Archive for the ‘Consultants View’ Category

Watch Out: ISO 50001 is about!

August 3rd, 2010 by Nick Orchiston

Coming to a standards office near you is ISO 50001. Due to be published in early 2011, this will be the definitive Energy Management Standard. Currently, the de facto standard for energy management is EN 16001:2009 ‘Energy management systems. Requirements with guidance for use’. This standard is intended to help all organisations, irrespective of their size, geographical location, products, services or marketplace, to establish the processes and systems necessary for managing and improving energy efficiency. In turn, this helps reduce emissions and greenhouse gases.

Having an EN 16001 Energy Management System will enable any organisation to:

  • Improve energy use performance in a systematic way
  • Establish an energy management system
  • Ensure energy management conforms with stated policy
  • Demonstrate to stakeholders and others the organisation’s commitment to energy use improvement
  • Allow certification of the Energy Management System by an accredited third party.

EN 16001 is currently a European standard (the EN designator indicating it is a ‘European Norm’). However, the International Standards Organisation (ISO) has taken up this standard and is planning to publish the international version as ISO 50001, which, surprise, surprise, will also be called “Energy management systems — Requirements with guidance for use”. Currently, the international version is in the voting stage as a Draft International Standard. If all goes well, publication is expected in early 2011. Thus, certainly for a while, EN 16001 and ISO 50001 will sit alongside one another. Those of you who have already started on EN 16001 programmes, fear not: one of the prime aims in writing the international version has been to retain compatibility between EN 16001 and ISO 50001, thus ensuring that early adopters of the former standard will not lose out. It is anticipated that those certifying to EN 16001 should have only minimal transitional requirements to achieve ISO 50001 status.

Confused? You certainly should be. Hopefully, after reading this, the situation will be clearer and any doubt removed. If you are still in need of succour, why not call IT Governance (+44(0)845 070 1570) and talk it through.

The contents of EN 16001 are:

(more…)

Top Security Tips: documentation – Updated

April 15th, 2010 by Ralph O'Brien

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations.  Too often I see organisations who have ended up with documentation that is inappropriate for the way they work.  Large, bulky manuals full of technical information.  Documents that are inconsistent and in different formats and layouts.  Documents written for an external assessor rather than for a practical business process.  The result is clear.  People don’t bother to read or use them.  This means the resulting business practices become non-compliant and out of control, and security risks will therefore increase dramatically.

Getting documents “write” shouldn’t be difficult.  I’ve compiled a list of top tips below that, if followed, should ensure that documentation stays relevant, up to date, usable and, more importantly, read and followed by an organisation’s stakeholders.

The most important document you will write is the document control, or “how to document” document.  This will set out the formats and practices that the rest are built on, and makes sure that all the other documents are consistent within the organisation.

Educate staff on the difference between policy (senior management aspiration), procedure (documenting how to undertake a process), guidance (non-mandatory help or explanation) and records (evidence that procedures have been carried out).  Too many organisations use the word “policy” to mean all of the above and end up with documentation with very confused purposes and language.

Try to keep documents short and succinct.  As a guide, try and keep policies to a single page, procedures to around three.  Consider whether a picture or diagram will be more effective than words.

Allocate roles and responsibilities early to ensure everyone knows where they stand.  If you allocate someone a role or responsibility, be clear what that entails and requires of the individual.

Give staff ownership of documents that pertain to their part of the business.  Make them responsible for document update and maintenance.  Not only will this ensure that documents are produced, but also that they are relevant, accurate and practical for their intended audience.  Audit to ensure documents have been reviewed and updated.

Try to avoid large and unwieldy compliance manuals; instead, build security controls into the smaller business process documents that are relevant to the staff who will use them.

When pursuing standards, although you must ensure the requirements are covered, make sure that documents are still written in language that is appropriate to the staff and culture of the business.  For example, if a standard says you must have a “corrective action” procedure, it may be better to call it something like “How do we fix problems?” instead of using the title from the standard.

When applying protective marking (or information classification) to documents, make sure that everyone is educated in the marking system and what it means you can and cannot do with a document.  Consider extending the marking system to other tangible information assets, such as manual files, emails and media, and using it as the basis for access control (i.e. this is a “public” zone and through that door is the “confidential” zone).

Consider how you will evidence that staff have read and understood documents.  However, getting staff to sign loads of documents can sometimes be a waste of resource.  Consider standing orders that require staff to visit a folder or intranet page at a certain time, or an email with links to relevant documents.

Don’t mix words like “will”, “shall” and “should” in the same document.  Some words are aspirational (“will” is a good word for policy), some are mandatory (“shall” or “must” is good for procedures) and some are non-mandatory (“should” or “may” is good for guidance).  Mixing these words within a single document means that you are not providing clear direction to your staff on what they are required to do.  Being consistent in your words means that the style of documents and instructions to staff remains consistent.

Make sure document formats and templates are held centrally and used by staff to create documents.  This ensures the logo and brand is protected, and staff have examples to work from.  Make sure that documents can be approved and published centrally to ensure that all documents contain the relevant information and can be found when required (technology solutions for storing these documents in web portals are becoming more popular by the day).

