Archive for 'B. ISO 27001'

I resolve to “read” Mr Calder’s book, which I ordered from Amazon, from “cover to cover” – or at least to peruse the whole thing so I know what it contains.

On the face of it, from a cursory glance it looks okay. It is written by a Briton with a UK audience in mind, it’s only just been published and, best of all, the typeface is nice and big so its 300 pages shouldn’t take forever to digest!

The book’s got 28 chapters. Seemingly chapters 5 to 26 are about different areas of security, e.g. Human Resource Security and the physical protection of your site and offices, amongst other things. I am keen to get into chapter 5 onwards as I hope these will tell me what practically I need to do to comply with the ISO 27001 Standard.

Chapter 1 explains what Information Security is. This is a well written introduction for somebody with a business brain who really didn’t know. It explains the reasons why information security is becoming increasingly important. Chapter 2 explains how various pieces of predominantly US and UK legislation have converged and morphed into a compliance model. Sarbanes-Oxley is included in this.

Chapter 3 is about the ISO 27001 standard itself – I groan on p39 when Plan Do Check Act makes a reappearance.

Suddenly, I find a nice clear list on page 40. There are six steps to planning for ISO 27001:

  1. Define the scope of the management system
  2. Define the policy
  3. Find a risk assessment method
  4. Carry out the risk assessment
  5. Decide how these risks are going to be countered or mitigated
  6. Prepare a Statement of Applicability – whatever that is.

Then Alan Calder talks about what we actually have to do. His points, with my reaction / thoughts on each:

  1. Formulate a risk treatment plan and document it, including planned processes and supporting documentation.
     My reaction: I haven’t yet seen such a Risk Treatment Plan and have no idea what the other documentation should look like.
  2. Implement the risk treatment plan and planned controls.
     My reaction: I know what a control is but I would like to see an example of one at this stage.
  3. Training for staff.
     My reaction: OK, but on what?
  4. Managing operations and resources in line with the management system.
     My reaction: a statement of common sense which gives little guidance as to how it’s done.
  5. Implementation of procedures that allow prompt detection and response to security incidents.
     My reaction: OK, I trust this would be an audit trail of updates to a SQL database, for example.

There is more useful stuff on page 43 with a list of required documentation. Some of this is readily understandable in that it says the information security policy and the scope of the management system must be defined. These are short documents and you need only one of each of them. I have learnt from my Supply London courses that the Policy is a statement of the organisation’s intent to continually improve its information security. The Scope is that area of your organisation to which the management system applies, e.g. the customer service department, the whole company or its Scottish operations.

Things get more confusing again further down the list of required documents.  One needs documented procedures which implement specific controls.

Buried in this paragraph is an explanation that a Work Instruction is an “even more detailed description of how to perform a specific task” than a procedure. So I was basically correct when I thought these two amounted to the same thing. Perhaps all this is very confusing but I am getting an accurate grasp after all. I find this reassuring and move on to Chapter 4!

Based on entries in my diary from May 2008.

I continue my inspection of Alan Calder’s sample ISO 27001 Toolkit.

Next I focus on “Procedures”. I am hoping this is the area in which things might become clearer. I think I have some advance understanding of what to expect here. I have got a draft staff manual from my solicitor and it tells employees what they can and can’t do with regards to email, internet access and other things, e.g. you can’t visit certain websites from work computers or use work email for private purposes.

The example procedures provided by Alan Calder here state over and over again that “The organisation requires……” For example, “the organisation requires that users of notebook computers carry with them at all times the chargers and spare batteries specified in the user agreement.” This is good advice and I suppose one has to write it down so that it will be followed and nobody can say that they didn’t know about the rule.

I am presently confused about the difference between policies and procedures within the context of the Toolkit – although I obviously have a clue from life in general, e.g. procedures are made up in light of a policy and followed in order to comply with the policy.

Similarly, there’s a “Tier 3 Work Instruction” for employees about how to use Voicemail – not to give security information out on recorded messages unwittingly and the like. A third of the text of this work instruction seems to appear on every policy, procedure or work instruction document. Why does one need a “Work Instruction” that lays down rules as well as a procedure – why not incorporate everything in the latter?

Other declarations of the obvious in the sample procedures include, “The IT Manager is responsible for specifying, ordering, providing the firewalls, malware, automatic updating and connectivity and back-up facilities….”

The Principles of Plan Do Check Act make another appearance.  On seeing it, I turn the page quickly.

