Having partially cracked the Statement of Applicability puzzle I am now looking for stuff to help me understand Risk Assessment - or  at least risk assessment as it specifically applies to ISO27001.  Continuing with my swimming in the sea analogy, http://www.iso27001security.com/ does seem to be like a desert island with a few trees of fruit in the middle of an vast ocean.  In my anaology, the ocean represents internet or life (depending on how profound you want to be) and it is devoid of any  information about iso27001.)

My mind temporarily skips to BBC Radio 4’s desert island disks which I have always listened to and also wanted to play.  I think that if I was marooned on this desert island, I certainly wouldn’t choose the ISO 27001 standard or even a Statement of Applicability to go alongside the bible and the complete works of Shakespeare.  Would my one luxury on the desert island might be a fully certified, UKAS approved integrated management system for a secure data destruction company?  I think not but I’d love to have one of those on this temperate island (Britain), right now and be at the end of all this!

I begin to rethink my strategy and flick backwards quickly to page 5.  This is where the ‘Statement of Applicability’ is mentioned.  This ties together the list of Controls and Objectives - the list of practical things one need to do to implement the standard - with the content of the standard itself so its probably a good place to start.  There is a lot about Risk Assessment before the Statement of Applicability which I don’t understand but I can come back to them later.  I’ve got the Statement of Applicability as a short term objective - a buoy to swim towards that perhaps I can cling onto for a while.  So I type “Statement of Applicability ISO27001″ into Google and start trawling through the results.

Almost immediately I come across http://www.iso27001security.com/.  By its basic but functional design this site just looks like the kind of site that could cut to the chase and ‘deal the deal’.  There are a few scary bits like mentions of other ISO27002, ISO 27003 but what catches my eye immediately after this is a FREE ISSO27k toolkit.  Amazingly, I don’t even have to register on the site to get access to it.

Hard Drives after Destruction.

I spend quite a while opening documents up on the site and reading them.  The documents here have been developed by ISO 27001 implementers and then put up on the site.   This site clearly doesn’t offer a complete toolkit or total solution to my problems but it does give applied examples of certain documents and there is comparatively little in the way of guff.  Most of the contributions are made by two individuals but there are other contributors too.

The fourth document I open off the site is a Statement of Applicability.  This is a blank template - which is not populated with data - but I still get the jist - more than having see an actual example of one, I quickly see its primary purpose.  The list is a spreadsheet for all the Controls and Objectives listed in Appendix A of the standard.  There are several columns and notes I don’t understand yet  but clearly what one has to do is go through each of these 120 or so items and record what one has done to cover them off in one’s own organisation.

Against each row is a “Controls” column and a “Selected Controls” and a “Reasons for Selection” group of columns.  Reasons for Selection are broken down into four types ‘LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent.

On the right there’s a ‘Remarks (Overview of implementation)’ column where one should record the  to the specific action taken to meet the control.  This could be introducing a swipe card system on doors, creating a written policy or implementing a procedure to verify the destruction of hard drives.

I don’t get the whole picture yet, but what I do get is that the ISO 27001 Standards sets a defined series of things called “controls” with which my data destruction company needs to comply.  I will need to go through this list one by one and check that I can practically meet them.

The buoy I spotted in the distance has turned out to be a rubber ring.  Thanks to this I am now riding higher in the water and time to float home for the night.

So begins the start of a refreshed effort to find the practical or working examples of how to implement 27001 which have so far evaded me. What does it mean for the way my shredding business should handle personal data and comply with legislation such as the Data Protection Act and the WEE Directive?

I start to give Google a pummelling. There really aren’t many links that look like they are going to give me what I want. So I end up going very deep – to search results 80 and above and opening tens of documents including ones on information assurance, the Cabinet Office and risk management - in pursuit of my goal.