Finally – whenever I train staff and information security professionals, the documentation part of the course is always initially met with a groan.  However, once people see the many benefits of good documentation regimes, they leave the session enthused and confident, knowing the many benefits that good communication can bring to any organisation, and the improvement it can bring to its security stance.

Post by Ralph O’Brien.

Beware of Bogus Agencies Acting as the ICO

March 15th, 2010 by Ralph O'Brien

Under the Data Protection Act 1998, anyone who processes personal data has a legal obligation to “notify” the Information Commissioner’s Office (ICO) they are doing so.  In fact it is a criminal offence not to notify, or to fail to keep the ICO up to date with any changes to the way an organisation processes personal data.

This notification can be done online or by phone directly with the ICO, and costs 35 GBP per year (500 GBP for larger businesses).  However, it was in 2000, when working for the Police, that I first became aware of “bogus agencies” who threaten businesses in order to extort money from them using this law.  It seems the scam is still in operation today.

These businesses often charge up to 200 GBP to notify on an organisation’s behalf.  There is nothing illegal in charging an admin fee for taking this burden from other organisations.  What is wrong is the way they go about getting their clients: often posing as the Information Commissioner and writing threatening letters stating that organisations will be fined or people jailed if they do not pay up immediately to the bogus agency concerned.  Often their name or logo is designed to make an organisation think the bogus agency is an official body, and of course they do not state that the organisation can do it itself far more cheaply.
(more…)

ISO27001: Getting The Staff On Board

February 17th, 2010 by Phil Hare

Ever watched a presentation that’s left you with the feeling that it was an hour of your life you’ll never get back? Ever sat in a room full of people that are just two PowerPoint slides away from screaming “None of this matters!” before defenestrating themselves? Have you ever had to present to a room full of people like that? People who have so little interest in you, or your subject, that they’ve had to resort to stabbing their own leg with a biro just to stay awake?

I might be going out on a limb here, but I’m pretty sure that most people reading this will have been subjected to “Death by PowerPoint” at some time in their lives, and that most of us have previously resorted to any excuse short of actually faking our own death not to be subjected to it again. The simple fact is that it’s hard to keep your attention focussed on anything you’ve already decided you don’t care about. It doesn’t matter how often someone extols the virtues of something to you; if you can’t see how it matters to you, you’re unlikely to care.
(more…)

Business vs. The Weather: The Availability Problem

December 22nd, 2009 by Phil Hare

Recently my neck of the woods has been taking a bit of a beating from the weather gods. First it was the rain, which flooded part of the town I live in and all but destroyed a couple of towns nearby. This week it’s been snow, which has reduced the main roads in and out of my home town to a complete standstill at some times, and an outright deathtrap at others.

Happily having a member of staff, or even several members of staff, trapped by the weather has little or no impact on ITG’s continuing operation. Why? Because we operate an Information Security Management System to the ISO27001 standard. We are prepared.
(more…)

ISO27001 and the SME: do not be afraid

December 16th, 2009 by Phil Hare

In my inaugural post last week I talked about those companies out there who certify their own work, in particular to ISO27001. I’m not going to go over the same argument again here, but I do feel it would be remiss of me not to address the more pressing, underlying cause that feeds such organisations in the first place: information security can be expensive to do properly.

In particular, ISO27001 can be an expensive standard to tackle for small businesses. That doesn’t mean that there’s any less of a demand for it, however: the “information age” has provided start-ups and SMEs with the tools required to punch well above their weight, and they often find themselves in the supply chains of much larger bodies who demand a certain standard in doing business, including how you manage your information security.

What to do in that situation? Well, there are a number of options available:
(more…)

Information Security: No cowboys please

December 7th, 2009 by Phil Hare

There are some things that make me grind my teeth with despair. People who seem to think that everyone in the train carriage will appreciate the music on their phone, for example, or the grammar checking function on my word processor that’s convinced it knows better than I do. Oh, and companies that trade on the reputation of international standards, without actually complying with them. I admit, that last one’s probably a bit more specific to me than the other two.

In my particular field (information security) the international standard is ISO/IEC 27001:2005. There are lots of good reasons to comply with this standard, which are well documented elsewhere on the IT Governance website and in this great little pack of books on the subject. For the purposes of this post let’s just say that if you need to keep your company information present, correct and secure, ISO27001 is the standard you want. Organisations do want it, too, in their thousands, and they look for help in implementing it.
(more…)

The case for EN 16001

December 1st, 2009 by Nick Orchiston

Strategic approach to energy management: EN 16001

In today’s highly volatile and competitive marketplace, energy costs have assumed a greater significance. With rising fuel costs, open markets in gas and electricity and new government climate change policies, no organisation can afford to be complacent about managing its energy efficiently.

Evidence shows that applying structured management techniques to energy management can result in significant savings.

There has never been a better time for any organisation, large or small, to move forward and adopt a strategic, formal approach to managing its energy use.

(more…)