Archive for 'C. ISO 9001'

I take stock of the situation regarding the ISO consultants I have contacted.

Terry Russell of www.iso9001.co.uk replied to my requirements letter today but it wasn’t encouraging. He said he could supply everything I wanted – and he is UKAS accredited – but didn’t seem that keen to oblige.

He said

(a) your Invitation to Tender asks for copies of work that we have produced for others. I simply will not provide the procedures of any of our clients to another organisation, under any circumstances
(b) we normally only provide services to applicants who are referred to us by existing clients. You’ll understand that the risks go both ways. If we provide services to you, I need assurance that you are financially sound and are the sort of client that would want.

I know this sounds very fussy, but we are fussy about our clients. With your timescales, it would not provide me with sufficient time to conduct our checks on your organisation.

Sorry about that.

I phoned Paul from RPPT Associates but he said that he was too far away and too busy to get involved. He said he could provide coaching from a distance but he suggested I look for someone more local.

On top of this, some considerable time after sending my written requirements to FXXP there is still no reply from them – despite the fact that Liz said she’d look into it.

So it seems that no-one is interested! 

Is it because:

  • My requirements are out of scope for these consultants?
  • My requirements are too exacting and demanding for them?
  • There isn’t really anyone out there who has done what I am trying to do in the way I am trying to do it?

I like to think and hope it’s the latter – if only because it helps me reverse out of this cul-de-sac to spur myself on.

Based on notes from my diary and other records from April 2008.

My research effort took a significant step forward this morning. Last night, I met up with Adrian, my contact from the lack of quality seminar, for a drink. He does seem to know about ISOs and he might be ok at sales. I am considering that he may be worth employing. Still, as a result of last night, he’s sent me a really useful email. It’s a copy of an integrated management system manual for ISO 9001, ISO 14001 and ISO 18001.

This is the most distilled, concise and integrated document I have seen. The requirements of the Standards have been merged to such an extent that it’s not possible to see which elements within the manual correspond to which of the three Standards.

Adrian also sent me a Legal Register which is apparently required by ISO 14001. This is a huge spreadsheet listing about 100 regulations which can apply to any business. This will have taken somebody ages to prepare. I will need to adapt this to my business but having it will save me a lot of time. Adrian’s a good guy.

Based on diary entries from April 2008.

My books arrive from Amazon.  When I get a new business book, I like to read it in its entirety and check out everything in it and then distill it down to the bits that interest me.  I think this comes from dealing with software.  I used to read the entire manual or help system for each bit of software so I knew everything that it was (supposedly) able to do even if I didn’t know exactly how to make it do it.  These two books  I have bought from Amazon are going to get the same treatment.

After half an hour looking at Ray Tricker’s book I am agog. His book is making the subject matter more confusing rather than simplifying it. I find chapter titles such as “Interoperability of Quality Management Systems” distinctly demotivating.

I read on. The book goes through the standard clause by clause and talks in general terms about what most companies should do but it is not very precise about how they should do it.

I know this book is a best seller on Amazon but to me the language is far too close to that of the standard itself.  For example it explains that “Quality Assurance personnel are members of the organisation judged competent to carry out quality assurance duties”.

I know that a sentence like this as a stand alone makes sense but what it tells you is self evident. If three or four sentences of this type are packed into the same paragraph then I find myself going nowhere. Tell me something I don’t know or something that isn’t obvious. Please distill it down. Don’t make it so complex and wordy that I can’t make head or tail of it. It’s just exhausting.

It’s beginning to dawn on me that maybe that is what this industry is about.  The consultants, auditors and others keep things deliberately complicated so they can bamboozle customers and charge lots of money for providing some very simple solutions - like Peter of FXXP’s forms and procedures.  (Peter himself  though is not a bamboozler.)