What I really want to find is an Information Security Manual for a small or mid-size organisation which somebody has published on their website – one which is a bit more friendly that the one from the IT Governance Toolkit trial. I am aware that organisations shouldn’t publish such things on their website –particularly those involved security - as letting the public know about their security systems obviously isn’t a good idea. But I am expecting to find something out there in cyberspace – you can find almost anything else!

The first useful looking document is an Information Security Manual produced by the Pennine Care NHS Trust. This is clearly the kind of thing that I am looking for but it doesn’t strike me as particularly friendly. The first two sides are about “Policy Document Control” and then the index comprises pages 3-5. I have seen this kind of thing before from the Cabinet Office and CESG. The first actual prose appears on page 6:

“1. INTRODUCTION

1.1 The Trust has a duty to protect its information assets and thus to ensure business continuity and minimise the adverse effects of securityincidents. Information assets and the IT systems that support them arebecoming increasingly more vulnerable as the potential for wideraccessibility is facilitated via more powerful computers and communications networks.

1.2 Any loss of the ability to access information could have a significanteffect on the efficient operation of the Trust and may result an inabilityto provide services to patients and financial loss to the Trust.”

These are to me statements of the very obvious, the like of which feature widely in many ISO 27001 documents I have seen. I know they have to be there but doesn’t their continued use and repetition run the risk of making the user, who should be interested in their content, just switch off?

The document continues for 47 pages. There are guidelines here for information assurance practices including the setting of passwords and controlling access to buildings. However, its difficult to determine the structure of the document and how it fits into an overall framework. It is on the right lines of what I am looking for but it is for a very sizeable organisation. I move on.

The next document which catches my eye is an Information Security Business Manual from NHS Wales. This is in Word and is clearly a template with blanks or red text which can be filled in by different NHS branch offices to suit their needs. It’s a lot shorter than the Pennine document at only 24 pages.

Some terms used are ery familiar such as “Senior Management Team”. We then get onto “ISMS Operational Forum Membership” which sounds very corporate and, stone me, Plan/Do/Check/Act (PDCA) model with a little chart makes an appearance on Page 10!

The good thing about this document though is its length. It has some slightly scary headings such as those mentioned above but it strikes me (although I can’t be sure) that somebody has spent a lot of time simplifying things and reducing them down to produce a very well put together template that will save an NHS departmental manager a lot of time in producing an Information Security Manual. Whether the person producing the manual would understand what they were doing beyond filling in the blanks I am not sure. In other words, this document is a bit like doing dot to dot. You join the dots (or fill in the blanks) but can you see the whole picture when you’re finished? Ok, not exactly what I want, but I keep it because it could be useful.

I am aware that the NHS has a lot of data handling procedures and it computers hold a lot of personal data. No central, London based government department seems to have produced similar guidance. The NHS are good potential customer for our CCT Mark Certified service which we have just  formally submitted to CESG and the Cabinet Office office as our “Secure Destruction of Data on Hard Drives and Magnetic Media v1.0”!

Based on diary entries from June 2008.
<–>

For example, at A.5.1.1 is declares “An information security  policy document shall be approved by management, and published and communicated to all employees and relevant external parties.”  What this practically means is that at minimum I need find a model Information Security policy, insert my company’s name, sign it and stick it  up on the company website and wahey - route one compliance with A5.1.1!  To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company.    I am starting to understand what is practically being asked for by ISO 27001 the information security standard.

The next four controls up to A6.1.3 aren’t as easy  A5.1.1. but they could be met with a bit of thought and paperwork.  I turn the page and there are more controls.

A6.1.4 I says I need an authorization process for new information processing facilities.  I get this but how do it in a small organisation?  Does this mean mandatory testing process for any new bit of kit or software?  Would my company  have the resources for that?  Maybe it would just apply to secure data erasure software or hard drive destruction equipment.

A6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place which is fair enough and clearly understood.

A6.1.6   and A6.1.7 require the maintenance of contacts with authorities and special interest groups in security forums or specialist associations.  I don’t know what this means in practice though.  What kind of authorities are they talking about?  Does this means government, police or what?  Is one meant to have meetings with them?  I am also not part of any security related professional associations- and, if I was going to be, which ones should I try and be an member of?  And again what does “maintain contact” mean exactly?

