Archive for 'ISO9001 Quality Manual'

I continue working my way through the ISO 27001 Standard Document. When I look at Appendix A, it appears I may be about to make a breakthrough in terms of understanding. The title is Controls and Objectives. For the first time this looks like a list of practical things one has to do to comply with the ISO 27001 Information Security standard.

For example, A.5.1.1 declares “An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.” What this practically means is that at minimum I need to find a model Information Security policy, insert my company’s name, sign it and stick it up on the company website and wahey - route one compliance with A5.1.1! To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company. I am starting to understand what is practically being asked for by ISO 27001, the information security standard.

The next four controls up to A6.1.3 aren’t as easy as A5.1.1, but they could be met with a bit of thought and paperwork. I turn the page and there are more controls.

A6.1.4 says I need an authorization process for new information processing facilities. I get this, but how do I do it in a small organisation? Does this mean a mandatory testing process for any new bit of kit or software? Would my company have the resources for that? Maybe it would just apply to secure data erasure software or hard drive destruction equipment.

A6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place, which is fair enough and clearly understood.

A6.1.6 and A6.1.7 require the maintenance of contacts with authorities and special interest groups in security forums or specialist associations. I don’t know what this means in practice though. What kind of authorities are they talking about? Does this mean government, police or what? Is one meant to have meetings with them? I am also not part of any security related professional associations - and, if I was going to be, which ones should I try and be a member of? And again, what does “maintain contact” mean exactly?

Having recently been spurred on by the appearance of my “Control of Documents and Records” friends, I am now getting bogged down again. I wonder what lies in the pages ahead. So I turn over and see more controls. I turn again and there are more. And again - more. I gulp - it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.

I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives - I am just looking at the page numbers now - closer focus is detrimental to my well-being.  The wave is right on top of me - what do I do to escape?

My information sources for developing an ISO 14001 manual include:

• A copy of the Standard itself (which arrived by email a couple of days ago)
• My Arthur-shredded or approved Compact 9001 Manual
• The Acorn Course Book which cost me £50
• A handout written by NQA, the UKAS approved system auditors, actually given to me by Adrian.

I begin by creating a complete stand-alone ISO 14001 manual – even though I know there is going to be duplication between ISO 9001 and ISO 14001. This way might seem more long-winded but I need to learn each standard one at a time before I merge them. Otherwise it gets too confusing and complicated.

Sovereign Certification provides a useful but wordy version of an ISO 14001 manual. For Data Eliminate’s version, I exclude from the first section of my ISO 14001 manual all Sovereign’s wording which is similar or equivalent to what Arthur deleted from my ISO 9001 manual.

I still find it hard to make sense of the “Interaction of Processes” – but I think it’s probably because it is so simple I can’t understand it - if you know what I mean. The examples of Interaction of Processes charts I have are more concerned with the process of implementing the environmental standard (Plan, Do, Check, Act I suppose) rather than featuring specific Data Eliminate customer service processes.

I work out a number of things in order to keep the ISO 14001 documentation to a minimum. The first is that the six standard procedures required by ISO 14001 (Corrective Action, Preventative Action etc) are almost identical to those required for ISO 9001. In addition, you need a Training Needs Assessment Form to track training you believe your employees need to fill skill gaps. To complement this, you need a Training Record Form to record the details of the actual training.

When compared to the Quality Policy, the Environmental Policy is different in focus but much the same in style. As was the case with ISO 9001, thanks to Supply London I had a morning’s lesson in how to write a policy. However, one could have used someone else’s and created one in a few minutes by making some very minor changes.

Then we get onto the bits which are not part of ISO 9001 but which ISO 14001 requires. These include:

• An Environmental Aspects Register
• An Environmental Aspects Analysis
• A Register of Applicable Laws and Regulations
• A Risk Assessment Methodology

I also add some questions to the Supplier Questionnaire, which is already part of my ISO 9001 manual, and some items to the Management Review Agenda. The Environmental Policy has to be on our web site with contact details for the manager responsible. We also need documented environmental objectives.

