Don’t be put off by thinking it is too complex a thing to do. We aren’t saying it’s simple, but with us doing the bulk of the work for you, including managing the whole process, it is relatively straightforward.
There are really 6 stages to becoming and staying certified to BS 10012:
There is more detailed information below about the various stages you need to go through.
Episode has plenty of experience, and some really helpful tools to deal with most requirements.
As part of any information security project undertaken by Episode, we get our info sec/cyber security expert partner to undertake a detailed audit of your system (using penetration tests, network sniffers, etc.) to identify any issues. If you feel you need their help rectifying issues, they will give you a fixed fee proposal for the work.
Done wrong, absolutely. Too many systems we see have a form or document to cover every aspect of the standard. That’s the easy way to build a system, and an equally easy way to cripple you operationally. You know this is the case when you spend a month “updating” (i.e. creating false) records, etc. before the auditor next comes.
Done right, as we will make sure it is, the system should be at the core of how you work. Remember, we make ISO work for you, not the other way around.
It is difficult to give precise timescales, as it depends on a number of things such as how complex the business is, how close you are to complying with the standard already, and so on. We recommend planning for it taking at least 4 to 6 months.
For a fixed cost we will do as much of the work as possible, and guarantee certification.
Episode has worked with over 40 clients, many of whom have more than one standard they comply with (one has 5). All have been successfully certified and many subsequently ask us to help them maintain certification, and get more out of the system.
The following costs will arise:
Episode always gives a fixed fee proposal for a project, and we include guaranteed certification. A typical BS 10012 project is about £4,550, but this does depend on the size and complexity of your business.
You will need an external company to certify the system as being compliant with the standard. There are many certification bodies that can independently assess (certify) your system against the standard. We will manage this process for you, and typical costs for a single standard range from £2,500 to £3,000, depending on the size and complexity of the business.
There may well be IT and other infrastructure work that needs doing, and we will give you a list of requirements as the first stage of any project.
Written specifically to help you comply with the General Data Protection Regulation [GDPR], BS 10012:2017, Data protection — Specification for a personal information management system is the British standard that sets out the requirements for a personal information management system and aligns with the principles of the European General Data Protection Regulation (EU GDPR). It outlines the core requirements organisations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals. It then provides a best practice framework for a Personal Information Management System, helping you to maintain and improve compliance with data protection legislation and provide assurance to your stakeholders.
Whilst GDPR is new, it is a revision of laws that have existed for many years. Government agencies that supervise information security (the ICO in the UK) take a balanced, pragmatic approach. They realise no one can be perfect, and should the need arise for them to look into your organisation, the starting point is always “what have you done to protect against such an issue?”. BS 10012 is an excellent way to demonstrate your intent. It is easily integrated with other popular ISO-based management system standards.
"It was only by utilising the expert guidance and experience of ‘Episode Ltd.’ that Thurston Group was able to attain certification within an exceptionally challenging time frame. We therefore offer our thanks to Episode Ltd. for the diligent and professional services provided. We also look forward to working with them again soon and would not hesitate to recommend their services."
Peter Spieight, Senior Divisional Director, Thurston Group, Wakefield
Roger's support was invaluable in terms of gap analysis, recommendations for improvement, and facilitation of the certification process. I would strongly recommend Roger to any organisation wishing to develop or improve its management systems, in a way which minimizes bureaucracy, and focuses on best serving the needs of the organization.
Gary Evans, Flour Corporation, Abu Dhabi