Having recently been spurred on by the appearance of my “Control of Documents and Records” friends I am now getting bogged down again.  I wonder what lies in the pages ahead.  So turn over and see more controls. I turn again and there are more.  And again - more.  I gulp - it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.

I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives - I am just looking at the page numbers now - closer focus is detrimental to my well-being.  The wave is right on top of me - what do I do to escape?

To start with Clause 4 is pretty similar to the corresponding clause in ISO 9001.  4.2.1a talks about the establishment of an Information Security policy suitable for the business and a scope.  Guess I can get my head around this.

4.2.1c is more problematic.  I am told to “define a risk assessment methodology for my organisation” and “develop criteria for accepting risks and identify the acceptable levels of risks”.  I just have limited concept of what is involved here.  This sounds like a job for McKinsey or Accenture but not me.  The ISO 27001 Standards says more information about Risk Assessment Methodologies  can be found in “ISO/IEC TR 13335- Guidelines for the management of IT Security = Techniques for the Management of IT Security”.   There is no way I am going to be a sucker for that document!  I’d rather disk by head in the hard disk crusher!

I can feel myself sinking lower in the water and looking up at this massive wave towering above me made of long words, jargon and confusion.  Around this mix, there is an information security industry built which comprises lots of people who make money regurgitating long words which few outsiders understand.  Right now the wave is looking really big - and its about to swamp my enthusiasm - for today at least.

Back to the ISO 27001 Standard - when I have done a risk assessment, I then to treat the risks.  This involves “selecting control objectives and controls”.  What are those?   No idea.

Next I’ve got to prepare a Statement of Applicability in which must apparently  list my controls and my control objectives and give my reasons for selecting them.  My problem here is that I need an example of a Statement of Applicability - yes to see the PRACTICAL implementation of all this.   Information on which still can seemingly cannot be found anywhere.

My brain and vision are blurred by the time I turn over to page 6.  I am not reading every sentence just kind of prodding the content with the eyes to see how painful it might be.  But these bits, namely  4.2.2 through 4.3.1, are broadly familiar.  They are talking about implementing the ISMS , monitoring and reviewing it and maintaining it.

And blow me, over the page is my old friend “Control of Documents”.   And I am not being sarcastic - when you read him he might be one of the most boring friends I know but, right now ,I am really please to see him.  He’s hanging out with another buddy, “Control of Records”.  This is okay, I now understand now what these guys are about.

The next couple of pages aren’t so bad either - though I am skimming quite fast now - improvements to the system, preventative and corrective action etc.  I want to keep by hard disk shredding company as straightforward as possible. These could be called problems (Non Conformities), temporary fixes (Corrective Action) and Solutions (Preventative Action) could they not?  Life could be simpler if these people wanted it to be!!

• A copy of the Standard itself (which arrived by email a couple of days ago)
• My Arthur-shredded or approved Compact 9001 Manual
• The Acorn Course Book which cost me £50
• A Handout provided written by NQA, the UKAS approved system auditors, but actually given to me by Adrian.

I begin by creating a complete stand alone ISO 14001 manual – even though I know there is going to be duplication between ISO 9001 and ISO 14001. This way might seem more long-winded but I need to learn each standard one at time before I merge them. Otherwise it gets too confusing and complicated.

Sovereign Certification provides a useful but wordy version of an ISO 14001 manual. For Data Eliminate’s version, I exclude from the first section of my ISO 14001 manual all Sovereign’s wording which is similar or equivalent to what Arthur deleted from my ISO 9001 manual.

I still find it hard to make sense of the “Interaction of Processes” – but I think its probably because is so simple I can’t understand it - if you know what I mean. The examples of Interaction of Processes charts I have are more concerned with the process of implementing the environmental standard (Plan, Do, Check, Act I suppose) rather than featuring specific Data Eliminate customer service processes.