It reminds me of many people’s attitudes to accountants. People who don’t understand accounts are so deferential to accountants. As soon as an accountant mentions a word like ‘debit’ or ‘credit’, his client often switches off. The client can’t tell when the accountant is talking a load of baloney and when he’s not. The accountant sits there, uses lots of long words, is able to cover up bits he doesn’t know and then sends a nice fat invoice afterwards. In my role as management consultant, I have often helped clients in these kinds of situations.

Ray Tricker provides something that I am really interested in getting hold of – an example Quality Management Manual for an SME. However, Ray Tricker’s version is a whopping 160 sides long. Sovereign Certification’s was more like 20 sides. How can I possibly wade through this lot?

Right now I am very frustrated and disappointed. This book is a best seller – probably because it’s the only one on the subject. Maybe it’s useful to some management academics really into the theory and MBAs etc. For me it’s just compounded the situation. Its saving grace is the 5 page appendix listing the minimum documents required by standard. This is useful – at this stage worth the £40 I paid for the book.

It also says within the book that purchasers of it can buy Word versions of some of the documentation featured within the book on a CD. I visit the website (http://www.herne.org.uk/). The amateurish design of the site does not instill confidence.

I send an email enquiring about the CD.

Based on notes from my diary and other records from May 2008.

In my search for hold-your-hand type consultants, my online searching has uncovered two websites which seem of particular interest – www.sovereigncertification.co.uk and www.iso9000.co.uk.

If you dig into the site a bit, Sovereign has a lot of information and downloads on ISO 9001 and ISO 14001 – but not on ISO 27001.  The consultant(s) at www.iso9000.co.uk  deals with all three standards – and on the basis of my searching experience, this is unusual.

I speak to Mark Helm the senior consultant at Sovereign who is very helpful and sends over a lot of supplementary information. Mark himself operates within a business model of remote coaching companies through ISO 9001 and ISO 14001 and providing a series of downloadable templates which the client can amend to suit their particular business. The downloads include a sample ISO 9001 manual. This is the first version of one I have seen and I am sure will be very helpful in deciphering the legalese of the ISO itself into what is practically required within the company.

I also make several unsuccessful attempts to speak to Terry Russell of www.iso9001.co.uk.

Despite this temporary chink of light, I am getting increasingly anxious at the lack of clear progress.  So I decide to write down exactly what I want from these consultants – to write a spec.  This is what most of the unforthcoming ones have requested.  It takes a while but in the end I come up with the one below. 

I write a pretty formal letter and talk about decisions of the Board etc which is in line with the way in which I perceive these “ISO types” communicate!

My letter is thus:

REQUEST FOR INFORMATION ON ISO CONSULTANCY SERVICES

We are writing to you to enquire about your services relating to the acquisition by Data Eliminate Ltd of certain ISO Standards.

ISO CERTIFICATION REQUIREMENTS

Data Eliminate (www.dataeliminate.com) has researched a range of accreditations and standards. With regards to Standards, this has comprised a day of advance consultancy from a UKAS approved consultant specializing in the security industry, the reading of substantive books on ISO 9001 and ISO 27001, 3 days desk research and attendance at 2 courses run by Supply London and participation in its business support scheme. We have also spoken to business associates who have implemented various standards and obtained telephone overviews from a handful of experienced individuals.

On the basis of our research and information to date, the Board has decided that the following should be Data Eliminate’s priorities:

| Standards | Term | Months to first UKAS Inspection |
| --- | --- | --- |
| ISO 9001, ISO 14001, ISO 7858 | Short | 8 |
| ISO 27001 | Medium | 14 |

The Board has concluded that ISO 18001 has no obvious commercial or practical benefit at present and its introduction would be too burdensome at this stage of the company’s development.

Data Eliminate is aware of the type of premises, equipment and personnel it is going to have. The objective is to complete as much Standards-related documentation and planning as is practicable before the company focus shifts to servicing customers. (In saying this, we acknowledge that adhering to Standards is an on-going responsibility).

Our foremost requirement in a supplier of consultancy services is flexibility and the ability to provide services in a way which is compatible with our needs and modus operandi.