The first version of my Environmental Management System manual is 25 pages long – a lot more compact than my 53 page long ISO 9001 Quality Manual first starter effort.

I then spend an hour or so removing the items from my ISO 14001 manual that are duplicated in my Arthur approved ISO 9001 manual. After that the Environmental Manual is down to about 14 pages.

Things are coming together nicely. ISO 9001 and ISO 14001 are integrated. I will now need to merge ISO 27001 with them.

I contact Arthur to arrange another session. This time I am going to get him to review my combined manual for ISO 9001 and ISO 14001. I hope that I have pre-weeded it this time so that he doesn’t need to tear it apart or tell me I like detail. If he does that again after all this effort it will take more than one flapjack in my mouth to keep me quiet!

Based on notes from my diary from June 2008.

Today, Arthur the Supply London advisor comes to assess my draft ISO 9001 Manual. For mutual convenience, we arranged for him to come to my home.

I go up the road before Arthur’s meant to arrive to buy him a flapjack – all part of the PR offensive. I get back 15 minutes before he’s meant to be there but he’s already standing outside the front door looking slightly irritated. He’s come from some way away. I say, “You’re early aren’t you? I just went up the road to buy you a flapjack.” He didn’t break into a grateful smile.

He asks for a coffee. I only have instant coffee but he doesn’t seem to be fazed. He enquires about Data Eliminate’s CCT Mark. I explain that it was given to us by CESG and the Cabinet Office. He asks what CESG is. I explain that it’s the Information Assurance arm of the Cabinet Office. He nods but I am not sure he is any the wiser. Perhaps I haven’t explained it properly. Perhaps I am turning into an information security head and losing my ability to communicate with normal mortals.

I put my 53 page pile in front of him and ask him to review the information. He flicks through the document and confirms that we are destroying data on hard disks and data tapes and then recycling them in line with the WEEE Directive. I nod.

My manual is divided into four sections. Below is the outcome of Arthur’s assessment of the first of its four sections point by point:

Section   Title                                          Arthur’s Assessment

1.0       Introduction
1.1       Organisation Description                       ok
1.2       Scope of Certification                         ok
1.3       Third Party Certification                      ok

2.0       Responsibilities
2.1       Office Based Personnel                         Not needed
2.2       Site Based Personnel                           Not needed

3.0       Business Processes
3.1       Description                                    Not needed
3.2       Implementation & Maintenance                   Not needed

4.0       Quality Management System
4.1       General Requirement                            Not needed
4.2       Documentation Requirements                     Not needed

5.0       Management Responsibility
5.1       Management Commitment                          Not needed
5.2       Customer Focus                                 Not needed
5.3       Quality Policy                                 Not needed
5.4       Planning                                       Not needed
5.5       Responsibility, Authority and Communication    Not needed
5.6       Management Review                              Not needed

“Is this good or is this bad?” I am wondering.

Arthur interrupts, “Julian, you really like details don’t you!”

I don’t. I really, really hate detail. If he read my blog he wouldn’t say this. But I maintain my composure because I know that although Arthur is effectively shredding almost half my work, he is helping me a lot.

So that I don’t speak, I reach forward for a flapjack and take an enormous bite out of it which completely fills my mouth. I begin to chew. Arthur continues through the next section. He starts to talk about the Data Protection Act or something but doesn’t finish his point. He continues his review:

Section   Title                                          Arthur’s Assessment

6.0       Resources
6.1       Provision of Resources                         Not needed
6.2       Human Resources                                Not needed
6.3       Infrastructure                                 Not needed
6.4       Work Environment                               Not needed

7.0       Product Realisation
7.1       Planning of Product Realisation                Not needed
7.2       Customer Related Processes                     Not needed
7.3       Design and Development                         Not needed
7.4       Purchasing                                     Ok – some amendment needed
7.5       Production and Service Provision               Not needed
7.6       Control of monitoring and measuring devices    Not needed

8.0       Measurement, Analysis and Improvement
8.1       General                                        Not needed
8.2       Monitoring and Measurement                     Not needed
8.3       Control of nonconforming product               Not needed
8.4       Analysis of data                               Not needed
8.5       Improvement                                    Not needed

He hasn’t touched his flapjack.

