Archive for 'The 27001 Manual'

I have been examining the ISO 27001 Standard Document itself and feeling rather overwhelmed and that I am bashing my head against a brick wall.

I begin to rethink my strategy and flick backwards quickly to page 5.  This is where the ‘Statement of Applicability’ is mentioned.  This ties together the list of Controls and Objectives - the list of practical things one needs to do to implement the standard - with the content of the standard itself, so it’s probably a good place to start.  There is a lot about Risk Assessment before the Statement of Applicability which I don’t understand, but I can come back to that later.  I’ve got the Statement of Applicability as a short term objective - a buoy to swim towards that perhaps I can cling onto for a while.  So I type “Statement of Applicability ISO27001” into Google and start trawling through the results.

Almost immediately I come across http://www.iso27001security.com/.  By its basic but functional design this site just looks like the kind of site that could cut to the chase and ‘deal the deal’.  There are a few scary bits like mentions of other standards, ISO27002 and ISO27003, but what catches my eye immediately after this is a FREE ISO27k toolkit.  Amazingly, I don’t even have to register on the site to get access to it.

Hard Drives after Destruction.

I spend quite a while opening documents up on the site and reading them.  The documents here have been developed by ISO 27001 implementers and then put up on the site.   This site clearly doesn’t offer a complete toolkit or total solution to my problems but it does give applied examples of certain documents and there is comparatively little in the way of guff.  Most of the contributions are made by two individuals but there are other contributors too.

The fourth document I open off the site is a Statement of Applicability.  This is a blank template - not populated with data - but I still get the gist.  More than having seen an actual example of one, I quickly see its primary purpose.  The list is a spreadsheet of all the Controls and Objectives listed in Appendix A of the standard.  There are several columns and notes I don’t understand yet, but clearly what one has to do is go through each of these 120 or so items and record what one has done to cover them off in one’s own organisation.

Against each row is a “Controls” column, a “Selected Controls” column and a “Reasons for Selection” group of columns.  Reasons for Selection are broken down into four types: ‘LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent’.

On the right there’s a ‘Remarks (Overview of implementation)’ column where one should record the specific action taken to meet the control.  This could be introducing a swipe card system on doors, creating a written policy or implementing a procedure to verify the destruction of hard drives.

I don’t get the whole picture yet, but what I do get is that the ISO 27001 Standard sets a defined series of things called “controls” with which my data destruction company needs to comply.  I will need to go through this list one by one and check that I can practically meet them.

The buoy I spotted in the distance has turned out to be a rubber ring.  Thanks to this I am now riding higher in the water and time to float home for the night.

So begins the start of a refreshed effort to find the practical or working examples of how to implement 27001 which have so far evaded me. What does it mean for the way my shredding business should handle personal data and comply with legislation such as the Data Protection Act and the WEEE Directive?

I start to give Google a pummelling. There really aren’t many links that look like they are going to give me what I want. So I end up going very deep – to search results 80 and above and opening tens of documents including ones on information assurance, the Cabinet Office and risk management - in pursuit of my goal.

What I really want to find is an Information Security Manual for a small or mid-size organisation which somebody has published on their website – one which is a bit more friendly than the one from the IT Governance Toolkit trial. I am aware that organisations shouldn’t publish such things on their website – particularly those involved in security – as letting the public know about their security systems obviously isn’t a good idea. But I am expecting to find something out there in cyberspace – you can find almost anything else!

The first useful looking document is an Information Security Manual produced by the Pennine Care NHS Trust. This is clearly the kind of thing that I am looking for but it doesn’t strike me as particularly friendly. The first two sides are about “Policy Document Control” and then the index comprises pages 3-5. I have seen this kind of thing before from the Cabinet Office and CESG. The first actual prose appears on page 6:

“1. INTRODUCTION

1.1 The Trust has a duty to protect its information assets and thus to ensure business continuity and minimise the adverse effects of security incidents. Information assets and the IT systems that support them are becoming increasingly more vulnerable as the potential for wider accessibility is facilitated via more powerful computers and communications networks.

1.2 Any loss of the ability to access information could have a significant effect on the efficient operation of the Trust and may result in an inability to provide services to patients and financial loss to the Trust.”

These are to me statements of the very obvious, the like of which feature widely in many ISO 27001 documents I have seen. I know they have to be there but doesn’t their continued use and repetition run the risk of making the user, who should be interested in their content, just switch off?