The most interesting item among the remaining files is an Information Security Manual – 38 sides of it. However, again it seems to come out with circular sentences that state the obvious.

In sum, this toolkit may be useful to some people. Sure, I’ve only seen 10 per cent of it. It has not, however, given me examples of the application of ISO 27001 and what you need practically to do to comply with it or to make your organisation secure. I think that if you’d done an ISO 27001 implementation previously, the Toolkit would save you time. I am starting from scratch and it hasn’t helped me much.

Based on entries in my diary from May 2008.

I continue perusing the ISO 27001 Sample Toolkit. 

I look at a sample policy. There are 3 or 4 bullet points covering the specifics of the policy itself. Two thirds of the document is made up of the same or very similar standard blurb which appears atop and afoot all the other sample policies. Other information includes who the author is and where the document can be found.

Explanations provided within the sample document templates include ones such as “the Organisation protects its networked services in line with its Access Control Policy from unauthorised Access”. This is exactly the same type of sentence as I took Ray Tricker to task for. Is anyone really any the wiser after a sentence like this? Why do you need to state that the purpose of an Access Control policy is to prevent unauthorised access? Isn’t that just common sense?

Even more scarily, these templates have big gaps in them where one is meant to insert text to suit one’s organisation. It strikes me that filling in the blanks is not going to be straightforward. I was hoping more for a “delete the text that doesn’t apply to your organisation” approach. There is no example text provided that one could lift and adapt to fill these gaps.

Hints about what might rightly fill the gaps are not straightforward. In one of them, the Toolkit advises me to enter “details of appropriate authentication mechanisms…”. I think this could simply be a requirement for a password. The answer, despite all the documented complexity, is probably that straightforward, but the whole thing is so bamboozling I don’t know!

There is a Policies and Procedures Diagram. I am really expecting overload here. As I double click it I am cringing in anticipation of seeing much complexity before me and how mind boggling it is going to be. My cringe turns to a broad smile as my PC tells me that it doesn’t have the software to open the document up! I happily move on.

Based on entries in my diary from May 2008.

ITG offers a series of toolkits which can be downloaded for something between £400 and £1,000 depending on the contents.

I am sceptical about paying this sort of money for a download from the internet which isn’t actually software – it will be a series of templates. Anyways, there’s a free trial which I download. The confirmation email tells me it contains 10% of the contents of the full toolkit.

The first document I open up is the Toolkit Contents and Change History which is six sides long. All this does is list all the changes made to all the documents within the Toolkit and gives them lots of reference numbers. This is a massive turnoff. I gulp – I can’t even find an index at the moment.

The Toolkit talks on about Tier 1, Tier 2 and Tier 3 documents but there isn’t an obvious explanation of what this means. It also talks about a ‘Statement of Applicability’ – I am similarly confused.

There’s an Introduction to the Toolkit document which I can understand because it’s the one which encourages you to buy the proper versions and spend £500 plus quid!! I understand most of the contents. The contents list, with my view on each item, is thus:

  • A model Information Security Policy: Got it!
  • A model Statement of Applicability: Not sure what this is.
  • A pre-written Information Security Manual: Sounds good.
  • A Business Continuity Plan: Sounds good.
  • A Service Level Agreement Template: Sounds heavy.
  • vsRisk™ and RA2 Risk Assessment Tool integration templates: I am sure this is going to be a complete overload of management methodology.
  • 400 pages of fit-for-purpose information: Load me up.
  • 110 pre-written policies, procedures, templates and guidance: Good.
  • Implementation manager: Sounds like another case of overload.
  • Enterprise security assessment tool: Sounds overly grand.
  • Gap analysis/ISO27001 Audit tool: Gap analysis – I’ve done that before.
  • ‘What is BS7799/ISO17799?’ (project staff training slides): Please, not PowerPoint?
  • PDCA and documentation pyramid presentation: More unnecessary diagrams and complexity?
  • Unique drafting support service: OK.
  • 12 months of automatic upgrades: You mean they don’t leave you alone even after giving you all this guff! Just kidding!

Next there are some user instructions – in fact there are 48 of them over 5 pages. These are legible and understandable. There’s good, frank advice embedded in here like “Creating your ISMS documentation is a big task”.

The User Instructions document is one you can work to but you’d have to sit down and study it. But, man, are we gearing up for a massive project here? This is the first document which divides the task out into stages and is the closest to a bullet point methodology I’ve seen. It refers to many other documents, Risk Assessments and other phenomena, many of which I don’t know what they are. It does at least tell me the order in which I have to begin trying to understand them.

