Archive for 'HR Security'

I spend a while looking for a copy of ISO 27001 on the internet and just when I think I have wasted my time, I strike gold. On result 26 of the fourth Google search, a copy of ISO 27001 – all 34 pages of it!

Items containing computer hard drives

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact that I have met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001 which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

I am curious about retaining a management consultant – or at least someone doing something close to that. I have not often been on the receiving end of one but have spent the last few years dispensing advice as just that – a Management Consultant.

Peter arrives with a big plastic folder for me containing the full text of ISO 9001 and BS 7858. This is very naughty – the origin/copyright info is blacked out in the margin. It’s a good start for me though – approximately £180 worth of documents.

I assume that we are going to start going through the standards, read each clause and learn what it means and how it applies to Data Eliminate. Peter has no such plan. He asks me a number of questions – he wants to see copies of customer orders and enquiries. I have none. Eventually he says that doesn’t matter and that we can draft up the necessary documentation.

What astounds me about what Peter did (and charged me £500 for) is its simplicity. That is not a criticism of Peter. He did a full day’s work, was obliging and he knew his subject area – but perhaps in a way which was slightly blinkered. He offers value for money and is an obliging guy. But compared to the type of “management consultancy” I am used to providing – it was so, so simple and based on the reproduction of standard material as opposed to creative thinking.

He had a set of form templates (Word documents) on his laptop – some relating to ISO 9001 and some relating to BS 7858. Some of these are forms you fill in and others are processes. It becomes apparent as Peter goes through these that he is giving a template for the paperwork you need to present to an ISO Auditor to prove you comply.

I am still expecting to go through the ISO requirements and work out how I need to configure Data Eliminate’s accounts, CRM, ERP and customer service workflows and processes so I can accommodate the needs of ISOs. It seems it’s almost the case that if you have a few manual forms you comply.

BS7858 is about vetting your staff’s employment history before they start work. For this you need a documented process which starts something like this:

1. Requirement to Vet security personnel in accordance with BS 7858

2. All applicants must complete an application form and be interviewed

3. Collate completed application forms

4. Set up personnel file

And so on…

It is completely common sensical.

Another document is a Quote Register done in Excel. This features fields which would be collected automatically by the most basic QuickBooks or Sage software package.

ISO 9001 requires you to measure the satisfaction of some (but not all) of your customers? To prove this you have to ask them the question in writing, “Were you satisfied with our service?”, and that’s about it.

As the day progresses, Peter spends increasingly more time working on his own without my input – he is amending more and more templates. He is heading them with “Data Eliminate Ltd” and making minor amendments. I keep expecting in-depth discussions about processes etc. and how they’ll fit in with ERP systems but this doesn’t happen. I take the decision to let Peter provide as many of these forms as possible to maximise my value for money by the time the day is out.

I am given a useful sheet on what to do next for BS7858 which includes the name of a Credit Agency and am advised to register under the Data Protection Act.

By the end of the day I am satisfied that I can move on to look at other aspects of the business idea like the practicalities and machinery for crushing hard drives. What I don’t have is an understanding of the correlation or interpretation of the long, legal-like documents Peter gave me at the start of the meeting (the Standards themselves) with the simple forms he gave me at the end.

Based on an account recorded in my diary from October 2007.

After work I cycle from Moorgate to meet FXXP’s Consultant, Peter. A man in his sixties is waiting outside; he sees me get off my bike and take it into reception for storing in the luggage room. I wait 5 minutes in the lobby but already know that the guy outside is Peter.

I buy Peter a beer (this doesn’t happen often and should be appreciated!) and I explain what I want. He does the basic job of explaining the service he provides. He tells me that most of the work he has done is in personnel security, e.g. security companies who have to vet their staff. This means he knows most about BS7858 and has only done one or two BS8470 Secure Destruction of Confidential Material implementations. Moreover, he explains that the vertical industry standards (like 7858 and 8470) often sit on top of ISO 9001. He says ISO 9001 is a good starting point and recommends we discuss this first, with BS7858 on top.

Despite this good underlying advice, I get the message that he can’t or won’t give me what I want – namely advice about setting up ISO processes for a company which doesn’t as yet (October 07) have any customers. I arrived on a bike, I am not wearing a suit and also he thinks he’s giving me free advice and he’s not going to get paid. He’s also apparently booked out for most of the next month.

During this meeting, I realize that faced with an internet which has been unforthcoming with the kind of information I want – and now a reluctant consultant – I am hitting my head against a brick wall and have to be bold to get what I want and part with some cash to get it.

To end the uncertainty and overcome his reluctance I say to Peter, “Ok, well I’ll take one day’s consultancy and the payment will be cheque on visit.” As if by magic Peter’s pendulum swings from scepticism to a desire to please. I am taken more seriously.

“Do you work Saturday?” I ask. “No, but I can do,” he says. So we are fixed for Saturday coming.

Based on an account recorded in my diary from October 2007.

I have been surfing the internet for hours about BS7858 (Employee Vetting) and BS8470 (Secure Information Destruction). There is plenty of information about generic descriptions of the standards – in other words what they are trying to achieve in terms of security and data destruction and the business case for them. There is no sign of a free copy of the standard itself or any information on what practically one has to do to comply in terms of procedures for computer disposal or WEEE recycling etc.

There are plenty of sites which feature quotes from the standards – it sounds like legalese – but there are no views of the standard as a whole.

There is also little evidence of a central point of contact or a trade association within the UK. Several trails have taken me to the British Security Industry Association which has a broad remit covering anything from night club bouncers through to burglar alarm installers. There is an Information Destruction section and at first this seems like a good potential source of information. On closer investigation, this is much more for established data destruction businesses. I appreciate and understand the BSIA’s reasons for this – but it doesn’t serve me right now.

Based on diary entries from October 2007.