The document continues for 47 pages. There are guidelines here for information assurance practices including the setting of passwords and controlling access to buildings. However, it’s difficult to determine the structure of the document and how it fits into an overall framework. It is on the right lines of what I am looking for but it is for a very sizeable organisation. I move on.

The next document which catches my eye is an Information Security Business Manual from NHS Wales. This is in Word and is clearly a template with blanks or red text which can be filled in by different NHS branch offices to suit their needs. It’s a lot shorter than the Pennine document at only 24 pages.

Some terms used are very familiar, such as “Senior Management Team”. We then get onto “ISMS Operational Forum Membership” which sounds very corporate and, stone me, the Plan/Do/Check/Act (PDCA) model with a little chart makes an appearance on Page 10!

The good thing about this document though is its length. It has some slightly scary headings such as those mentioned above but it strikes me (although I can’t be sure) that somebody has spent a lot of time simplifying things and reducing them down to produce a very well put together template that will save an NHS departmental manager a lot of time in producing an Information Security Manual. Whether the person producing the manual would understand what they were doing beyond filling in the blanks I am not sure. In other words, this document is a bit like doing dot to dot. You join the dots (or fill in the blanks) but can you see the whole picture when you’re finished? Ok, not exactly what I want, but I keep it because it could be useful.

I am aware that the NHS has a lot of data handling procedures and its computers hold a lot of personal data. No central, London based government department seems to have produced similar guidance. The NHS are a good potential customer for our CCT Mark Certified service, which we have just formally submitted to CESG and the Cabinet Office as our “Secure Destruction of Data on Hard Drives and Magnetic Media v1.0”!

Based on diary entries from June 2008.

I continue working my way through the ISO 27001 Standard Document.  When I look at Appendix A, it appears I may be about to make a breakthrough in terms of understanding.  The title is Controls and Objectives.  For the first time this looks like a list of practical things one has to do to comply with the ISO 27001 Information Security standard.

For example, at A.5.1.1 it declares “An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.”  What this practically means is that at minimum I need to find a model Information Security policy, insert my company’s name, sign it and stick it up on the company website and wahey - route one compliance with A5.1.1!  To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company.  I am starting to understand what is practically being asked for by ISO 27001, the information security standard.

The next four controls up to A6.1.3 aren’t as easy as A5.1.1, but they could be met with a bit of thought and paperwork.  I turn the page and there are more controls.

A6.1.4 says I need an authorization process for new information processing facilities.  I get this, but how do I do it in a small organisation?  Does this mean a mandatory testing process for any new bit of kit or software?  Would my company have the resources for that?  Maybe it would just apply to secure data erasure software or hard drive destruction equipment.

A6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place which is fair enough and clearly understood.

A6.1.6 and A6.1.7 require the maintenance of contacts with authorities and special interest groups in security forums or specialist associations.  I don’t know what this means in practice though.  What kind of authorities are they talking about?  Does this mean government, police or what?  Is one meant to have meetings with them?  I am also not part of any security related professional associations - and, if I was going to be, which ones should I try and be a member of?  And again, what does “maintain contact” mean exactly?

Having recently been spurred on by the appearance of my “Control of Documents and Records” friends I am now getting bogged down again.  I wonder what lies in the pages ahead.  So I turn over and see more controls. I turn again and there are more.  And again - more.  I gulp - it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.

I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives - I am just looking at the page numbers now - closer focus is detrimental to my well-being.  The wave is right on top of me - what do I do to escape?

My information sources for developing an ISO 14001 manual include:

• A copy of the Standard itself (which arrived by email a couple of days ago)
• My Arthur-shredded or approved Compact 9001 Manual
• The Acorn Course Book which cost me £50
• A Handout provided written by NQA, the UKAS approved system auditors, but actually given to me by Adrian.

I begin by creating a complete stand alone ISO 14001 manual – even though I know there is going to be duplication between ISO 9001 and ISO 14001. This way might seem more long-winded but I need to learn each standard one at time before I merge them. Otherwise it gets too confusing and complicated.

Sovereign Certification provides a useful but wordy version of an ISO 14001 manual. For Data Eliminate’s version, I exclude from the first section of my ISO 14001 manual all Sovereign’s wording which is similar or equivalent to what Arthur deleted from my ISO 9001 manual.

I still find it hard to make sense of the “Interaction of Processes” – but I think it’s probably because it is so simple I can’t understand it - if you know what I mean. The examples of Interaction of Processes charts I have are more concerned with the process of implementing the environmental standard (Plan, Do, Check, Act I suppose) rather than featuring specific Data Eliminate customer service processes.