Based on notes from my diary and other records from May 2008.

I feel that I am now in a strong position with regards to ISO 9001 and ISO 14001. My attention turns to finding information on the practical implementation of 27001 in an SME.

After the struggle of finding information on ISO 9001 and ISO 14001, my patience is wearing a bit thin with the nature of the information that is available on these standards.

Most of the material features in-depth discussion on corporate governance or charts which to my mind make a simple idea much more complex than it needs to be. It seems that when a point could be made in one or two sentences ISO authors write two sides of prose instead. They throw in a chart, and, if they’re really overloading, a table or figure as well. What’s more, the figures have numbers, e.g. “3.1a”, and the figure or chart is always over the page from the text that refers to it and explains it – so one has to keep page-flipping between the two.

Judging by my searching on ISO 27001, all or most Google information security roads appear to lead to www.itgovernance.co.uk (ITG). Unlike for ISO 9001, Google searches for ISO 27001 do not go many pages deep in terms of relevant results.

These Google road signs lead to ‘ITG’ either because it’s good, because it’s the only one there, or both.

My first download about 27001 is IT Governance’s Introduction to Information Security and 27001 – 6 sides. This is pretty useful. It sets the scene quite well for a director or manager who’s thinking about going for it and sets the background to the standard well. I pick up on some particular sentences: “the most time-consuming….part of the entire project is the development of documentation that sets out how the ISMS works.” I would have guessed this but it just underlines what the challenge is going to be, judging by my ISO 9001 experience to date.

At the end of the ITG intro document is a list of additional resources which turn out all to be available from their own website! Ok, so this intro document has set the scene and now the next task is to have a look around the site.

I decide to use some templates supplied by Adrian to document the company’s main workflows, e.g. from receiving an enquiry, to providing a quote, accepting an order, rocking up at the client’s site, destroying data, providing destruction certificates and sending out an invoice.

The templates are in MS Word and I have to originate everything but the outline structure from scratch. I had an initial text-based version to use as a starting point but formatting these in MS Word is very tricky due to the usual bugs and a completely different menu structure compared to the version I am used to.

It takes me a couple of days to sort the processes out because as well as drafting the documents I am developing and improving the processes at the same time. The full list of delivery processes, which makes up 7 sides of super fiddly flow diagrams, comprises:

  • DP1 Enquiry Handling
  • DP2 Estimate Preparation
  • DP3 Contract Preparation
  • DP4 Contract Delivery 1
  • DP5 Contract Delivery 2
  • DP6 Service Execution

While going through the processes I have built a list of documents which as records will be key to the management system.  One example is a Certificate of Destruction.  Another would be an invoice.

Based on notes and my diary from May 2008.

I take stock of the situation regarding the ISO consultants I have contacted.

Terry Russell of www.iso9001.co.uk replied to my requirements letter today but it wasn’t encouraging. He said he could supply everything I wanted – and he is UKAS accredited – but didn’t seem that keen to oblige.

He said:

(a) your Invitation to Tender asks for copies of work that we have produced for others. I simply will not provide the procedures of any of our clients to another organisation, under any circumstances.
(b) we normally only provide services to applicants who are referred to us by existing clients. You’ll understand that the risks go both ways. If we provide services to you, I need assurance that you are financially sound and are the sort of client that we would want.

I know this sounds very fussy, but we are fussy about our clients. With your timescales, it would not provide me with sufficient time to conduct our checks on your organisation.

Sorry about that.

I phoned Paul from RPPT Associates but he said that he was too far away and too busy to get involved. He said he could provide coaching from a distance but he suggested I look for someone more local.

On top of this, some considerable time after sending my written requirements to FXXP there is still no reply from them – despite the fact that Liz said she’d look into it.

So it seems that no-one is interested! 

Is it because:

  • My requirements are out of scope for these consultants?
  • My requirements are too exacting and demanding for them?
  • There isn’t really anyone out there who has done what I am trying to do in the way I am trying to do it?

I like to think and hope it’s the latter – if only because it helps me reverse out of this cul-de-sac to spur myself on.

Based on notes from my diary and other records from April 2008.

In my search for hold-your-hand type consultants, my online searching has uncovered two websites which seem of particular interest – www.sovereigncertification.co.uk and www.iso9000.co.uk.

