Archive for 'B. ISO 27001'

This morning I am firmly back on the shores of http://www.iso27001security.com/ and looking around again.  Apparently, there’s a discussion forum and a members area which you have to join to access.  The membership criteria are written to deter the unworthy from joining or so to speak.  I write an application which explains I am a management consultant who may be doing this kind of work for clients.  I also say that I could add a review of Alan Calder’s book which I have just read.  I am hoping for an immediate reply but I don’t get one - I’ll have to wait.

Having partially cracked the Statement of Applicability puzzle I am now looking for stuff to help me understand Risk Assessment - or at least risk assessment as it specifically applies to ISO27001.  Continuing with my swimming in the sea analogy, http://www.iso27001security.com/ does seem to be like a desert island with a few trees of fruit in the middle of a vast ocean.  In my analogy, the ocean represents the internet or life (depending on how profound you want to be) and it is devoid of any information about iso27001.

My mind temporarily skips to BBC Radio 4’s Desert Island Discs which I have always listened to and also wanted to play.  I think that if I was marooned on this desert island, I certainly wouldn’t choose the ISO 27001 standard or even a Statement of Applicability to go alongside the Bible and the complete works of Shakespeare.  Might my one luxury on the desert island be a fully certified, UKAS approved integrated management system for a secure data destruction company?  I think not, but I’d love to have one of those on this temperate island (Britain) right now and be at the end of all this!

I have been examining the ISO 27001 Standard Document itself and feeling rather overwhelmed and that I am bashing my head against a brick wall.

I begin to rethink my strategy and flick backwards quickly to page 5.  This is where the ‘Statement of Applicability’ is mentioned.  This ties together the list of Controls and Objectives - the list of practical things one needs to do to implement the standard - with the content of the standard itself, so it’s probably a good place to start.  There is a lot about Risk Assessment before the Statement of Applicability which I don’t understand, but I can come back to that later.  I’ve got the Statement of Applicability as a short term objective - a buoy to swim towards that perhaps I can cling onto for a while.  So I type “Statement of Applicability ISO27001” into Google and start trawling through the results.

Almost immediately I come across http://www.iso27001security.com/.  By its basic but functional design this site just looks like the kind of site that could cut to the chase and ‘deal the deal’.  There are a few scary bits like mentions of other standards, ISO27002 and ISO 27003, but what catches my eye immediately after this is a FREE ISO27k toolkit.  Amazingly, I don’t even have to register on the site to get access to it.

Hard Drives after Destruction.

I spend quite a while opening documents up on the site and reading them.  The documents here have been developed by ISO 27001 implementers and then put up on the site.   This site clearly doesn’t offer a complete toolkit or total solution to my problems but it does give applied examples of certain documents and there is comparatively little in the way of guff.  Most of the contributions are made by two individuals but there are other contributors too.

The fourth document I open off the site is a Statement of Applicability.  This is a blank template - not populated with data - but I still get the gist: even without having seen an actual example of one, I quickly see its primary purpose.  The list is a spreadsheet for all the Controls and Objectives listed in Appendix A of the standard.  There are several columns and notes I don’t understand yet, but clearly what one has to do is go through each of these 120 or so items and record what one has done to cover them off in one’s own organisation.

Against each row there is a “Controls” column, a “Selected Controls” column and a “Reasons for Selection” group of columns.  Reasons for Selection are broken down into four types: ‘LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent’.

On the right there’s a ‘Remarks (Overview of implementation)’ column where one should record the specific action taken to meet the control.  This could be introducing a swipe card system on doors, creating a written policy or implementing a procedure to verify the destruction of hard drives.

I don’t get the whole picture yet, but what I do get is that the ISO 27001 Standard sets a defined series of things called “controls” with which my data destruction company needs to comply.  I will need to go through this list one by one and check that I can practically meet them.
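As an added example, not part of the original post or of the ISO27k toolkit template: a small Python checker for a Statement of Applicability kept as a CSV spreadsheet with the columns described above (control, selected flag, reasons-for-selection codes LR/CO/BR/BP/RRA/TSE, remarks). It flags the gaps an auditor would query: a selected control with no reason or no implementation remark, an excluded control with no recorded justification, an unknown reason code, and any Annex A control with no row at all. The column names, the handful of control ids and the remarks are constructed for the example.

```python
"""Added example (not from the original post or the ISO27k toolkit): a checker
for a Statement of Applicability kept as a CSV spreadsheet.

The layout follows the template described above: one row per Annex A control,
a Selected flag, one or more Reasons for Selection codes and a Remarks
(overview of implementation) column.  Column names, the control subset and the
remarks are assumptions constructed for the example."""
import csv
import io
from typing import Dict, List, Tuple

# Reason-for-selection codes as listed in the template.
VALID_REASONS = {"LR", "CO", "BR/BP", "RRA", "TSE"}

# Constructed sample rows; the remarks are illustrative, not a real company's.
SAMPLE_SOA = """\
control_id,control,selected,reasons,remarks
A.5.1.1,Information security policy document,Y,BR/BP;LR,Policy signed by the MD and published on the company website
A.6.1.5,Confidentiality agreements,Y,CO,NDA template signed by all staff and contractors
A.6.1.6,Contact with authorities,Y,,
A.6.1.7,Contact with special interest groups,N,,
A.9.1.1,Physical security perimeter,Y,XX,Swipe card system on all doors to the processing area
"""


def parse_soa(text: str) -> List[Dict]:
    """Parse CSV text into one dict per control with normalised fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = [r.strip() for r in row["reasons"].split(";") if r.strip()]
        rows.append({
            "control_id": row["control_id"].strip(),
            "control": row["control"].strip(),
            "selected": row["selected"].strip().upper() == "Y",
            "reasons": reasons,
            "remarks": row["remarks"].strip(),
        })
    return rows


def check_soa(rows: List[Dict]) -> List[Tuple[str, str]]:
    """Return (control_id, finding) pairs for rows an auditor would query:
    unknown reason codes, selected controls with no reason or no remark,
    and excluded controls with no recorded justification."""
    findings = []
    seen = set()
    for r in rows:
        cid = r["control_id"]
        if cid in seen:
            findings.append((cid, "duplicate control row"))
        seen.add(cid)
        unknown = [x for x in r["reasons"] if x not in VALID_REASONS]
        if unknown:
            findings.append((cid, "unknown reason code(s): " + ", ".join(unknown)))
        if r["selected"]:
            if not r["reasons"]:
                findings.append((cid, "selected but no reason for selection"))
            if not r["remarks"]:
                findings.append((cid, "selected but no implementation remark"))
        elif not r["remarks"]:
            # An excluded control still needs its justification recording.
            findings.append((cid, "excluded without a recorded justification"))
    return findings


def missing_controls(rows: List[Dict], expected_ids: List[str]) -> List[str]:
    """Annex A controls from the expected list that have no row at all."""
    present = {r["control_id"] for r in rows}
    return [cid for cid in expected_ids if cid not in present]


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    for cid, finding in check_soa(soa):
        print(f"{cid}: {finding}")
    # Constructed subset of Annex A ids to illustrate the coverage check.
    print("missing:", missing_controls(soa, ["A.5.1.1", "A.6.1.4", "A.6.1.5", "A.6.1.6"]))
```

Run against the sample rows it reports A.6.1.6 twice (no reason, no remark), A.6.1.7 once (excluded with nothing recorded) and A.9.1.1 once (unknown code XX), which is exactly the "go through each item and record what you did" discipline the template imposes, with the gaps made visible before an auditor finds them.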

The buoy I spotted in the distance has turned out to be a rubber ring.  Thanks to this I am now riding higher in the water and it is time to float home for the night.

So begins a refreshed effort to find the practical or working examples of how to implement 27001 which have so far evaded me. What does it mean for the way my shredding business should handle personal data and comply with legislation such as the Data Protection Act and the WEEE Directive?

I start to give Google a pummelling. There really aren’t many links that look like they are going to give me what I want. So I end up going very deep – to search results 80 and above and opening tens of documents including ones on information assurance, the Cabinet Office and risk management - in pursuit of my goal.

What I really want to find is an Information Security Manual for a small or mid-size organisation which somebody has published on their website – one which is a bit more friendly than the one from the IT Governance Toolkit trial. I am aware that organisations shouldn’t publish such things on their website – particularly those involved in security – as letting the public know about their security systems obviously isn’t a good idea. But I am expecting to find something out there in cyberspace – you can find almost anything else!

The first useful looking document is an Information Security Manual produced by the Pennine Care NHS Trust. This is clearly the kind of thing that I am looking for but it doesn’t strike me as particularly friendly. The first two sides are about “Policy Document Control” and then the index comprises pages 3-5. I have seen this kind of thing before from the Cabinet Office and CESG. The first actual prose appears on page 6:

“1. INTRODUCTION

1.1 The Trust has a duty to protect its information assets and thus to ensure business continuity and minimise the adverse effects of security incidents. Information assets and the IT systems that support them are becoming increasingly more vulnerable as the potential for wider accessibility is facilitated via more powerful computers and communications networks.

1.2 Any loss of the ability to access information could have a significant effect on the efficient operation of the Trust and may result in an inability to provide services to patients and financial loss to the Trust.”

These are to me statements of the very obvious, the like of which feature widely in many ISO 27001 documents I have seen. I know they have to be there but doesn’t their continued use and repetition run the risk of making the user, who should be interested in their content, just switch off?

The document continues for 47 pages. There are guidelines here for information assurance practices including the setting of passwords and controlling access to buildings. However, it’s difficult to determine the structure of the document and how it fits into an overall framework. It is on the right lines of what I am looking for but it is for a very sizeable organisation. I move on.

The next document which catches my eye is an Information Security Business Manual from NHS Wales. This is in Word and is clearly a template with blanks or red text which can be filled in by different NHS branch offices to suit their needs. It’s a lot shorter than the Pennine document at only 24 pages.

Some terms used are very familiar such as “Senior Management Team”. We then get onto “ISMS Operational Forum Membership” which sounds very corporate and, stone me, the Plan/Do/Check/Act (PDCA) model, with a little chart, makes an appearance on Page 10!

The good thing about this document though is its length. It has some slightly scary headings such as those mentioned above but it strikes me (although I can’t be sure) that somebody has spent a lot of time simplifying things and reducing them down to produce a very well put together template that will save an NHS departmental manager a lot of time in producing an Information Security Manual. Whether the person producing the manual would understand what they were doing beyond filling in the blanks I am not sure. In other words, this document is a bit like doing dot to dot. You join the dots (or fill in the blanks) but can you see the whole picture when you’re finished? Ok, not exactly what I want, but I keep it because it could be useful.

I am aware that the NHS has a lot of data handling procedures and its computers hold a lot of personal data. No central, London based government department seems to have produced similar guidance. The NHS is a good potential customer for our CCT Mark Certified service which we have just formally submitted to CESG and the Cabinet Office as our “Secure Destruction of Data on Hard Drives and Magnetic Media v1.0”!

Based on diary entries from June 2008.

I continue working my way through the ISO 27001 Standard Document.  When I look at Appendix A, it appears I may be about to make a breakthrough in terms of understanding.  The title is Controls and Objectives.  For the first time this looks like a list of practical things one has to do to comply with the ISO 27001 Information Security standard.

For example, at A.5.1.1 it declares “An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.”  What this practically means is that at a minimum I need to find a model Information Security policy, insert my company’s name, sign it and stick it up on the company website and wahey - route one compliance with A5.1.1!  To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company.  I am starting to understand what is practically being asked for by ISO 27001, the information security standard.

The next four controls up to A6.1.3 aren’t as easy as A5.1.1, but they could be met with a bit of thought and paperwork.  I turn the page and there are more controls.

A6.1.4 says I need an authorization process for new information processing facilities.  I get this, but how do I do it in a small organisation?  Does this mean a mandatory testing process for any new bit of kit or software?  Would my company have the resources for that?  Maybe it would just apply to secure data erasure software or hard drive destruction equipment.

A6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place which is fair enough and clearly understood.

A6.1.6 and A6.1.7 require the maintenance of contacts with authorities and special interest groups in security forums or specialist associations.  I don’t know what this means in practice though.  What kind of authorities are they talking about?  Does this mean government, police or what?  Is one meant to have meetings with them?  I am also not part of any security related professional associations - and, if I was going to be, which ones should I try and be a member of?  And again, what does “maintain contact” mean exactly?

Having recently been spurred on by the appearance of my “Control of Documents and Records” friends I am now getting bogged down again.  I wonder what lies in the pages ahead.  So I turn over and see more controls. I turn again and there are more.  And again - more.  I gulp - it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.

I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives - I am just looking at the page numbers now - closer focus is detrimental to my well-being.  The wave is right on top of me - what do I do to escape?

I am now used to looking at the ISO 9001 Standard document itself.  The ISO 27001 Standard document I have is 36 pages long as opposed to 20 pages for the ISO 9001 Standard.  We’ve got even more Plan, Do, Check, Act in the ISO 27001 document.  However, I soon suss out that the key bit we are looking at is Clause 4 onwards.

To start with, Clause 4 is pretty similar to the corresponding clause in ISO 9001.  4.2.1a talks about the establishment of an Information Security policy suitable for the business and a scope.  I guess I can get my head around this.

4.2.1c is more problematic.  I am told to “define a risk assessment methodology for my organisation” and “develop criteria for accepting risks and identify the acceptable levels of risks”.  I just have a limited concept of what is involved here.  This sounds like a job for McKinsey or Accenture but not me.  The ISO 27001 Standard says more information about Risk Assessment Methodologies can be found in “ISO/IEC TR 13335 - Guidelines for the management of IT Security - Techniques for the Management of IT Security”.  There is no way I am going to be a sucker for that document!  I’d rather stick my head in the hard disk crusher!

I can feel myself sinking lower in the water and looking up at this massive wave towering above me made of long words, jargon and confusion.  Around this mix an information security industry has been built which comprises lots of people who make money regurgitating long words which few outsiders understand.  Right now the wave is looking really big - and it’s about to swamp my enthusiasm - for today at least.

Back to the ISO 27001 Standard - when I have done a risk assessment, I then have to treat the risks.  This involves “selecting control objectives and controls”.  What are those?  No idea.

Next I’ve got to prepare a Statement of Applicability in which I must apparently list my controls and my control objectives and give my reasons for selecting them.  My problem here is that I need an example of a Statement of Applicability - to see the PRACTICAL implementation of all this.  Information on this still seemingly cannot be found anywhere.

My brain and vision are blurred by the time I turn over to page 6.  I am not reading every sentence, just kind of prodding the content with my eyes to see how painful it might be.  But these bits, namely 4.2.2 through 4.3.1, are broadly familiar.  They are talking about implementing the ISMS, monitoring and reviewing it and maintaining it.

And blow me, over the page is my old friend “Control of Documents”.  And I am not being sarcastic - when you read him he might be one of the most boring friends I know but, right now, I am really pleased to see him.  He’s hanging out with another buddy, “Control of Records”.  This is okay; I now understand what these guys are about.

The next couple of pages aren’t so bad either - though I am skimming quite fast now - improvements to the system, preventative and corrective action etc.  I want to keep my hard disk shredding company as straightforward as possible. These could be called problems (Non Conformities), temporary fixes (Corrective Action) and solutions (Preventative Action), could they not?  Life could be simpler if these people wanted it to be!!

My information sources for developing an ISO 14001 manual include:

• A copy of the Standard itself (which arrived by email a couple of days ago)
• My Arthur-shredded or approved Compact 9001 Manual
• The Acorn Course Book which cost me £50
• A handout written by NQA, the UKAS approved system auditors, but actually given to me by Adrian.

I begin by creating a complete stand alone ISO 14001 manual – even though I know there is going to be duplication between ISO 9001 and ISO 14001. This way might seem more long-winded but I need to learn each standard one at time before I merge them. Otherwise it gets too confusing and complicated.

Sovereign Certification provides a useful but wordy version of an ISO 14001 manual. For Data Eliminate’s version, I exclude from the first section of my ISO 14001 manual all Sovereign’s wording which is similar or equivalent to what Arthur deleted from my ISO 9001 manual.

I still find it hard to make sense of the “Interaction of Processes” – but I think it’s probably because it is so simple I can’t understand it - if you know what I mean. The examples of Interaction of Processes charts I have are more concerned with the process of implementing the environmental standard (Plan, Do, Check, Act I suppose) rather than featuring specific Data Eliminate customer service processes.

I work out a number of things in order to keep the ISO 14001 documentation to a minimum. The first is that the six standard procedures required by ISO 14001 (Corrective Action, Preventative Action etc) are almost identical to those required for ISO 9001. In addition, you need a Training Needs Assessment Form to track training you believe your employees need to fill skill gaps. To complement this, you need a Training Record Form to record the details of the actual training.

When compared to the Quality Policy, the Environmental Policy is different in focus but much the same in style. As was the case with ISO 9001, thanks to Supply London I had a morning’s lesson in how to write a policy. However, one could have used someone else’s and created one in a few minutes by making some very minor changes.

Then we get onto the bits which are not part of ISO 9001 but which ISO 14001 requires. These include:

• An Environmental Aspects Register
• An Environmental Aspects Analysis
• A Register of Applicable Laws and Regulations
• A Risk Assessment Methodology

I also add some questions to the Supplier Questionnaire which is already part of my ISO 9001 manual and some items to the Management Review Agenda. The Environmental Policy has to be on our web site with contact details for the manager responsible. We also need documented environmental objectives.

The first version of my Environmental Management System manual is 25 pages long – a lot more compact than my 53 page long ISO 9001 Quality Manual first starter effort.

I then spend an hour or so removing the items from my ISO 14001 manual that are duplicated in my Arthur approved ISO 9001 manual. After that the Environmental Manual is down to about 14 pages.

Things are coming together nicely. ISO 9001 and ISO 14001 are integrated. I will now need to merge ISO 27001 with them.

I contact Arthur to arrange another session. This time I am going to get him to review my combined manual for ISO 9001 and ISO 14001.   I hope that I have pre-weeded it this time so that he doesn’t need to tear it apart or tell me I like detail.  If he does that again after all this effort it will take more than one flapjack in my mouth to keep me quiet!

Based on notes from my diary from June 2008.

I spend a while looking for a copy of ISO 27001 on the internet and just when I think I have wasted my time, I strike gold. On result 26 of the fourth Google search, a copy of ISO 27001 – all 34 pages of it!

Items containing computer hard drives

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact that I have met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001 which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

In the last three days I have been to two Supply London workshops.

The first was the Environmental Workshop. This was a real basic level course aimed at getting you to think about the environmental aspects of your business. I feel good when I understand where it fits into the overall ISO 14001 accreditation process. It only covers the very early part of the Acorn book. Including the book, I am now in possession of a significant amount of information on ISO 14001 which I have accrued by my own research and feel I understand what is required.

Computer media including data tapes must be properly recycled.

The second Supply London event I attended is about Winning Public Sector Business. It’s the third out of the four free courses I get from Supply London and I have been told by other delegates who have already done this one that this is the best course.  (None of these provide hard disk destruction services.)

Things get underway at about 9.30 and go through until about 3. This is the first course where we don’t spend the day thinking about policies and being introduced to real common denominator level concepts. Most of the slides/talk was about material I didn’t know.

We are given lots of really useful information including a great 58 page printed A4 booklet. At the back was a list of London councils and the way they took quotes and tenders for different values of contracts from the small under £5k, to the biggies over £144k which apparently have to be offered to all EU companies under some directive.

The course explained what councils typically look for in a supplier. The basic one is that they have the right balance of skills and experience. Companies are unlikely to win a contract which is worth more than a quarter of their existing turnover. Supply London gave a check list to measure one’s fitness to supply.

This course just confirms the importance of the ISOs and why they have to be tackled. I made sure I took a second copy of the course material from the empty seat next to me. In 17 years of running and being involved in businesses this is the most useful free handout or course I have had from the government. I can’t believe I am saying this considering the grief government generally causes business!

Based on notes from my diary from June 2008.

Chapter 7 of A Manager’s Guide to Data Security and ISO27001/ISO27002 is about countering risks from external parties. Subsequent chapters cover different subjects and the book moves on to giving informed and solid advice about what one should consider in determining how to secure one’s organisation under each of these headings. It breaks down the options clearly and it gives links to further information from directly within the text as opposed to having to hop to an appendix the whole time. It tells you what to consider, where to get information and how to balance priorities.

It gives very little in the way of examples of how these factors have been assessed and applied in a particular situation and the resulting policy, control or document that arises. This is what is preventing me from getting a clear picture of what I need to do from Mr Calder’s book or any other sources. I know enough about IT and about running businesses to see the value in these chapters but I need hard examples to cement my understanding.

I remain unable to picture exactly what the Risk Assessment or Statement of Applicability should look like in reality from the description in Mr Calder’s book. It is a well written book but at this stage it is of limited help to me.

Continuing to plough through the book isn’t going to get me where I want to be so I am going to need to look elsewhere for these hard examples.

Based on notes from my diary from June 2008.

I had an automated email from Alan Calder the author of the IT Governance Toolkit today. Alan tells me that I get five times more content in the full version. Well that’s shrunk by half from a couple of days ago. “Maybe he’ll reduce his prices accordingly,” I think fleetingly. Then I realize the follow up email adds some value but he’s really just stoking up the pressure so that I buy the Toolkit.

Chapter 4 of A Manager’s Guide to Data Security and ISO27001/ISO27002 is about the organisation of information security. I am beginning to see the value in this book. Mr Calder does a thorough job in explaining the various individuals and committees or groups who will have responsibilities for the implementation of an ISMS in a large organisation. He explains what their roles should be and the competences required. Also buried in the text are some references or web links for further information. For example, he mentions the 3 magazines he believes to be the most useful magazines to read: SC Magazine, Infosecurity Today and Information Security. This is really, really useful up to date information.

The difficulty for me is that most of this information is not relevant to me. I am not running a large corporate but a business which will only have a handful of employees to start. I still need to know what practically I have to do to get this certification or whether it just isn’t going to be possible.

The title of chapter 6 is more promising. It’s about two things I don’t have much experience of – Risk Assessment and Statement of Applicability.

There are a few sentences that spring out from the page. These include: “for every control that the organisation might implement, the calculation would be that the cost of implementation would be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation”. In other words there is a clear indication of a “reasonableness” judgement here. In that case a small organisation might be excused from certain requirements on account of its size. I have been told that ISOs can apply to any organisation. However, I am not sure if there are actually minimum technical or staffing requirements which must be met and, if so, what are they?

Mr Calder then goes on about Quantitative Risk Analysis and its Elements. I switch off again – if only he’d give an example of one he did before (like Blue Peter) then I’d grasp it so much more quickly than I would reading the theory behind the process and a description of it with no example to hand.
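Quantitative risk analysis is usually expressed with three quantities: single loss expectancy (SLE, the cost of one occurrence), annualised rate of occurrence (ARO) and annual loss expectancy (ALE = SLE × ARO). Below, as an added example (not Mr Calder’s own and not from the original post), the cost/benefit test quoted above is worked through with those quantities for one constructed risk and three candidate controls; a margin above 1 stands in for “preferably significantly”. The risk, the controls and every figure are assumptions made up for the illustration.

```python
"""Added example (not from the book or the original post): the cost/benefit test
for selecting a control, worked through with the usual quantitative risk
analysis quantities.  ALE = SLE x ARO is the standard formula; the scenario,
the candidate controls and all the figures below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: estimated cost of one occurrence (GBP)
    aro: float  # annualised rate of occurrence: expected occurrences per year

    def ale(self) -> float:
        """Annual loss expectancy: what the risk is expected to cost per year."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float                 # implementation plus running cost per year (GBP)
    aro_after: float                   # expected occurrences per year with the control in place
    sle_after: Optional[float] = None  # loss per occurrence with the control; None = unchanged


def annual_benefit(risk: Risk, control: Control) -> float:
    """Reduction in annual loss expectancy the control buys (losses avoided)."""
    sle_after = risk.sle if control.sle_after is None else control.sle_after
    return risk.ale() - sle_after * control.aro_after


def net_value(risk: Risk, control: Control) -> float:
    """Benefit minus cost; positive means the control pays for itself."""
    return annual_benefit(risk, control) - control.annual_cost


def select_controls(risk: Risk, candidates: List[Control], margin: float = 1.0) -> List[Control]:
    """Controls whose annual benefit is at least `margin` times their annual cost,
    best net value first.  A margin above 1 encodes 'preferably significantly'."""
    chosen = [c for c in candidates if annual_benefit(risk, c) >= margin * c.annual_cost]
    return sorted(chosen, key=lambda c: net_value(risk, c), reverse=True)


# Constructed scenario for a small data destruction company (figures are illustrative).
DRIVE_LEAK = Risk("Customer data recovered from a drive that left the site un-wiped",
                  sle=20_000, aro=0.5)

CANDIDATES = [
    Control("Documented erasure procedure with verification and signed certificate",
            annual_cost=1_500, aro_after=0.125),
    Control("Swipe-card access to the processing area",
            annual_cost=2_000, aro_after=0.25),
    Control("Full-time information security officer",
            annual_cost=40_000, aro_after=0.0625),
]

if __name__ == "__main__":
    print(f"Current ALE: GBP {DRIVE_LEAK.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name}: benefit GBP {annual_benefit(DRIVE_LEAK, c):,.0f}, "
              f"net GBP {net_value(DRIVE_LEAK, c):,.0f}")
    for c in select_controls(DRIVE_LEAK, CANDIDATES, margin=2.0):
        print("select:", c.name)
```

Running the block prints the current ALE, each control’s benefit and net value, and the controls that pass at a margin of 2; the full-time officer fails because its cost dwarfs the losses it avoids, which is the reasonableness judgement the passage describes, and the same arithmetic is what would let a small organisation justify leaving such a control out of its Statement of Applicability.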

Key sentence number two: “Controls are countermeasures to risks.” Great, nice, concise …. but it doesn’t stay simple for long. Controls can either be directive, preventative, detective, corrective or recovery controls.

Key sentence number 3: “the Standard.. requires the organisation to select appropriate control objectives and controls …it clearly invites organisation to do this exhaustively..” The word “invite” normally has an enjoyable indirect object, I think to myself, e.g. a party. It doesn’t here.

Based on notes from my diary from May 2008.