“So many people think their manual has to repeat what the Standard says,” he exclaims, “you don’t need to do it!”

Arthur is more impressed by the rest of the content. A lot of it, he says, is just repeating the standard again though. He also says that when the manual is applied in practice it will make things more straightforward.

He excuses himself. He leaves the room with me smarting from the “Julian=detail” accusation. I exact revenge by demolishing his flapjack too.

The contrast between the ultra-wordy material I have waded through on ISO standards and information security and Arthur’s approach is marked. Perhaps this is one of those few cases where it’s better to have less information!

I am still chewing intensively when he returns. He is not fazed.

Ironically, Arthur has shredded the last part of my ISO Manual for a secure data destruction or hard drive shredding business! However, in sum Arthur approves of the stuff I have originated myself. Where I have text dumps, he says they are too wordy.

I will take on board most of what he says but I am aware that different experts/auditors on these Standards are likely to have different views of these things. For example, if they come from an information security background they might have a different view to Arthur’s.

So far so good then with ISO 9001. I’ll need to do the same with ISO 14001, getting it down to a similar minimum.

Based on notes from my diary from June 2008.

I spend a while looking for a copy of ISO 27001 on the internet and just when I think I have wasted my time, I strike gold. On result 26 of the fourth Google search, a copy of ISO 27001 – all 34 pages of it!

[Image: Items containing computer hard drives]

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact that I have met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001, which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

The final part of my IMS or ISO 9001 Manual is dedicated to the Management Records Data Eliminate will need to keep.

By reading through the standard and collating information from my other sources, I have identified the following records, the keeping of which I believe is mandatory, even if not specifically identified as such by the Standard:

MR1 Management Review Meeting
MR2 Non-Conformance Report
MR3 Audit Report
MR4 Corrective Action Record
MR5 Preventative Action Record
MR10 Supplier Evaluation Questionnaire
MR11 Customer Satisfaction Questionnaire

I am fairly sure I will need these for employees:

MR12 Training Needs Assessment Form
MR13 Training Record

Finally, there are the ones I am voluntarily adding. Without them I don’t think the management system would be worth its salt. These include:

MR14 Client Inventory Sheet
MR15 Certificate Of Data Destruction
MR16 Items That Could Not Be Processed Report
MR17 Equipment Conformity Check

MR14, the Client Inventory Sheet, is what we send to clients in advance of our visit. It lists serial numbers and other information about the items to be destroyed.

MR16, the Items That Could Not Be Processed Report, is what is completed if we arrive on site and there is an item we cannot process. E.g. if the hard drive is so old and big it won’t fit in one of our manglers, then I think the Standard says we have to record this.

MR17, the Equipment Conformity Check, records our internal tests on our crushing equipment referred to in my voluntarily introduced procedure MP7 Verification of Purchased Product.

My first draft manual comprises 53 sides. There is one side per section, procedure or record and the relevant text is placed on each page. So there aren’t 53 fully populated pages. I hope this is the right approach.

I am getting to know the standard pretty well. I now need to get Arthur from Supply London to review it.

Based on notes from my diary and other records from May 2008.

A procedure is a list of specific instructions or rules about the way certain things will be done. Both ISO 9001 and ISO 27001 require certain procedures to be documented, and the documentation of many others is deemed to be optional but may be practically essential as proof of compliance for audit purposes. In the language of the Standards, certain procedures “shall” rather than “should” be documented.