If you dig into the site a bit, Sovereign has a lot of information and downloads on ISO 9001 and ISO 14001 – but not on ISO 27001. The consultant(s) at www.iso9000.co.uk deal with all three standards – and on the basis of my searching experience, this is unusual.

I speak to Mark Helm, the senior consultant at Sovereign, who is very helpful and sends over a lot of supplementary information. Mark himself operates within a business model of remotely coaching companies through ISO 9001 and ISO 14001 and providing a series of downloadable templates which the client can amend to suit their particular business. The downloads include a sample ISO 9001 manual. This is the first version of one I have seen and I am sure it will be very helpful in deciphering the legalese of the ISO itself into what is practically required within the company.

I also make several unsuccessful attempts to speak to Terry Russell of www.iso9001.co.uk.

Despite this temporary chink of light, I am getting increasingly anxious at the lack of clear progress.  So I decide to write down exactly what I want from these consultants – to write a spec.  This is what most of the unforthcoming ones have requested.  It takes a while but in the end I come up with the one below. 

I write a pretty formal letter and talk about decisions of the Board etc which is in line with the way in which I perceive these “ISO types” communicate!

My letter is thus:

REQUEST FOR INFORMATION ON ISO CONSULTANCY SERVICES

We are writing to you to enquire about your services relating to the acquisition by Data Eliminate Ltd of certain ISO Standards.

ISO CERTIFICATION REQUIREMENTS

Data Eliminate (www.dataeliminate.com) has researched a range of accreditations and standards. With regards to Standards, this has comprised a day of advance consultancy from a UKAS approved consultant specializing in the security industry, the reading of substantive books on ISO 9001 and ISO 27001, 3 days desk research and attendance at 2 courses run by Supply London and participation in its business support scheme. We have also spoken to business associates who have implemented various standards and obtained telephone overviews from a handful of experienced individuals.

On the basis of our research and information to date, the Board has decided that the following should be Data Eliminate’s priorities:

Standards, term and months to first UKAS inspection:

  • ISO 9001, ISO 14001, ISO 7858: Short term, 8 months
  • ISO 27001: Medium term, 14 months

The Board has concluded that ISO 18001 has no obvious commercial or practical benefit at present and its introduction would be too burdensome at this stage of the company’s development.

Data Eliminate is aware of the type of premises, equipment and personnel it is going to have. The objective is to complete as much Standards-related documentation and planning as is practicable before the company focus shifts to servicing customers. (In saying this, we acknowledge that adhering to Standards is an on-going responsibility).

Our foremost requirement in a supplier of consultancy services is flexibility and the ability to provide services in a way which is compatible with our needs and modus operandi.

We have an intense, fast-moving and thorough approach to the Data Eliminate project and have done considerable homework on this subject. We need a consultant who can take a running start from the position we have already reached.

The purpose of engaging a consultant is to benefit from external advice and experience and to save time and internal resource.

We are aware that many of the Standards’ clauses will not apply to us and that our documentation relating to them can be comparatively concise.  With this in mind, we are seeking the services of a consultant who can provide among other things:

  • A list of the Standards’ elements which are obligatory for all businesses and a separate list for organisations in our line of business.
  • Advice on other non-compulsory elements which may be beneficial to our business in the medium and longer term.
  • Policy, procedure and other templates for the compulsory elements that we can adapt for our own use.
  • Guidance on the wording of Standard elements which are particular to our business.  For example, we believe we have the body of an ISO 9001 Policy Manual of suitable size and style for a business of our size.  However, we require specific advice on the completion of clauses 7.3.1 through 7.3.7.

Before we engage your services, our principal requirement is that we are convinced of your professionalism and efficiency - and that you want our business.

We would also like to be informed of the following - where appropriate in writing:

  • An estimate of consultancy days required from you to help us achieve our short term objectives, over what time period and at what intervals those days will be given.  Associated costs and travel expenses.
  • The amount of internal Data Eliminate man days which will be required working in parallel with your consultant(s) and at what intervals.
  • A similar estimate of man days (external and internal) and costs pertaining to the medium term objective above.
  • An explanation of the work that will be completed by you and that you will expect Data Eliminate to do.
  • Copies of documents such as policy manuals and procedures you have previously prepared (or extracts therefrom) which you believe are similar in length and style to those you would assist us in developing.
  • A brief outline of your experience in dealing with the above Standards. 
  • Two references from existing customers who we may contact briefly over the phone to confirm the efficacy of your service.
  • The names and brief backgrounds of the person(s) providing the consultancy, when they are able to start the project and advance notification of any absences or unavailability of key personnel over the next 4 months.
  • A copy of your Terms and Conditions.
  • Details of your professional indemnity insurance (if applicable)

Finally,

  • Please acknowledge receipt of this email by close of business on date in 2008 or by phoning Tel: 0845-1234-400. 
  • Responses are required by close of business on xxxx. 
  • Data Eliminate requires UKAS approved certification of its Standards.