I work out a number of things in order to keep the ISO 14001 documentation to a minimum. The first is that the six standard procedures required by ISO 14001 (Corrective Action, Preventative Action etc) are almost identical to those required for ISO 9001. In addition, you need a Training Needs Assessment Form to track training you believe your employees need to fill skill gaps. To complement this, you need a Training Record Form to record the details of the actual training.

When compared to the Quality Policy, the Environmental Policy is different in focus but much the same in style. As was the case with ISO 9001, thanks to Supply London I had a morning’s lesson in how to write a policy. However, one could have used someone else’s and created one in a few minutes by making some very minor changes.

The we get onto the bits which are not part of ISO 9001 but which ISO 14001 requires. These include:

• An Environmental Aspects Register
• An Environmental Aspects Analysis
• A Register of Applicable Laws and Regulations
• A Risk Assessment Methodology

I also add some questions to the Supplier Questionnaire which is already part of my ISO 9001 manual and some items to the Management review Agenda. The Environmental policy has to be on our web site with contact details for the manager responsible. We also need documented environmental objectives.

The first version of my Environmental Management System manual is 25 pages long – a lot more compact than my 53 page long ISO 9001 Quality Manual first starter effort.

I then spend an hour or so removing the items from my ISO 14001 manual that are duplicated in my Arthur approved ISO 9001 manual. After that the Environmental Manual is down to about 14 pages.

Things are coming together nicely. ISO 9001 and ISO 1400 are integrated. I will now need to merge ISO 27001 with them.

I contact Arthur to arrange another session. This time I am going to get him to review my combined manual for ISO 9001 and ISO 14001.   I hope that I have pre-weeded it this time so that he doesn’t need to tear it apart or tell me I like detail.  If he does that again after all this effort it will take more than one flapjack in my mouth to keep me quiet!

Based on notes from my diary from June 2008.

I go up the road before Arthur’s meant to arrive to buy him a flapjack – all part of the PR offensive. I get back 15 minutes before he’s meant to be there but he’s already standing outside the front door looking slightly irritated. He’s come from some way away. I say, “You’re early aren’t you? I just went up the road to buy you a flapjack.” He didn’t break into a grateful smile.

He asks for a coffee. I only have instant coffee but he doesn’t seem to be phased. He enquires about Data Eliminate’s CCT Mark. I explain that it was given to us by CESG and the Cabinet Office. He asks what CESG is. I explain that it’s the Information Assurance arm of the Cabinet Office. He nods but I am not sure he is any the wiser. Perhaps I haven’t explained it properly. Perhaps I am turning into an information security head and losing my ability to communicate with normal mortals.

I put my 53 page pile in front of him and ask him to review the information. He flicks through the document and confirms that we are destroying data on hard disks and data tapes and then recycling them in line with the WEEE Directive? I nod.

My manual is divided into four sections. Below is the outcome of Arthur’s assessment of the first of its four sections point by point:

“Is this good or is this bad?” I am wondering.

Arthur interrupts, ”Julian you really like details don’t you!”

I don’t. I really, really hate detail. If he read my blog he wouldn’t say this. But I maintain my composure because I know that although Arthur is effectively shredding almost half my work, he is helping me a lot.

So that I don’t speak, I reach forward for a flap jack and take an enormous bite out of it which completely fills my mouth. I begin to chew. Arthur continues through the next section. He starts to talk about the Data Protection Act or something but doesn’t finish his point. He continues his review:

He hasn’t touched his flapjack.

“So many people think their manual has to repeat what the Standard says,” he exclaims “you don’t need to do it!”

Arthur is more impressed by the rest of the content. A lot of it he says though is just repeating the standard again. He also says that when the manual is applied in practice that it will make things more straightforward.

He excuses himself. He leaves the room with me smarting from the “Julian=detail” accusation. I exact revenge by demolishing his flapjack too.