We have an intense, fast-moving and thorough approach to the Data Eliminate project and have done considerable homework on this subject. We need a consultant who can take a running start from the position we have already reached.

The purpose of engaging a consultant is to benefit from external advice and experience and to save time and internal resource.

We are aware that many of the Standards’ clauses will not apply to us and that our documentation relating to them can be comparatively concise.  With this in mind, we are seeking the services of a consultant who can provide among other things:

  • A list of the Standards’ elements which are obligatory for all businesses and a separate list for organisations in our line of business.
  • Advice on other non-compulsory elements which may be beneficial to our business in the medium and longer term.
  • Policy, procedure and other templates for the compulsory elements that we can adapt for our own use.
  • Guidance on the wording of Standard elements which are particular to our business.  For example, we believe we have the body of an ISO 9001 Policy Manual of suitable size and style for a business of our size.  However, we require specific advice on the completion of clauses 7.3.1 through 7.3.7.

Before we engage your services, our principal requirement is that we are convinced of your professionalism and efficiency - and that you want our business.

We would also like to be informed of the following - where appropriate in writing:

  • An estimate of consultancy days required from you to help us achieve our short term objectives, over what time period and at what intervals those days will be given.  Associated costs and travel expenses.
  • The amount of internal Data Eliminate man days which will be required working in parallel with your consultant(s) and at what intervals.
  • A similar estimate of man days (external and internal)  and costs pertaining to the medium term objective above.
  • An explanation of the work that will be completed by you and that you  will expect Data Eliminate to do.
  • Copies of documents such as policy manuals and procedures you have previously prepared (or extracts therefrom) which you believe are similar in length and style to those you would assist us in developing.
  • A brief outline of your experience in dealing with the above Standards. 
  • Two references from existing customers who we may contact briefly over the phone to confirm the efficacy of your service.
  • The names and brief backgrounds of the person(s) providing the consultancy, when they are able to start the project and advance notification of any absences or unavailability of key personnel over the next 4 months.
  • A copy of your Terms and Conditions.
  • Details of your professional indemnity insurance (if applicable)

Finally,

  • Please acknowledge receipt of this email by close of business on date in 2008 or by phoning Tel: 0845-1234-400. 
  • Responses are required by close of business on xxxx. 
  • Data Eliminate requires UKAS approved certification of its Standards.

If you wish to contact us to discuss the above, please call and speak to me on etc

We look forward to hearing from you.

Regards

Julian Fraser

I feel that this really explains the situation.  I send it to Sovereign Certification, www.iso9001.co.uk,  FXXP Associates and Paul from RPPT Associates – recommended by Adrian.

Based on notes from my diary and other records from April 2008.

I set aside my disappointing contacts with FXXP and RPPT and begin crawling the internet again for companies which cover all three standards and who look like they might not take a massive corporate scale approach to things. There aren’t (obviously at least) that many of these.

I have decided to make experience of  ISO 27001 the focus of my search for a consultant.  ISO 27001 is much larger and more complex than ISO 9001 and ISO 14001 and requires more detailed expertise.

I have learnt by now the difference between a UKAS accredited ISO auditor and a self-certified or non-UKAS auditor. The difference is very important but very few people understand it.

All auditors issue kite marks to companies they audit. UKAS approved auditors are third party monitored and certified by UKAS itself. Other ISO Auditors are not independently assessed. The kitemarks issued by each type of auditor look very similar but they are not of the same value.

Public sector bodies and larger companies for the most part who know their stuff will look for the UKAS kite mark. The UKAS ISO kitemark has a crown in it. In fact, one of the companies on the Supply London course did not learn the difference between the UKAS and non-UKAS audit until after they had completed self-certification (under the non-UKAS route) and found it not to be good enough for local councils. They had to reaccredit under UKAS.