If you wish to contact us to discuss the above, please call and speak to me on etc

We look forward to hearing from you.

Regards

Julian Fraser

I feel that this really explains the situation. I send it to Sovereign Certification, www.iso9001.co.uk, FXXP Associates and Paul from RPPT Associates – recommended by Adrian.

Based on notes from my diary and other records from April 2008.

I set aside my disappointing contacts with FXXP and RPPT and begin crawling the internet again for companies which cover all three standards and who look like they might not take a massive corporate scale approach to things. There aren’t (obviously at least) that many of these.

I have decided to make experience of ISO 27001 the focus of my search for a consultant. ISO 27001 is much larger and more complex than ISO 9001 and ISO 14001 and requires more detailed expertise.

I have learnt by now the difference between a UKAS accredited ISO auditor and a self-certified or non-UKAS auditor. The difference is very important but very few people understand it.

All auditors issue kite marks to companies they audit. UKAS approved auditors are third party monitored and certified by UKAS itself. Other ISO auditors are not independently assessed. The kitemarks issued by each type of auditor look very similar but they are not of the same value.

Public sector bodies and larger companies, who for the most part know their stuff, will look for the UKAS kite mark. The UKAS ISO kitemark has a crown in it. In fact, one of the companies on the Supply London course did not learn the difference between the UKAS and non-UKAS audit until after they had completed self-certification (under the non-UKAS route) and found it not to be good enough for local councils. They had to reaccredit under UKAS.

There are several companies which offer self-certification (the non-UKAS route). Probably the best known of these is QMA – of whom I am aware because over the years I have been the recipient of several of their mailers. They offer ISO 9001 for £1,900 or something similar. What they are doing is coaching you on interpreting the ISO and confirming for yourself that you meet the standards. You are then permitted to use a QMA Kitemark. This has a big tick in it like other kitemarks but does not have the UKAS Crown.

On the BSI site I find a list of approved auditors for ISO 27001. The auditors I am reviewing on the BSI website are all going to be UKAS accredited. However, I am aware that the non-UKAS consultants may well have material that is useful to me in interpreting the ISOs. So I phone BSI, NQA, LRQA (all UKAS accredited) and also QMA for an information pack to see what I get through and how useful it is.

Based on notes from my diary and other records from April 2008.

So I speak to Peter of FXXP and explain how far I have now got. I say that I am after doing ISO 9001, ISO 14001 and ISO 27001. He says that he can only help with ISO 9001 but he’s sure he can sort it pretty quickly. However, I know that he is assuming he can sort it with a few simple Word documents and forms, which will not fit in with the way I want Data Eliminate to run, integrate with an ERP system etc. He tells me to speak to Liz, which I do.

Liz says FXXP can help with ISO 9001 and ISO 14001 and not with ISO 27001.  She says that if I send her over a spec of exactly what I want then she will get back to me.  (Incidentally, she never does get back to me.)

FXXP represent a frustrating start.  Then out of the blue I receive an email from Adrian – the guy who sat next to me at the “Lack of Quality” seminar.  Adrian says that he knows he was going to email me something but he can’t remember what it was. I can’t remember him saying that he was going to email me anything at all!   However, what he ends up sending over looks very useful. 

He has been talking to an ISO consultant (RPPT Associates) who specialize in doing ISO 9001, ISO 14001 and ISO 18001. ISO 18001 is the Health and Safety standard. Adrian says that RPPT are reasonably priced at about £350 a day, which is an introductory offer. He suggests I give Paul from RPPT a call.

I thank Adrian.  He suggests we meet up for a drink next week.  I accept.

I immediately phone Paul of RPPT and explain my situation to him. When I say I want hand-holding kind of help, he says that he’s really booked up for the next few months but if I send something over in writing then he’ll see what he can do. NB – Adrian didn’t have the impression that he was this busy. So far neither of these ISO consultants have been very forthcoming. I will write to them with details of what I need, but I don’t hold out much hope.

Based on notes from my diary and other records from April 2008.
