in interpreting the ISOs. So I phone BSI, NQA, LRQA (all UKAS accredited) and also QMA for an information pack to see what I get through and how useful it is.

Based on notes from my diary and other records from April 2008.

So I speak to Peter of FXXP and explain how far I have now got. I say that I am after doing ISO 9001, ISO 14001 and ISO 27001. He says that he can only help with ISO 9001, but he’s sure he can sort it pretty quickly. However, I know that he is planning on sorting it with a few simple Word documents and forms which will not fit in with the way I want Data Eliminate to run, integrate with an ERP system etc. He tells me to speak to Liz, which I do.

Liz says FXXP can help with ISO 9001 and ISO 14001 and not with ISO 27001.  She says that if I send her over a spec of exactly what I want then she will get back to me.  (Incidentally, she never does get back to me.)

FXXP represent a frustrating start.  Then out of the blue I receive an email from Adrian – the guy who sat next to me at the “Lack of Quality” seminar.  Adrian says that he knows he was going to email me something but he can’t remember what it was. I can’t remember him saying that he was going to email me anything at all!   However, what he ends up sending over looks very useful. 

He has been talking to an ISO consultant (RPPT Associates) who specialise in doing ISO 9001, ISO 14001 and ISO 18001. ISO 18001 is the Health and Safety standard. Adrian says that RPPT are reasonably priced at about £350 a day, which is an introductory offer. He suggests I give Paul from RPPT a call.

I thank Adrian.  He suggests we meet up for a drink next week.  I accept.

I immediately phone Paul of RPPT and explain my situation to him. When I say I want hand-holding kind of help, he says that he’s really booked up for the next few months, but if I send something over in writing then he’ll see what he can do. NB – Adrian didn’t have the impression that he was this busy. So far neither of these ISO consultants has been very forthcoming. I will write to them with details of what I need, but I don’t hold out much hope.

Based on notes from my diary and other records from April 2008.

I attend the Supply London Seminar on how to write a Quality Policy. We are sitting there for 40 minutes before anything happens. The course materials were not biked over the night before, apparently. There aren’t even any pens and paper to take notes.

Vain attempts are made to get the venue to provide these and also for the receptionist at the venue to receive the course material by email, print them out and then photocopy them. We are told to start introducing ourselves to the person next to us to kill time. The guy next to me is Adrian. Adrian works for an office equipment company and is planning to implement ISO 9001, ISO 14001 and ISO 18001. Adrian has done this before in Wales working for another company. He says he has some stuff that might be useful to me so we exchange details.

I am getting increasingly irritated with the seminar and perhaps visibly so. The seminar is about Quality, and I and my fellow delegates have thought up some great things to say to the course leader about the lack of quality. She, though, takes the wind out of our sails by repeatedly saying what a poor quality performance she is putting on. No-one disagrees.

I suffer for a further two and a half hours once the seminar is underway but I do get the message loud and clear that public sector buyers are concerned with ISO 9001 – the Quality Standard and ISO 14001 – the Environmental Standard.

I have now done two Supply London seminars and there are two to go. Supply London are training us to write policy documents which are required if your company is going to supply to the public sector. What is crucial here is the link between the policy document and the ISO Standard. The one-sided policy documents (e.g. a Quality Policy or an Environmental Policy) should be underpinned by a management system – the structure of which is provided by the relevant ISO.

I originally contacted Supply London to learn how to access the public sector, but doing so has diverted my focus back onto ISOs. Getting access to the public sector is about loads of advance spade work, registering as a supplier on various websites and directories and patient networking. Clearly, if Data Eliminate has the ISOs it will be ahead of the pack.

The importance of this to the business strategy is further underlined by the increasingly parlous state of the economy. Data Eliminate has to be in a position to tender for public sector business as early as is practical.

In light of the Supply London advice and the comment from my Competitor about being only one of two businesses with ISO 27001, the priorities are now ISO 9001 The Quality Standard, ISO 27001 the Information Security Standard and ISO 14001 the Environmental Standard - in that order.

Based on diary entries from April 2008.