I work out a number of things in order to keep the ISO 14001 documentation to a minimum. The first is that the six standard procedures required by ISO 14001 (Corrective Action, Preventative Action etc) are almost identical to those required for ISO 9001. In addition, you need a Training Needs Assessment Form to track training you believe your employees need to fill skill gaps. To complement this, you need a Training Record Form to record the details of the actual training.

When compared to the Quality Policy, the Environmental Policy is different in focus but much the same in style. As was the case with ISO 9001, thanks to Supply London I had a morning’s lesson in how to write a policy. However, one could have used someone else’s and created one in a few minutes by making some very minor changes.

Then we get onto the bits which are not part of ISO 9001 but which ISO 14001 requires. These include:

• An Environmental Aspects Register
• An Environmental Aspects Analysis
• A Register of Applicable Laws and Regulations
• A Risk Assessment Methodology

I also add some questions to the Supplier Questionnaire, which is already part of my ISO 9001 manual, and some items to the Management Review Agenda. The Environmental Policy has to be on our web site with contact details for the manager responsible. We also need documented environmental objectives.

The first version of my Environmental Management System manual is 25 pages long – a lot more compact than my 53 page long ISO 9001 Quality Manual first starter effort.

I then spend an hour or so removing the items from my ISO 14001 manual that are duplicated in my Arthur approved ISO 9001 manual. After that the Environmental Manual is down to about 14 pages.

Things are coming together nicely. ISO 9001 and ISO 14001 are integrated. I will now need to merge ISO 27001 with them.

I contact Arthur to arrange another session. This time I am going to get him to review my combined manual for ISO 9001 and ISO 14001.   I hope that I have pre-weeded it this time so that he doesn’t need to tear it apart or tell me I like detail.  If he does that again after all this effort it will take more than one flapjack in my mouth to keep me quiet!

Based on notes from my diary from June 2008.

I spend a while looking for a copy of ISO 27001 on the internet and just when I think I have wasted my time, I strike gold. On result 26 of the fourth Google search, a copy of ISO 27001 – all 34 pages of it!

Items containing computer hard drives

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact that I have met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001 which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

In the last three days I have been to two Supply London workshops.

The first was the Environmental Workshop. This was a real basic level course aimed at getting you to think about the environmental aspects of your business. I feel good when I understand where it fits into the overall ISO 14001 accreditation process. It only covers the very early part of the Acorn book. Including the book, I am now in possession of a significant amount of information on ISO 14001 which I have accrued by my own research and feel I understand what is required.

Computer media including data tapes must be properly recycled.

The second Supply London event I attended is about Winning Public Sector Business. It’s the third out of the four free courses I get from Supply London and I have been told by other delegates who have already done this one that this is the best course.  (None of these provide hard disk destruction services.)

Things get underway at about 9.30 and go through until about 3. This is the first course where we don’t spend the day thinking about policies and being introduced to real common denominator level concepts. Most of the slides/talk was about material I didn’t know.

We are given lots of really useful information including a great 58 page printed A4 booklet. At the back was a list of London councils and the way they took quotes and tenders for different values of contracts from the small under £5k, to the biggies over £144k which apparently have to be offered to all EU companies under some directive.

The course explained what councils typically look for in a supplier. The basic requirement is that they have the right balance of skills and experience. Companies are unlikely to win a contract which is worth more than a quarter of their existing turnover. Supply London gave a checklist to measure one’s fitness to supply.

This course just confirms the importance of the ISOs and why they have to be tackled. I made sure I took a second copy of the course material from the empty seat next to me. In 17 years of running and being involved in businesses this is the most useful free handout or course I have had from the government. I can’t believe I am saying this considering the grief government generally causes business!

Based on notes from my diary from June 2008.

I had an automated email from Alan Calder the author of the IT Governance Toolkit today. Alan tells me that I get five times more content in the full version. Well that’s shrunk by half from a couple of days ago. “Maybe he’ll reduce his prices accordingly,” I think fleetingly. Then I realize the follow up email adds some value but he’s really just stoking up the pressure so that I buy the Toolkit.

Chapter 4 of A Manager’s Guide to Data Security and ISO27001/ISO27002 is about the organisation of information security. I am beginning to see the value in this book. Mr Calder does a thorough job in explaining the various individuals and committees or groups who will have responsibilities for the implementation of an ISMS in a large organisation. He explains what their roles should be and the competences required. Also buried in the text are some references or web links for further information. For example, he mentions the 3 magazines he believes to be the most useful to read: SC Magazine, Infosecurity Today and Information Security. This is really, really useful up to date information.

