Julian can be contacted on Tel: 0845-1234400.
Julian appeared on London Tonight on 4th November 2011 talking about data protection, the Vince Cable case and Hard Drive Shredding.
Looking at the web sites of future Secure IT Disposal competitors, two things are apparent. The first is that it's only the serious hard disk destruction companies who bother with any standards at all. The second is that there is a wide range not only of information destruction standards but also of other accreditations. It appears at this stage that the following computer recycling accreditations may be relevant:
I keep reminding myself, in the face of the scale of the task ahead, that accreditations are the main barrier to entry in this market and are vital to the whole project. It's comparatively easy to set up a WEEE recycling business. Securely wiping or destroying data is more difficult, but accreditations represent the biggest challenge.
Based on an account recorded in my diary of September 2007.
I download a Risk Register Template from http://www.iso27001security.com/. This is again a blank template, an Excel spreadsheet comprising four worksheets.
There is no explanation of what a Risk Register is in the file, but judging by the empty columns a Risk Register is clearly a list of risks. Each risk is given a unique reference and is assessed in terms of probability and severity, both before and after controls have been put in place to mitigate it.
The 'Controls', there's that word again, are the physical or practical measures which mitigate the risks. The probability and the severity of the potential impact of each risk are multiplied to give the risk a score and highlight the one (with the highest score) which deserves the highest priority, or which should be tackled first. The cost of mitigating each risk is also recorded. After the controls have been implemented, probability times severity is recalculated and compared with what it was before the controls were introduced.
There's also a traffic light scoring system based on the result of the probability x severity multiplier. It indicates whether, at the most serious extreme, a risk would lead to "operational failure" and be unacceptable, or whether, at the other end of the scale, it is merely an issue which can be resolved quickly and easily.
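The scoring described above, worked through in code. This is an added example and is not the template from the site or anything from the original post: the 1-5 scales, the RED/AMBER/GREEN thresholds, the `cost_per_point` comparison and the four sample risks for a hard drive destruction business are all assumptions made for illustration. The one check worth copying into a real register is the guard that rejects a "control" whose residual score is higher than the inherent one, which in practice is always a data-entry mistake.

```python
"""Added example: a minimal risk register of the kind described above.

Each risk is scored probability x severity before and after a control,
banded into a traffic-light rating, and ranked so that the highest-scoring
risk is tackled first. The 1-5 scales, the band thresholds and the sample
risks are assumptions for illustration; the template on the page does not
show its own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE = range(1, 6)  # assumed: 1 = lowest, 5 = highest, for both probability and severity


@dataclass
class Control:
    """A mitigation with its cost and the scores expected once it is in place."""
    name: str
    cost_gbp: float
    residual_probability: int
    residual_severity: int


@dataclass
class Risk:
    ref: str
    description: str
    probability: int
    severity: int
    control: Optional[Control] = None

    def __post_init__(self) -> None:
        scores = [self.probability, self.severity]
        if self.control is not None:
            scores += [self.control.residual_probability, self.control.residual_severity]
        for value in scores:
            if value not in SCALE:
                raise ValueError(f"{self.ref}: score {value} is outside the 1-5 scale")
        # A control that leaves the score higher than before is a data-entry error,
        # not a mitigation; catch it at the point the row is created.
        if self.residual_score() > self.inherent_score():
            raise ValueError(f"{self.ref}: control '{self.control.name}' raises the score")

    def inherent_score(self) -> int:
        """Probability x severity before any control."""
        return self.probability * self.severity

    def residual_score(self) -> int:
        """Probability x severity after the control; unchanged if there is none."""
        if self.control is None:
            return self.inherent_score()
        return self.control.residual_probability * self.control.residual_severity


def rag(score: int) -> str:
    """Traffic-light band for a score. Thresholds are assumed, not the template's."""
    if score >= 15:
        return "RED"    # operational failure; unacceptable, must be treated
    if score >= 8:
        return "AMBER"  # needs a control, an owner and a date
    return "GREEN"      # can be resolved quickly and easily


def prioritise(register: List[Risk]) -> List[Tuple[str, int, str, int, str]]:
    """Rows of (ref, inherent score, band, residual score, band), highest inherent first."""
    rows = [
        (r.ref, r.inherent_score(), rag(r.inherent_score()), r.residual_score(), rag(r.residual_score()))
        for r in register
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def still_unacceptable(register: List[Risk]) -> List[str]:
    """Risks whose residual score is still RED: the controls chosen are not enough."""
    return [r.ref for r in register if rag(r.residual_score()) == "RED"]


def cost_per_point(risk: Risk) -> Optional[float]:
    """Pounds spent per point of score removed, to compare controls; None if no reduction."""
    reduction = risk.inherent_score() - risk.residual_score()
    if risk.control is None or reduction == 0:
        return None
    return risk.control.cost_gbp / reduction


# Constructed sample register for a hard drive destruction business (not real figures).
REGISTER = [
    Risk("R1", "Customer drives lost in transit between collection and the shredding bay", 3, 5,
         Control("Locked, tracked transit cages with chain-of-custody signature at each handover", 4000.0, 1, 5)),
    Risk("R2", "Wiping software reports success on a drive that still holds readable data", 2, 5,
         Control("Independent read-back verification of a sample before release", 1500.0, 1, 5)),
    Risk("R3", "Unauthorised person enters the shredding bay", 4, 4,
         Control("Swipe-card door access plus visitor escort log", 2500.0, 2, 4)),
    Risk("R4", "Office printer runs out of toner", 5, 1),
]

if __name__ == "__main__":
    for ref, before, band_before, after, band_after in prioritise(REGISTER):
        print(f"{ref}: {before:2d} {band_before:5s} -> {after:2d} {band_after}")
    print("still RED after controls:", still_unacceptable(REGISTER))
```

Running it lists R3 (16, RED) ahead of R1 (15, RED), then R2 and R4, and shows that after the chosen controls nothing is left in the RED band, which is the "before and after" comparison the worksheet is built to make visible.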
This project is about setting up an IT destruction business in London from scratch which has quality assurance and security controls as an integral part of its structure. Hence the foundation stones of the business are laid in anticipation of what its needs are going to be when it is considerably larger and is a major player in the information assurance sector.
This approach differs, I believe, from that which most people would take. Most would set the business up and start shredding. Then, when the business has acquired a particular size, implement Standards and controls which will be required to compete with leaders in the industry.
My feeling is that my preferred route is going to be either spectacularly right or spectacularly wrong. The route I am choosing means there is a huge amount of donkey work up front before I am sure of the exact market response to the concept. On the other side of the coin, it means that I can complete most of the structural work before I take on more staff, and save on costs. I know from experience that there is little more stressful as an employer than having employees sitting around because they are waiting for systems to be configured. My whole plan is based on the idea that it's better to set the systems up first.
I have obviously surveyed the market, but I now take it as read that the information security market is an expanding one and ripe for exploitation. Moreover, most successful companies do not succeed with their first offering; they succeed with the second, third or even fourth incarnation of it. The best strategy is to establish yourself in the market with the right credentials and retain the flexibility to respond to the needs of the market, which will become increasingly apparent the more one gets involved.
I know that my commitment to this Construct First, Sell Later strategy will be challenged every day as the company parts with or invests cash in its structure and framework rather than going for quick, route one sales from the outset.
Based on an account recorded in my diary from September 2007.
This morning I am firmly back on the shores of http://www.iso27001security.com/ and looking around again. Apparently there's a discussion forum and a members' area which you have to join to access. The membership criteria are written to deter the unworthy, so to speak, from joining. I write an application which explains that I am a management consultant who may be doing this kind of work for clients. I also say that I could add a review of Alan Calder's book, which I have just read. I am hoping for an immediate reply but I don't get one; I'll have to wait.
Having partially cracked the Statement of Applicability puzzle, I am now looking for material to help me understand Risk Assessment, or at least risk assessment as it specifically applies to ISO 27001. Continuing with my swimming in the sea analogy, http://www.iso27001security.com/ does seem to be like a desert island with a few fruit trees in the middle of a vast ocean. In my analogy, the ocean represents the internet or life (depending on how profound you want to be) and it is devoid of any information about ISO 27001.
My mind temporarily skips to BBC Radio 4's Desert Island Discs, which I have always listened to and also wanted to be on. I think that if I were marooned on this desert island, I certainly wouldn't choose the ISO 27001 standard or even a Statement of Applicability to go alongside the Bible and the complete works of Shakespeare. Might my one luxury on the desert island be a fully certified, UKAS-approved integrated management system for a secure data destruction company? I think not, but I'd love to have one of those on this temperate island (Britain) right now and be at the end of all this!
I have been examining the ISO 27001 Standard Document itself and feeling rather overwhelmed and that I am bashing my head against a brick wall.
I begin to rethink my strategy and flick quickly back to page 5. This is where the 'Statement of Applicability' is mentioned. It ties together the list of Controls and Objectives, the list of practical things one needs to do to implement the standard, with the content of the standard itself, so it's probably a good place to start. There is a lot about Risk Assessment before the Statement of Applicability which I don't understand, but I can come back to that later. I've got the Statement of Applicability as a short term objective, a buoy to swim towards that perhaps I can cling onto for a while. So I type "Statement of Applicability ISO27001" into Google and start trawling through the results.
Almost immediately I come across http://www.iso27001security.com/. By its basic but functional design, this site just looks like the kind of site that could cut to the chase and 'deal the deal'. There are a few scary bits, like mentions of ISO 27002 and ISO 27003, but what catches my eye immediately after this is a FREE ISO27k toolkit. Amazingly, I don't even have to register on the site to get access to it.
I spend quite a while opening documents on the site and reading them. The documents here have been developed by ISO 27001 implementers and then put up on the site. This site clearly doesn't offer a complete toolkit or total solution to my problems, but it does give applied examples of certain documents and there is comparatively little in the way of guff. Most of the contributions are made by two individuals, but there are other contributors too.
The fourth document I open from the site is a Statement of Applicability. This is a blank template, not populated with data, but I still get the gist; even without seeing a populated example, I quickly see its primary purpose. The list is a spreadsheet of all the controls and control objectives listed in Annex A of the standard. There are several columns and notes I don't understand yet, but clearly what one has to do is go through each of these 120 or so items and record what one has done to cover them off in one's own organisation.
Against each row is a "Controls" column, a "Selected Controls" column and a "Reasons for Selection" group of columns. Reasons for Selection are broken down into five codes: LR, legal requirements; CO, contractual obligations; BR/BP, business requirements/adopted best practices; RRA, results of risk assessment; and TSE, to some extent.
On the right there's a 'Remarks (Overview of implementation)' column where one should record the specific action taken to meet the control. This could be introducing a swipe card system on doors, creating a written policy or implementing a procedure to verify the destruction of hard drives.
I don't get the whole picture yet, but what I do get is that the ISO 27001 Standard sets out a defined series of things called "controls" with which my data destruction company needs to comply. I will need to go through this list one by one and check that I can practically meet them.
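The spreadsheet described above, kept as plain records with the checks an auditor will effectively run over it. This is an added example, not the site's template or anything from the original post. One point the template's columns imply but the post does not spell out: the standard asks for a reason for every control you select and a justification for every Annex A control you leave out, so an empty Remarks cell is a finding either way. The control numbers and reason codes are the ones quoted above; the six-entry Annex A excerpt, the titles, the rows and the remarks are constructed for illustration.

```python
"""Added example: a Statement of Applicability as plain records, with the
checks a reviewer would run over it before an audit. The control numbers
and reason codes are the ones quoted above; the titles, rows and remarks
are constructed for illustration and are not from the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Legend from the template described above.
REASON_CODES = {
    "LR": "legal requirements",
    "CO": "contractual obligations",
    "BR/BP": "business requirements / adopted best practices",
    "RRA": "results of risk assessment",
    "TSE": "to some extent",
}

# Excerpt of Annex A control numbers (assumed list for the example; the real
# annex has well over a hundred entries).
ANNEX_A_EXCERPT = ["A.5.1.1", "A.6.1.4", "A.6.1.5", "A.6.1.6", "A.6.1.7", "A.9.2.6"]


@dataclass
class SoARow:
    control: str                       # Annex A reference, e.g. "A.5.1.1"
    title: str
    selected: bool
    reasons: List[str] = field(default_factory=list)  # codes from REASON_CODES
    remarks: str = ""                  # overview of implementation, or why excluded


def lint(rows: List[SoARow], annex_a: List[str]) -> Dict[str, List[str]]:
    """Findings per control. Every Annex A control must appear; a selected
    control needs a reason and an implementation remark; an excluded control
    needs a justification in the remarks column (an auditor will ask for it)."""
    findings: Dict[str, List[str]] = {}

    def add(control: str, message: str) -> None:
        findings.setdefault(control, []).append(message)

    present = {r.control for r in rows}
    for control in annex_a:
        if control not in present:
            add(control, "missing from SoA: every Annex A control must appear, selected or not")
    seen = set()
    for r in rows:
        if r.control in seen:
            add(r.control, "duplicate row")
        seen.add(r.control)
        if r.control not in annex_a:
            add(r.control, "not an Annex A control in this list")
        for code in r.reasons:
            if code not in REASON_CODES:
                add(r.control, f"unknown reason code {code!r}")
        if r.selected:
            if not r.reasons:
                add(r.control, "selected without a reason for selection")
            if not r.remarks.strip():
                add(r.control, "selected but no overview of implementation")
        else:
            if r.reasons:
                add(r.control, "not selected but carries selection reasons")
            if not r.remarks.strip():
                add(r.control, "excluded without a justification")
    return findings


def coverage(rows: List[SoARow]) -> Tuple[int, int]:
    """(selected rows, total rows): a quick figure for the management review."""
    return sum(1 for r in rows if r.selected), len(rows)


# Constructed rows; titles paraphrase the controls named on the page.
SAMPLE_ROWS = [
    SoARow("A.5.1.1", "Information security policy document", True, ["BR/BP"],
           "Policy signed by the MD and published on the website."),
    SoARow("A.6.1.4", "Authorization process for information processing facilities", True, [],
           "MD signs off any new erasure software or crusher before use."),
    SoARow("A.6.1.5", "Confidentiality agreements", True, ["CO", "LR"],
           "NDA template signed by all staff and contractors."),
    SoARow("A.6.1.6", "Contact with authorities", True, ["RRA"], ""),
    SoARow("A.6.1.7", "Contact with special interest groups", False),
    SoARow("A.99.9.9", "Hypothetical row to show the checks", True, ["XX"], "n/a"),
]

if __name__ == "__main__":
    for control, messages in sorted(lint(SAMPLE_ROWS, ANNEX_A_EXCERPT).items()):
        for message in messages:
            print(f"{control}: {message}")
    print("selected/total:", coverage(SAMPLE_ROWS))
```

On the sample rows it reports A.6.1.4 selected without a reason, A.6.1.6 with no implementation remark, A.6.1.7 excluded without a justification, A.9.2.6 missing altogether, and the hypothetical A.99.9.9 row as both a non-Annex A reference and an unknown reason code; A.5.1.1 and A.6.1.5 pass.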
The buoy I spotted in the distance has turned out to be a rubber ring. Thanks to this I am now riding higher in the water, and it's time to float home for the night.
So begins a refreshed effort to find the practical or working examples of how to implement ISO 27001 which have so far evaded me. What does it mean for the way my shredding business should handle personal data and comply with legislation such as the Data Protection Act and the WEEE Directive?
I start to give Google a pummelling. There really aren't many links that look like they are going to give me what I want. So I end up going very deep, to search results 80 and above, and opening tens of documents, including ones on information assurance, the Cabinet Office and risk management, in pursuit of my goal.
What I really want to find is an Information Security Manual for a small or mid-size organisation which somebody has published on their website, one which is a bit friendlier than the one from the IT Governance Toolkit trial. I am aware that organisations shouldn't publish such things on their websites, particularly those involved in security, as letting the public know about their security systems obviously isn't a good idea. But I am expecting to find something out there in cyberspace; you can find almost anything else!
The first useful looking document is an Information Security Manual produced by the Pennine Care NHS Trust. This is clearly the kind of thing that I am looking for but it doesn’t strike me as particularly friendly. The first two sides are about “Policy Document Control” and then the index comprises pages 3-5. I have seen this kind of thing before from the Cabinet Office and CESG. The first actual prose appears on page 6:
“1. INTRODUCTION
1.1 The Trust has a duty to protect its information assets and thus to ensure business continuity and minimise the adverse effects of security incidents. Information assets and the IT systems that support them are becoming increasingly more vulnerable as the potential for wider accessibility is facilitated via more powerful computers and communications networks.
1.2 Any loss of the ability to access information could have a significant effect on the efficient operation of the Trust and may result in an inability to provide services to patients and financial loss to the Trust.”
These are to me statements of the very obvious, the like of which feature widely in many ISO 27001 documents I have seen. I know they have to be there but doesn’t their continued use and repetition run the risk of making the user, who should be interested in their content, just switch off?
The document continues for 47 pages. There are guidelines here for information assurance practices, including the setting of passwords and controlling access to buildings. However, it's difficult to determine the structure of the document and how it fits into an overall framework. It is on the right lines of what I am looking for, but it is for a very sizeable organisation. I move on.
The next document which catches my eye is an Information Security Business Manual from NHS Wales. This is in Word and is clearly a template with blanks or red text which can be filled in by different NHS branch offices to suit their needs. It’s a lot shorter than the Pennine document at only 24 pages.
Some terms used are very familiar, such as "Senior Management Team". We then get onto "ISMS Operational Forum Membership", which sounds very corporate and, stone me, a Plan/Do/Check/Act (PDCA) model with a little chart makes an appearance on page 10!
The good thing about this document, though, is its length. It has some slightly scary headings such as those mentioned above, but it strikes me (although I can't be sure) that somebody has spent a lot of time simplifying things and reducing them down to produce a very well put together template that will save an NHS departmental manager a lot of time in producing an Information Security Manual. Whether the person producing the manual would understand what they were doing beyond filling in the blanks I am not sure. In other words, this document is a bit like doing dot to dot. You join the dots (or fill in the blanks), but can you see the whole picture when you're finished? OK, not exactly what I want, but I keep it because it could be useful.
I am aware that the NHS has a lot of data handling procedures and its computers hold a lot of personal data. No central, London-based government department seems to have produced similar guidance. The NHS is a good potential customer for our CCT Mark certified service, which we have just formally submitted to CESG and the Cabinet Office as our "Secure Destruction of Data on Hard Drives and Magnetic Media v1.0"!
Based on diary entries from June 2008.
I continue working my way through the ISO 27001 Standard document. When I look at Annex A, it appears I may be about to make a breakthrough in terms of understanding. The title is Control Objectives and Controls. For the first time this looks like a list of practical things one has to do to comply with the ISO 27001 information security standard.
For example, A.5.1.1 declares: "An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties." What this practically means is that at minimum I need to find a model Information Security Policy, insert my company's name, sign it and stick it up on the company website and, wahey, route one compliance with A.5.1.1! To do things properly, I will have to tailor the policy to the specific requirements of a secure data erasure company. I am starting to understand what is practically being asked for by ISO 27001, the information security standard.
The next four controls, up to A.6.1.3, aren't as easy as A.5.1.1, but they could be met with a bit of thought and paperwork. I turn the page and there are more controls.
A.6.1.4 says I need an authorization process for new information processing facilities. I get this, but how do I do it in a small organisation? Does this mean a mandatory testing process for any new bit of kit or software? Would my company have the resources for that? Maybe it would just apply to secure data erasure software or hard drive destruction equipment.
A.6.1.5 talks about the need to have Confidentiality Agreements or NDAs in place, which is fair enough and clearly understood.
A.6.1.6 and A.6.1.7 require the maintenance of contacts with authorities and with special interest groups, security forums or specialist associations. I don't know what this means in practice though. What kind of authorities are they talking about? Does this mean government, the police or what? Is one meant to have meetings with them? I am also not part of any security-related professional associations, and, if I were going to be, which ones should I try to be a member of? And again, what does "maintain contact" mean exactly?
Having recently been spurred on by the appearance of my "Control of Documents and Records" friends, I am now getting bogged down again. I wonder what lies in the pages ahead. So I turn over and see more controls. I turn again and there are more. And again, more. I gulp; it feels like I am desperately reaching for air in the face of a massive wave of controls which is about to overwhelm me.
I turn the page 5 more times before I get to the end of the list of ISO 27001 Controls and Objectives – I am just looking at the page numbers now – closer focus is detrimental to my well-being. The wave is right on top of me – what do I do to escape?
I am now used to looking at the ISO 9001 Standard document itself. The ISO 27001 Standard document I have is 36 pages long, as opposed to 20 pages for the ISO 9001 Standard. We've got even more Plan, Do, Check, Act in the ISO 27001 document. However, I soon suss out that the key bit we are looking at is Clause 4 onwards.
To start with, Clause 4 is pretty similar to the corresponding clause in ISO 9001. 4.2.1a talks about the establishment of an Information Security policy suitable for the business, and a scope. I guess I can get my head around this.
4.2.1c is more problematic. I am told to "define a risk assessment methodology" for my organisation and "develop criteria for accepting risks and identify the acceptable levels of risk". I have only a limited concept of what is involved here. This sounds like a job for McKinsey or Accenture, not me. The ISO 27001 Standard says more information about risk assessment methodologies can be found in "ISO/IEC TR 13335, Guidelines for the Management of IT Security: Techniques for the Management of IT Security". There is no way I am going to be a sucker for that document! I'd rather stick my head in the hard disk crusher!
I can feel myself sinking lower in the water and looking up at this massive wave towering above me, made of long words, jargon and confusion. Around this mix there is an information security industry built, which comprises lots of people who make money regurgitating long words which few outsiders understand. Right now the wave is looking really big, and it's about to swamp my enthusiasm, for today at least.
Back to the ISO 27001 Standard: when I have done a risk assessment, I then have to treat the risks. This involves "selecting control objectives and controls". What are those? No idea.
Next I've got to prepare a Statement of Applicability, in which I must apparently list my controls and my control objectives and give my reasons for selecting them. My problem here is that I need an example of a Statement of Applicability, to see the PRACTICAL implementation of all this. Information on which seemingly cannot be found anywhere.
My brain and vision are blurred by the time I turn over to page 6. I am not reading every sentence, just kind of prodding the content with my eyes to see how painful it might be. But these bits, namely 4.2.2 through 4.3.1, are broadly familiar. They are talking about implementing the ISMS, monitoring and reviewing it and maintaining it.
And blow me, over the page is my old friend "Control of Documents". And I am not being sarcastic: when you read him he might be one of the most boring friends I know, but right now I am really pleased to see him. He's hanging out with another buddy, "Control of Records". This is okay; I now understand what these guys are about.
The next couple of pages aren't so bad either, though I am skimming quite fast now: improvements to the system, preventive and corrective action, etc. I want to keep my hard disk shredding company as straightforward as possible. Couldn't these be called problems (Non-Conformities), temporary fixes (Corrective Action) and solutions (Preventive Action)? Life could be simpler if these people wanted it to be!!
My information sources for developing an ISO 14001 manual include:
• A copy of the Standard itself (which arrived by email a couple of days ago)
• My Arthur-shredded or approved Compact 9001 Manual
• The Acorn Course Book which cost me £50
• A handout written by NQA, the UKAS-accredited certification body, but actually given to me by Adrian.
I begin by creating a complete stand-alone ISO 14001 manual, even though I know there is going to be duplication between ISO 9001 and ISO 14001. This way might seem more long-winded, but I need to learn each standard one at a time before I merge them. Otherwise it gets too confusing and complicated.
Sovereign Certification provides a useful but wordy version of an ISO 14001 manual. For Data Eliminate's version, I exclude from the first section of my ISO 14001 manual all of Sovereign's wording which is similar or equivalent to what Arthur deleted from my ISO 9001 manual.
I still find it hard to make sense of the "Interaction of Processes", but I think it's probably because it is so simple I can't understand it, if you know what I mean. The examples of Interaction of Processes charts I have are more concerned with the process of implementing the environmental standard (Plan, Do, Check, Act, I suppose) rather than featuring specific Data Eliminate customer service processes.
I work out a number of things in order to keep the ISO 14001 documentation to a minimum. The first is that the six standard procedures required by ISO 14001 (Corrective Action, Preventive Action etc.) are almost identical to those required for ISO 9001. In addition, you need a Training Needs Assessment Form to track the training you believe your employees need to fill skill gaps. To complement this, you need a Training Record Form to record the details of the actual training.
When compared to the Quality Policy, the Environmental Policy is different in focus but much the same in style. As was the case with ISO 9001, thanks to Supply London I had a morning’s lesson in how to write a policy. However, one could have used someone else’s and created one in a few minutes by making some very minor changes.
Then we get onto the bits which are not part of ISO 9001 but which ISO 14001 requires. These include:
• An Environmental Aspects Register
• An Environmental Aspects Analysis
• A Register of Applicable Laws and Regulations
• A Risk Assessment Methodology
I also add some questions to the Supplier Questionnaire, which is already part of my ISO 9001 manual, and some items to the Management Review Agenda. The Environmental Policy has to be on our web site with contact details for the manager responsible. We also need documented environmental objectives.
The first version of my Environmental Management System manual is 25 pages long, a lot more compact than my 53-page first attempt at an ISO 9001 Quality Manual.
I then spend an hour or so removing the items from my ISO 14001 manual that are duplicated in my Arthur-approved ISO 9001 manual. After that the Environmental Manual is down to about 14 pages.
Things are coming together nicely. ISO 9001 and ISO 14001 are integrated. I will now need to merge ISO 27001 with them.
I contact Arthur to arrange another session. This time I am going to get him to review my combined manual for ISO 9001 and ISO 14001. I hope that I have pre-weeded it this time so that he doesn't need to tear it apart or tell me I like detail. If he does that again after all this effort, it will take more than one flapjack in my mouth to keep me quiet!
Based on notes from my diary from June 2008.