The contrast between the ultra-wordy material I have waded through on ISO standards and information security and Arthur’s approach is marked. Perhaps this is one of those few cases where its better to have less information!

I am still chewing intensively when he returns. He is not phased.

Ironically, Arther has shredded last part of my ISO Manaual for a secure data destruction or hard drive shredding business!  However, in sum Arthur approves of the stuff I have originated myself. Where I have text dumps, he says they are too wordy.

I will take on board most of what he says but I am aware that different experts/auditors on these Standards are likely to have different views of these things. For example, if they come from an information security background they might have a different view to Arthur’s.

So far so good then with ISO 9001. I’ll need to do the same with  ISO 14001 down to a similar minimum.

Based on notes from my diary from June 2008.

Items containing computer hard drives

The security rubric on the document has the words “Uncontrolled Copy” on it. “You can say that again,” I think. It was available as a download off some German student’s website in a directory which was full of photos and videos and other stuff. That’s pretty uncontrolled!

I know when I sit down to read it that understanding it is going to be a challenge (judging from my ISO 9001 experience), but at least I have got a copy. Nice one!

I then email a contact that I have met at the Supply London seminars I have been to recently and ask her for a copy of ISO 14001 which she said she had. She says she will be able to oblige but I might have to wait a while. The point is that I’ve got so much work to do on ISO 27001, I am very happy to wait a while  for for a copy of the ISO 14001 Standard!

Based on notes from my diary in June 2008.

There is, in my opinion, very much a disconnect at present between talk at the policy maker level in government and actions at the local authority or county court house level. Platform speakers at the CIPCOG conference in York in February essentially confirmed a new age of information security focus had arrived. However, our data destruction sales team regularly finds that knowledge and demand at the purchasing coalface within the public sector is poor and way behind where the policy makers would have you believe it is.

This is partly caused by the fact that information security is not seen as an enabler by civil servants. New rules mean they can no longer put files onto their memory stick so they can work from home for example. Take-up of information security measures will be enforced rather than spontaneous or voluntary.

Likewise, take up in the private sector will be driven by government requirements placed on larger Tier 1 providers and there will be a trickle down effect in the private sector. Suppliers further down the food chain will eventually have to comply and implement information security themselves. If they do that presently, they will find it a real challenge due to the lack of straightforward and concise guidance available on ISO 27001.

I hope that this blog will play a part in filling that gap by making ISO 27001 more accessible and understandable.

The first was the Environmental Workshop. This was a real basic level course aimed at getting you to think about the environmental aspects of your business. I feel good when I understand where it fits into the overall ISO 14001 accreditation process. It only covers the very early part of the Acorn book. Including the book, I am now in possession of a significant amount of information on ISO 14001 which I have accrued by my own research and feel I understand what is required.

Computer media including data tapes must be properly recycled.

The second Supply London event I attended is about Wining Public Sector Business. Its the third out of the four free courses I get from Supply London and I have been told by other delegates who have already done this one that this is the best course.  (None of these provide hard disk destruction services.)

Things get underway at about 930 and go through until about 3. This is the first course that we don’t spend the day thinking about policies and being introduced to real common denominator level concepts. Most of the slides/talk was about material I didn’t know.

We are given lots of really useful information including a great 58 page printed A4 booklet. At the back was a list of London councils and the way they took quotes and tenders for different values of contracts from the small under £5k, to the biggies over £144k which apparently have to be offered to all EU companies under some directive.

The course explained what councils typically look for in supplier. The basic is that they have the right balance of skills and experience. Companies are unlikely to win a contract which is worth more than a quarter of their existing turnover. Supply London gave a check list to measure one’s fitness to supply.

This course just confirms the importance of the ISOs and why they have to be tackled. I made sure I took a second copy of the course material from the empty seat next to me. In 17 years of running and being involved in businesses this is the most useful free handout or course I have had from the government. I can’t believe I am saying this considering the grief government generally causes business!

Based on notes from my diary from June 2008.