Archive for 'Standard Document 9001'

I am now used to looking at the ISO 9001 Standard document itself. The ISO 27001 Standard document I have is 36 pages long, as opposed to 20 pages for the ISO 9001 Standard. We've got even more Plan, Do, Check, Act in the ISO 27001 document. However, I soon suss out that the key bit we are looking at is Clause 4 onwards.

To start with, Clause 4 is pretty similar to the corresponding clause in ISO 9001. 4.2.1a talks about the establishment of an Information Security policy suitable for the business, and a scope. Guess I can get my head around this.

4.2.1c is more problematic. I am told to "define a risk assessment methodology for my organisation" and "develop criteria for accepting risks and identify the acceptable levels of risks". I have only a limited concept of what is involved here. This sounds like a job for McKinsey or Accenture, but not me. The ISO 27001 Standard says more information about Risk Assessment Methodologies can be found in "ISO/IEC TR 13335 - Guidelines for the management of IT Security - Techniques for the Management of IT Security". There is no way I am going to be a sucker for that document! I'd rather stick my head in the hard disk crusher!

I can feel myself sinking lower in the water and looking up at this massive wave towering above me, made of long words, jargon and confusion. Around this mix there is an information security industry built which comprises lots of people who make money regurgitating long words which few outsiders understand. Right now the wave is looking really big, and it's about to swamp my enthusiasm, for today at least.

Back to the ISO 27001 Standard: when I have done a risk assessment, I then have to treat the risks. This involves "selecting control objectives and controls". What are those? No idea.

Next I've got to prepare a Statement of Applicability, in which I must apparently list my controls and my control objectives and give my reasons for selecting them. My problem here is that I need an example of a Statement of Applicability, yes, to see the PRACTICAL implementation of all this. Information on which still seemingly cannot be found anywhere.

My brain and vision are blurred by the time I turn over to page 6. I am not reading every sentence, just kind of prodding the content with my eyes to see how painful it might be. But these bits, namely 4.2.2 through 4.3.1, are broadly familiar. They are talking about implementing the ISMS, monitoring and reviewing it, and maintaining it.

And blow me, over the page is my old friend "Control of Documents". And I am not being sarcastic: when you read him he might be one of the most boring friends I know but, right now, I am really pleased to see him. He's hanging out with another buddy, "Control of Records". This is okay; I now understand what these guys are about.

The next couple of pages aren't so bad either, though I am skimming quite fast now: improvements to the system, preventive and corrective action etc. I want to keep my hard disk shredding company as straightforward as possible. These could be called problems (Non Conformities), temporary fixes (Corrective Action) and Solutions (Preventive Action), could they not? Life could be simpler if these people wanted it to be!!

A procedure is a list of specific instructions or rules about the way certain things will be done. Both ISO 9001 and ISO 27001 require certain procedures to be documented; the documentation of many others is deemed to be optional but may be practically essential as proof of compliance for audit purposes. In the language of the Standards, certain procedures "shall" rather than "should" be documented.

The mandatory procedures for ISO 9001 which I have now identified are similarly listed in most of my sources. They comprise:

MP1 Document Control

MP2 Control of Records

MP3 Internal Auditing

MP4 Control of Non-conformance

MP5 Corrective Action

MP6 Preventive Action

For the moment these are text dumps in my draft manual. My primary focus here is covering off the minimum documentation requirement.

I make one small voluntary addition here. It seems prudent to me to run regular internal checks on our data destruction equipment to verify it is destroying data in the way it should. So I have also added a procedure for this under the Verification of Purchased Product clause of ISO 9001. I am not sure if it should necessarily go under this heading, but I plan to include it as a procedure wherever it should be placed.

Based on diary entries from May 2008.

In the first draft of my ISO 9001 manual, I have got 15 sides and 2,954 words. That's a lot of data, but a lot less than Ray Tricker! Most of the wording seems to be repeating what the clauses of the ISO 9001 Standard itself say, but in plainer English. I can't see the point of these clauses, but I have heard these standards are about paperwork so maybe the inspector will like it!

Under different headings in the manual, I have made entries in blue text which were either suggested as generic insertions by, or featured in, other sources.  In addition, I have added paragraphs or sections that I think will be of specific benefit to Data Eliminate.

The clauses in the ISO 9001 Standard document itself represent different degrees of challenge in interpretation. I think I have worked out the clauses from which Data Eliminate is excluded; a lot of these seem to relate to manufacturing processes. Data Eliminate provides a service for the risk management of personal data and confidential information and as such is not a manufacturer.

Some clauses of ISO 9001, the Quality Management Standard itself, are easy to understand. I begin to work out which forms and procedures they relate to; in other words, what an auditor is likely to look for to prove that one is in compliance with each clause. Drawing some of these relationships is very straightforward.

There is a second tier of more challenging clauses which requires some cross-referencing and even a bit of digging into Ray Tricker's 500-page doorstop to work out what they mean.

The third tier of discovery involves some mixing and matching: cross-referencing items with clauses and requirements elsewhere in the document. This is a bit like playing "Pelmanism" or "Pairs", the card memory game where you lay the 104 cards individually face down on a table. Each player takes it in turn to turn over two cards and has to collect pairs by remembering where individual cards are located in order to match them up with their pair.

The fourth tier comprises the bits about which I don't have a clue. This becomes my list of questions for Arthur, noted in red text within my Manual.

My ISO 9001 manual contains a Quality Policy, an Organisation Chart and some Delivery Process diagrams.

The Delivery Process diagrams are flow charts. They show your internal workflow in servicing customers, amongst other things. I have seen some really simple example workflows, but this is the first area I have found where I think I will voluntarily go for more detail. This is partly because I need to get the processes laid out and documented before hiring employees.

I am confused about the requirement to define the "interaction of processes". The versions of charts I have are quite different in style. Showing how the processes interact is what I am unsure about at present. It seems that this may be a case where the concept being conveyed is so simple there is no real need for a chart! (I have never been a fan of process charts. It reminds me of my computing O level!)

Confidence in my interpretive ability is increasing the more I work on this!