The mandatory procedures for ISO 9001 which I have now identified are similarly listed in most of my sources. They comprise:

MP1 Document Control
MP2 Control of Records
MP3 Internal Auditing
MP4 Control of Non-conformance
MP5 Corrective Action
MP6 Preventive Action

For the moment these are text dumps in my draft manual. My primary focus here is covering off the minimum documentation requirement.

I make one small voluntary addition here. It seems prudent to me to run regular internal checks on our data destruction equipment to verify it is destroying data in the way it should. So I have also added a procedure for this under the Verification of Purchased Product clause of ISO 9001. I am not sure if it should necessarily go under this heading but I plan to include it as a procedure wherever it should be placed.

Based on diary entries from May 2008.

I decide to use some templates supplied by Adrian to document the company’s main workflows. E.g. from receiving an enquiry, to providing a quote, accepting an order, rocking up at the client’s site, destroying data, providing destruction certificates and sending out an invoice.

The templates are in MS Word and I have to originate everything but the outline structure from scratch. I had an initial text-based version as a starting point but formatting these in MS Word is very tricky due to the usual bugs and a completely different menu structure compared to the version I am used to.

It takes me a couple of days to sort the processes out because as well as drafting the documents I am developing and improving the processes at the same time. The full list of delivery processes, which makes up 7 sides of super fiddly flow diagrams, comprises:

DP1 Enquiry Handling
DP2 Estimate Preparation
DP3 Contract Preparation
DP4 Contract Delivery 1
DP5 Contract Delivery 2
DP6 Service Execution

While going through the processes I have built a list of documents which, as records, will be key to the management system. One example is a Certificate of Destruction. Another would be an invoice.

Based on notes and my diary from May 2008.

In the first draft of my ISO 9001 manual, I have got 15 sides and 2,954 words. That’s a lot of data, but a lot less than Ray Tricker! Most of the wording seems to be repeating what the clauses of the ISO 9001 Standard itself say, but in plainer English. I can’t see the point of these clauses but I have heard these standards are about paperwork so maybe the inspector will like it!

Under different headings in the manual, I have made entries in blue text which were either suggested as generic insertions by, or featured in, other sources.  In addition, I have added paragraphs or sections that I think will be of specific benefit to Data Eliminate.

The clauses in the ISO 9001 Standard document itself represent different degrees of challenge in interpretation. I think I have worked out clauses from which Data Eliminate is excluded – a lot of these seem to relate to manufacturing processes.  Data Eliminate provides a service for the risk management of personal data and confidential information and as such is not a manufacturer.

Some clauses of ISO 9001, the Quality Management Standard itself, are easy to understand. I begin to work out which forms and procedures they relate to. In other words, what an auditor is likely to look for to prove that one is in compliance with each clause. Drawing some of these relationships is very straightforward.

There is a second tier of more challenging clauses which requires some cross referencing and even a bit of digging into Ray Tricker’s 500 page doorstop to work out what they mean.

The third tier of discovery involves some mixing and matching - cross referencing items with clauses and requirements elsewhere in the document. This is a bit like playing “Pelmanism” or “Pairs” – the card memory game where you lay the 104 cards individually face down on a table. Each player takes it in turn to turn over and look at two cards and has to collect pairs by remembering where individual cards are located in order to match them up with their pair.

The fourth tier comprises the bits about which I don’t have a clue. This becomes my list of questions for Arthur – noted in red text within my Manual.

My ISO 9001 manual contains a Quality Policy, an Organisation Chart and some Delivery Process diagrams. The latter are flow charts.

The Delivery Process diagrams show the internal workflow in servicing customers, amongst other things. I have seen some really simple example workflows but this is the first area I have found where I think I will voluntarily go for more detail. This is partly because I need to get the processes laid out and documented before hiring employees.

