10 January 2014

My ISO 9001 Manual for Data Destruction is Partially Shredded

Today, Arthur the Supply London advisor comes to assess my draft ISO 9001 Manual. For mutual convenience, we arranged for him to come to my home.

I go up the road before Arthur’s meant to arrive to buy him a flapjack – all part of the PR offensive. I get back 15 minutes before he’s meant to be there but he’s already standing outside the front door looking slightly irritated. He’s come from some way away. I say, “You’re early aren’t you? I just went up the road to buy you a flapjack.” He didn’t break into a grateful smile.

He asks for a coffee. I only have instant coffee but he doesn’t seem to be fazed. He enquires about Data Eliminate’s CCT Mark. I explain that it was given to us by CESG and the Cabinet Office. He asks what CESG is. I explain that it’s the Information Assurance arm of the Cabinet Office. He nods but I am not sure he is any the wiser. Perhaps I haven’t explained it properly. Perhaps I am turning into an information security head and losing my ability to communicate with normal mortals.

I put my 53 page pile in front of him and ask him to review the information. He flicks through the document and confirms that we are destroying data on hard disks and data tapes and then recycling them in line with the WEEE Directive? I nod.

My manual is divided into four sections. Below is the outcome of Arthur’s assessment of the first of its four sections point by point:

| Section | Title | Arthur’s Assessment |
|---|---|---|
| 1.0 | Introduction | |
| 1.1 | Organisation Description | ok |
| 1.2 | Scope of Certification | ok |
| 1.3 | Third Party Certification | ok |
| 2.0 | Responsibilities | |
| 2.1 | Office Based Personnel | Not needed |
| 2.2 | Site Based Personnel | Not needed |
| 3.0 | Business Processes | |
| 3.1 | Description | Not needed |
| 3.2 | Implementation & Maintenance | Not needed |
| 4.0 | Quality Management System | |
| 4.1 | General Requirement | Not needed |
| 4.2 | Documentation Requirements | Not needed |
| 5.0 | Management Responsibility | |
| 5.1 | Management Commitment | Not needed |
| 5.2 | Customer Focus | Not needed |
| 5.3 | Quality Policy | Not needed |
| 5.4 | Planning | Not needed |
| 5.5 | Responsibility, Authority and Communication | Not needed |
| 5.6 | Management Review | Not needed |

“Is this good or is this bad?” I am wondering.

Arthur interrupts, “Julian you really like details don’t you!”

I don’t. I really, really hate detail. If he read my blog he wouldn’t say this. But I maintain my composure because I know that although Arthur is effectively shredding almost half my work, he is helping me a lot.

So that I don’t speak, I reach forward for a flapjack and take an enormous bite out of it which completely fills my mouth. I begin to chew. Arthur continues through the next section. He starts to talk about the Data Protection Act or something but doesn’t finish his point. He continues his review:

| Section | Title | Arthur’s Assessment |
|---|---|---|
| 6.0 | Resources | |
| 6.1 | Provision of Resources | Not needed |
| 6.2 | Human Resources | Not needed |
| 6.3 | Infrastructure | Not needed |
| 6.4 | Work Environment | Not needed |
| 7.0 | Product Realisation | |
| 7.1 | Planning of Product Realisation | Not needed |
| 7.2 | Customer Related Processes | Not needed |
| 7.3 | Design and Development | Not needed |
| 7.4 | Purchasing | Ok – some amendment needed |
| 7.5 | Production and Service Provision | Not needed |
| 7.6 | Control of monitoring and measuring devices | Not needed |
| 8.0 | Measurement, Analysis and Improvement | |
| 8.1 | General | Not needed |
| 8.2 | Monitoring and Measurement | Not needed |
| 8.3 | Control of nonconforming product | Not needed |
| 8.4 | Analysis of data | Not needed |
| 8.5 | Improvement | Not needed |

He hasn’t touched his flapjack.

“So many people think their manual has to repeat what the Standard says,” he exclaims, “you don’t need to do it!”

Arthur is more impressed by the rest of the content. A lot of it, he says though, is just repeating the standard again. He also says that when the manual is applied in practice it will make things more straightforward.

He excuses himself. He leaves the room with me smarting from the “Julian=detail” accusation. I exact revenge by demolishing his flapjack too.

The contrast between the ultra-wordy material I have waded through on ISO standards and information security and Arthur’s approach is marked. Perhaps this is one of those few cases where it’s better to have less information!

I am still chewing intensively when he returns. He is not fazed.

Ironically, Arthur has shredded the last part of my ISO Manual for a secure data destruction business! However, in sum, Arthur approves of the stuff I have originated myself. Where I have text dumps, he says they are too wordy.

I will take on board most of what he says but I am aware that different experts/auditors on these Standards are likely to have different views of these things. For example, if they come from an information security background they might have a different view to Arthur’s.

So far so good then with ISO 9001. I’ll need to do the same with ISO 14001 down to a similar minimum.

Based on historical notes from my diary 