There are several companies which offer self-certification (non-UKAS route). Probably the best known of these is QMA – of whom I am aware because over the years I have been the recipient of several of their mailers. They offer ISO 9001 for £1,900 or something similar. What they are doing is coaching you on interpreting the ISO and confirming for yourself that you meet the standards. You are then permitted to use a QMA Kitemark. This has a big tick in it like other kitemarks but does not have the UKAS Crown.

On the BSI site I find a list of approved auditors for ISO 27001. The auditors I am reviewing on the BSI website are all going to be UKAS accredited. However, I am aware that the non-UKAS consultants may well have material that is useful to me in interpreting the ISOs. So I phone BSI, NQA, LRQA (all UKAS accredited) and also QMA for an information pack to see what I get through and how useful it is.

Based on notes from my diary and other records from April 2008.

So I speak to Peter of FXXP and explain how far I have now got. I say that I am after doing ISO 9001, ISO 14001 and ISO 27001. He says that he can only help with ISO 9001 but he’s sure he can sort it pretty quickly. However, I know that he is assuming he will sort it with a few simple Word documents and forms, which will not fit in with the way I want Data Eliminate to run, integrate with an ERP system etc. He tells me to speak to Liz which I do.

Liz says FXXP can help with ISO 9001 and ISO 14001 and not with ISO 27001.  She says that if I send her over a spec of exactly what I want then she will get back to me.  (Incidentally, she never does get back to me.)

FXXP represent a frustrating start.  Then out of the blue I receive an email from Adrian – the guy who sat next to me at the “Lack of Quality” seminar.  Adrian says that he knows he was going to email me something but he can’t remember what it was. I can’t remember him saying that he was going to email me anything at all!   However, what he ends up sending over looks very useful. 

He has been talking to an ISO consultant (RPPT Associates) who specialize in doing ISO 9001, ISO 14001 and ISO 18001. ISO 18001 is the Health and Safety standard. Adrian says that RPPT are reasonably priced at about £350 a day which is an introductory offer. He suggests I give Paul from RPPT a call.

I thank Adrian.  He suggests we meet up for a drink next week.  I accept.

I immediately phone Paul of RPPT and explain my situation to him. When I say I want hand-holding kind of help he says that he’s really booked up for the next few months but if I send something over in writing then he’ll see what he can do. NB – Adrian didn’t have the impression that he was this busy. So far neither of these ISO consultants have been very forthcoming. I will write to them with details of what I need, but I don’t hold out much hope.

Based on notes from my diary and other records from April 2008.

The next salvo of my enquiry and research effort is to try and find someone to coach me through the implementation of these ISOs in a hand-holding kind of way. I think this is going to be a challenge as I suspect most consultants will want to do most of the work themselves. Perhaps even more challenging will be finding one source of help for all three standards - especially a source which has an SME orientation as opposed to a corporate one. I know this will cost money. However, as things presently stand I am uncertain if I am going to make much progress without such assistance initially at least.

I start by trying to get in touch with Peter of FXXP – “ISO 9001 and BS 7858 man” who I had in for a day back in October 07. After our session in October, Peter phoned and asked me if I’d like to do some management consultancy for his company – which was nice but unfortunately the day rate was far too low for me. It reminded me of what a template-driven version of management consultancy Peter’s was when compared to mine.

It takes me a good half an hour to dig out Peter’s mobile.  I could have gone via Liz (the savvy office manager at FXXP previously mentioned) but I am in the kind of mood where I need immediate results and I don’t want to wait for him to call me tomorrow.

In the end I leave a message on his mobile but I also contact Liz by email so that she sends him a message too.  This guy is going to know I want to speak to him and speak to him NOW!  I am becoming impatient to make progress and get somewhere!  In the end I do have to wait until tomorrow.

Based on notes from my diary and other records from April 2008.

This afternoon I turned my attention to books I can buy so I have been browsing through anything that Amazon has to offer on any of the three standards.  I am focussing particularly on ones written with smaller to mid sized businesses (as opposed to corporates) in mind.