I am confused about the requirement to define the “interaction of processes”. Versions of charts I have are quite different in style. Showing how the processes interact is what I am unsure about at present. It seems that this may be a case where the concept being conveyed is so simple there is no real need for a chart! (I have never been a fan of process charts. It reminds me of my computing O level!)

Confidence in my interpretive ability is increasing the more I work on this!

I now have enough information to tackle ISO 9001 and produce the first draft or text dump of the IMS or Quality Manual. I have now collated the following resources:

  • A copy of the standard itself.
  • The basic procedures and policies left by Peter from FXXP principally relating to BS7858 Employee Vetting
  • Several downloads from sovereigncertifciation.com including a quality manual template
  • The Integrated Management System (IMS) covering ISO 9001, ISO 14001 and ISO 18001 sent over by Adrian
  • The 5 pages from the Ray Tricker Book
  • One or two other documents from various websites

Adrian’s manual covers 3 standards and is considerably more concise than the Sovereign Template, which covers only one standard. I only have some parts of the former. The trouble is that what I have is so succinct and merged/integrated that I can’t really tell how the contents relate to each of the individual standards.

In Sovereign’s manual, the numbering system of the clauses mirrors that of the clauses within the standard itself. This is clearly going to make life easier now but I have read that taking this approach can have disadvantages later in making the manual too bulky. It seems like it’s probably too bulky already for my purposes.

The challenge now is to collate all this into a coherent Manual and documentation for Data Eliminate. At first, I am going to pull a minimum manual together for .  I’ll do a generic one for ISO 9001 and one for ISO 14001 and then merge them.

I start with the ISO 9001 open on my desk. I know now that I can pretty much ignore anything that comes in sections 1 through 3. My first focus is Section 4. With the two manual templates open on my screen, I start moving between the two, text dumping and amending. This takes quite a while.

By the time I have finished, the first draft of my manual is a text dump comprising the following headings:

1.0       Introduction

1.1       Organisation Description
1.2       Scope of Certification
1.3       Third Party Certification

2.0       Responsibilities

2.1       Office Based Personnel
2.2       Site Based Personnel

3.0       Business Processes

3.1       Description
3.2       Implementation & Maintenance

4.0       Quality Management System

4.1       General Requirement
4.2       Documentation Requirements

5.0       Management Responsibility

5.1       Management Commitment
5.2       Customer Focus
5.3       Quality Policy
5.4       Planning
5.5       Responsibility, Authority and Communication
5.6       Management Review

6.0       Resources

6.1       Provision of Resources
6.2       Human Resources
6.3       Infrastructure
6.4       Work Environment

7.0       Product Realisation

7.1       Planning of Product Realisation
7.2       Customer Related Processes
7.3       Design and Development
7.4       Purchasing
7.5       Production and Service Provision
7.6       Control of monitoring and measuring devices

8.0       Measurement, Analysis and Improvement

8.1       General
8.2       Monitoring and Measurement
8.3       Control of Nonconforming Product
8.4       Analysis of data
8.5       Improvement

I feel like I have taken a big step forward - I call Arthur to book a session with him in advance so that I can go through all this with him once it’s done.

Based on notes from my diary and other records from May 2008.

My research effort took a significant step forward this morning. Last night, I met up with Adrian, my contact from the lack of quality seminar, for a drink. He does seem to know about ISOs and he might be ok at sales. I am considering that he may be worth employing. Still, as a result of last night, he’s sent me a really useful email. It’s a copy of an integrated management system manual for ISO 9001, ISO 14001 and ISO 18001.

This is the most distilled, concise and integrated document I have seen. The requirements of the Standards have been merged to such an extent that it’s not possible to see which elements within the manual correspond to which of the three Standards.

Adrian also sent me a Legal Register which is apparently required by ISO 14001. This is a huge spreadsheet listing about 100 regulations which can apply to any business. This will have taken somebody ages to prepare. I will need to adapt this to my business but having it will save me a lot of time. Adrian’s a good guy.

Based on diary entries from April 2008.