The difficulty for me is that most of this information is not relevant to me. I am not running a large corporate but a business which will only have a handful of employees to start. I still need to know what practically I have to do to get this certification or whether it just isn’t going to be possible.

The title of chapter 6 is more promising. It’s about two things I don’t have much experience of – Risk Assessment and Statement of Applicability.

There are a few sentences that spring out from the page. These include: “for every control that the organisation might implement, the calculation would be that the cost of implementation would be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation”. In other words there is a clear indication of a “reasonableness” judgement here. In that case a small organisation might be excused from certain requirements on account of its size. I have been told that ISOs can apply to any organisation. However, I am not sure if there are actually minimum technical or staffing requirements which must be met and, if so, what are they?

Mr Calder then goes on about Quantitative Risk Analysis and its Elements. I switch off again – if only he’d give an example of one he did before (like Blue Peter) then I’d grasp it so much more quickly than I would reading the theory behind the process and a description of it with no example to hand.

Key sentence number two: “Controls are countermeasures to risks.” Great, nice, concise …. but it doesn’t stay simple for long. Controls can either be directive, preventative, detective, corrective or recovery controls.

Key sentence number 3: “the Standard.. requires the organisation to select appropriate control objectives and controls …it clearly invites organisations to do this exhaustively..” The word “invite” normally has an enjoyable indirect object, I think to myself, eg a party. It doesn’t here.

Based on notes from my diary from May 2008.

I resolve to “read” Mr Calder’s book which I ordered from Amazon from “cover to cover” – or at least to peruse the whole thing so I know what it contains.

On the face of it, from a cursory glance it looks okay.  It’s written by a Briton with a UK audience in mind, it’s only just been published and, best of all, the typeface is nice and big so its 300 pages shouldn’t take forever to digest!

The book’s got 28 chapters. Seemingly chapters 5 to 26 are about different areas of security eg.  Human Resource Security and the physical protection of your site and offices amongst other things.  I am keen to get into chapters 5 onwards as I hope these will tell me what practically I need to do to comply with the ISO 27001 Standard.

Chapter 1 explains what Information Security is.  This is a well written introduction for somebody with a business brain who really didn’t know.   It explains the reasons why information security is becoming increasingly important.  Chapter 2 explains how various pieces of predominantly US and UK legislation have converged and morphed into a compliance model.  Sarbanes Oxley is included in this.

Chapter 3 is about the ISO 27001 standard itself – I groan on p39 when Plan Do Check Act makes a reappearance.

Suddenly, I find a nice clear list on page 40.   There are six steps to planning for ISO 27001:

  1. Define the scope of the management system
  2. Define the policy
  3. Find a risk assessment method
  4. Carry out the risk assessment
  5. Decide how these risks are going to be countered or mitigated
  6. Prepare a Statement of Applicability – whatever that is.

Then Alan Calder talks about what we actually have to do:

Alan Calder’s Points | My Reaction / Thoughts
1. Formulate a risk treatment plan and document it, including planned processes and supporting documentation | I haven’t yet seen such a Risk Treatment Plan and have no idea what the other documentation should look like
2. Implement the risk treatment plan and planned controls | I know what a control is but I would like to see an example of one at this stage
3. Training for staff | Ok, but on what?
4. Managing operations and resources in line with the management system | A statement of common sense which gives little guidance as to how it’s done
5. Implementation of procedures that allow prompt detection and response to security incidents | Ok, I trust this would be an audit trail of updates to a SQL database, for example.

There is more useful stuff on page 43 with a list of required documentation.  Some of this is readily understandable in that it says the information security policy and the scope of the management system must be defined.  These are short documents and you need only one of each of them.  I have learnt from my Supply London courses that the Policy is a statement of the organisation’s intent to continually improve its information security.  The Scope is that area of your organisation to which the management system applies.  Eg the customer service department, the whole company or its Scottish operations.

Things get more confusing again further down the list of required documents.  One needs documented procedures which implement specific controls.

Buried in this paragraph is an explanation that a Work Instruction is an “even more detailed description of how to perform a specific task” than a procedure.  So I was basically correct when I thought these two amounted to the same thing.  Perhaps all this is very confusing but I am getting an accurate grasp after all.  I find this reassuring and move on to Chapter 4!

Based on entries in my diary from May 2008.