There is a lot on ISO 9001, less on ISO 14001 and comparatively little on ISO 27001. Restricting my searches to books specifically for SMEs doesn’t yield much. Google Books is handy for peeking inside several of the titles I see on Amazon to see if they are relevant. The majority of the books are academic in their approach or talk about management theory. They talk about the models one should use and the considerations one should take into account - but there’s so, so little on practical applications - particularly for an SME.

In the end I buy two books for a total price of about £80.

  1. ISO9001:2000 for Small Business by Ray Tricker and
  2. IT Governance: A Manager’s Guide to Data Security and ISO 27001/ ISO 27002 by Alan Calder

The big potential advantage with the latter is that it was very recently published so it should be up to date.

Based on diary entries from April 2008.

I remember my session with Peter of FXXP Associates from October 2007 and how simple his BS 7858 and ISO 9001 processes were. 

I dig out the folder Peter gave me containing the copies of ISO 9001 and have a look at it. It’s 23 sides long and reads like an Act of Parliament. I have no idea how to interpret most of the clauses and no clue as to which ones apply to a secure data destruction company.

To make matters worse, I cannot figure out from the wording which elements are mandatory and which are optional.  I refer back to Peter’s processes and forms and can see how they relate to certain clauses of the ISO but that still leaves 80% of the text of the Standard unexplained.

This is like needing a lawyer to interpret a law – as the words can have different meanings and if you don’t have experience of interpreting the clauses then it’s very hard.

I know I am up against a huge challenge now.  I can hardly make head or tail of the ISO 9001 Standard which is supposedly the base or easiest standard, and I haven’t even got copies of ISO 27001 and ISO 14001 yet. 

It’s time to launch a large salvo of enquiries and research to enable me to move forward and get answers to three key questions:

  1. What are the minimum compulsory requirements in each standard?
  2. How are they practically integrated into the procedures and processes of a business?
  3. How do the different standards fit together?

Based on diary entries from April 2008.

I attend the Supply London Seminar on how to write a Quality Policy. We are sitting there for 40 minutes before anything happens. The course materials were not biked over the night before apparently. There aren’t even any pens and paper to take notes.

Vain attempts are made to get the venue to provide these and also for the receptionist at the venue to receive the course material by email, print them out and then photocopy them. We are told to start introducing ourselves to the person next to us to kill time. The guy next to me is Adrian. Adrian works for an office equipment company and is planning to implement ISO 9001, ISO 14001 and ISO 18001. Adrian has done this before in Wales working for another company. He says he has some stuff that might be useful to me so we exchange details.

I am getting increasingly irritated with the seminar and perhaps visibly so. The seminar is about Quality, and I and my fellow delegates have thought up some great things to say to the course leader about the lack of quality. She, though, takes the wind out of our sails by repeatedly saying what a poor quality performance she is putting on. No-one disagrees.

I suffer for a further two and a half hours once the seminar is underway but I do get the message loud and clear that public sector buyers are concerned with ISO 9001 – the Quality Standard and ISO 14001 – the Environmental Standard.

I have now done two Supply London seminars and there are two to go. Supply London are training us to write policy documents which are required if your company is going to supply to public sector. What is crucial here is the link between the policy document and the ISO Standard. The one sided policy documents (eg. a Quality Policy or an Environmental Policy) should be underpinned by a management system – the structure of which is provided by the relevant ISO.

I originally contacted Supply London to learn how to access the public sector but doing so has diverted my focus back onto ISOs. Getting access to the public sector is about loads of advance spade work, registering as a supplier in various websites and directories and patient networking. Clearly if Data Eliminate has the ISOs it will be ahead of the pack.

The importance of this to the business strategy is further underlined by the increasingly parlous state of the economy. Data Eliminate has to be in a position to tender for public sector business as early as is practical.

In light of the Supply London advice and the comment from my Competitor about being only one of two businesses with ISO 27001, the priorities are now ISO 9001 The Quality Standard, ISO 27001 the Information Security Standard and ISO 14001 the Environmental Standard - in that order.

Based on diary entries from April 2008.