I continue my inspection of Alan Calder’s sample ISO 27001 Toolkit.

Next I focus on “Procedures”.   I am hoping this is the area in which things might become clearer.  I think I have some advance understanding of what to expect here.   I have got a draft staff manual from my solicitor and it tells employees what they can and can’t do with regards to email, internet access and other things.  Eg. You can’t visit certain websites from work computers or use work email for private purposes.

The example procedures provided by Alan Calder here state over and over again that “The organisation requires……”  For example, “the organisation requires that users of notebook computers carry with them at all times the chargers and spare batteries specified in the user agreement.”  This is good advice and I suppose one has to write it down so that it will be followed and nobody can say that they didn’t know about the rule.

I am presently confused about the difference between policies and procedures within the context of the Toolkit– although I obviously have a clue from life in general.  Eg. Procedures are made up in light of a policy and followed in order to comply with the policy.

Similarly, there’s a “Tier 3 Work Instruction” for employees about how to use Voicemail – not to give security information out on recorded messages unwittingly and the like.    A third of the text of this work instruction seems to appear on every policy, procedure or work instruction document.  Why does one need a “Work Instruction” that lays down rules as well as a procedure – why not incorporate everything in the latter?

Other declarations of the obvious in the sample procedures include, “The IT Manager is responsible for specifying, ordering and providing the firewalls, malware, automatic updating and connectivity and back-up facilities….”

The Principles of Plan Do Check Act make another appearance.  On seeing it, I turn the page quickly.

The most interesting item among the remaining files is an Information Security Manual – 38 sides of it.  However, again it seems to come out with circular sentences that state the obvious.

In sum, this toolkit may be useful to some people.  Sure I’ve only seen 10 per cent of it.  It has not, however, given me examples of the application of ISO 27001 and what you need practically to do to comply with it or to make your organisation secure.  I think that if you’d done an ISO 27001 implementation previously, the Toolkit would save you time.  I am starting from scratch and it hasn’t helped me much.

Based on entries in my diary from May 2008.

ITG offers a series of toolkits which can be downloaded for something between £400 and £1,000 depending on the contents.

I am sceptical about paying this sort of money for a download from the internet which isn’t actually software – it will be a series of templates. Anyways, there’s a free trial which I download. The confirmation email tells me it contains 10% of the contents of the full toolkit.

The first document I open up is the Toolkit Contents and Change History which is six sides long. All this does is list all the changes made to all the documents within the Toolkit and gives them lots of reference numbers. This is a massive turnoff. I gulp –I can’t even find an index at the moment.

The Toolkit talks on about Tier 1, Tier 2 and Tier 3 documents but there isn’t an obvious explanation of what this means. It also talks about a ‘Statement of Applicability’ - I am similarly confused.

There’s an Introduction to the Toolkit document which I can understand because it’s the one which encourages you to buy the proper versions and spend £500 plus quid! I understand most of the contents. The contents list is as follows:

Content | My View
A model Information Security Policy | Got it!
A model Statement of Applicability | Not sure what this is
A pre-written Information Security Manual | Sounds good
A Business Continuity Plan | Sounds good
A Service Level Agreement Template | Sounds heavy
vsRisk™ and RA2 Risk Assessment Tool integration templates | I am sure this is going to be a complete overload of management methodology.
400 pages of fit-for-purpose information | Load me up
110 pre-written policies, procedures, templates and guidance | Good
Implementation manager | Sounds like another case of overload
Enterprise security assessment tool | Sounds overly grand
Gap analysis/ISO27001 Audit tool | Gap analysis – I’ve done that before
‘What is BS7799/ISO17799?’ (project staff training slides) | Please not PowerPoint?
PDCA and documentation pyramid presentation | More unnecessary diagrams and complexity?
Unique drafting support service | Ok
12 months of automatic upgrades | You mean they don’t leave you alone even after giving you all this guff! Just kidding!

Next there are some user instructions – in fact there are 48 of them over 5 pages. These are legible and understandable. There’s good, frank advice embedded in here like “Creating your ISMS documentation is a big task”.

The User Instructions document is one you can work to but you’d have to sit down and study it. But, man, are we gearing up for a massive project here? This is the first document which divides the task out into stages and is the closest to a bullet point methodology I’ve seen. It refers to many other documents, Risk Assessments and other phenomena, many of which I don’t know what they are. It does at least tell me the order in which I have to begin trying to understand them.

Based on notes from my diary and other records from May 2008.
