Root Causes of Nonconformities

Clients often ask how we categorize the root causes of nonconformities that we discover within the organization and the products and services we deliver.  We use the list below.

  1. Uncategorized (under investigation)
  2. Accidental loss of physical IT asset
  3. Theft or malicious interference with physical IT asset
  4. Malware attack
  5. Denial of service attack
  6. Failure or defective operation of physical IT asset
  7. Insecure configuration
  8. Phishing or social engineering
  9. Defect in 3rd party software
  10. Defect in our software
  11. Failure to follow authorised policies or procedures
  12. Utility service outage or defect
  13. Reported in error (not a nonconformity)
  14. Inadequate training
  15. Environmental (fire, flood, lightning, earthquake, etc.)
  16. Other

Because this set of reasons appears in pull-down lists we try to keep it to 16 or fewer, combining any newly identified causes with existing entries.  ‘Defect in our software’ covers a range of causes that include:

  • Coding error
  • Version misconfiguration of software components
  • Misunderstanding of requirement(s)

The ‘Reported in error’ category includes discovery of requirements never previously stated by the client and which could not be reasonably anticipated.

Cartoons for Information Security and Data Protection Awareness

Cartoons can form a valuable component of internal communications.  They can help break up text and emphasise important messages. We are satisfied customers of the Glasbergen Cartoon Service.  It offers a collection of high-quality, business-related cartoons that cover a wide range of topics including information security and data protection.  When we’ve licensed cartoons from them, we’ve been able to find excellent examples closely aligned to the messages we’ve wanted to focus on in-house.  A sample of data protection and information security cartoons can be found here.


Client Data Security

Mobile Devices

All Security Management Consultants LTD’s laptop computers and PCs contain disks that are encrypted using the BitLocker facility that forms part of the Windows Operating System.  Strong passwords are enforced for operating system logins.

All smartphones used by employees are protected by access control mechanisms, and their storage, including any SD cards, is encrypted.  This means that SD cards cannot be read in other devices.  By default, no client data is stored on SD cards.

Servers

All disk storage used in and attached to our physical servers is encrypted using the BitLocker facility that forms part of the Windows Server Operating System. Strong passwords are enforced for operating system logins.

Other than email (see below) and encrypted backups, no client data is stored in the virtual servers that we operate in-house or in ‘cloud’ services that we rent from trusted suppliers.  All of our virtual servers and the ‘cloud’ services that we use run on physical equipment that is located within the European Economic Area (EEA).

Backups

All backups of corporate information, including client communications, are encrypted at source.  Encryption keys are held only by Security Management Consultants LTD and are not shared with other parties unless a valid, lawful request is made by a relevant law enforcement agency or regulatory body.

In-house image backups of laptop, desktop and tablet computers are created once each day when they are connected to our internal network.  These are stored on the main Windows Server whose disks are all encrypted as described above.

Online, encrypted, incremental backups of new and changed files are created eight times per day for laptop and tablet computers.  This happens when they are connected to the internal network or, when out of the office, to the Internet using company-supplied mobile telephony equipment.

A subset of the encrypted disks used for in-house server backups is held in our high-security data safe, which has a 120-minute fire rating. The safe and the servers are not co-located.

Backup tapes are no longer used and historical backup tapes have been disposed of securely.  We no longer have the ability to read or write magnetic tapes.

Email

Outgoing and incoming emails between clients and Security Management Consultants LTD pass through or temporarily reside within Microsoft-operated services located within the European Economic Area.  If sending sensitive information in an email we place it in an encrypted attachment and advise the recipient(s) of the key or passphrase separately.

Fax

We no longer operate a physical fax machine and no longer advertise an incoming fax number.  If a client wishes to send a fax to us, they should contact us to obtain instructions for doing so securely.

Paper Records

For environmental and other reasons we are actively reducing the amount of paper that we create, transmit and store.  Incoming paper documents and records will normally be scanned into the relevant project folder structure and the masters shredded securely prior to recycling.  A small number of paper documents and records is held in a single, metal filing cupboard that is locked when not in use.

Retention Periods

By default, we retain documents and records associated with client assignments for three years following the completion of the most recent assignment for the client.  Exceptions are:

  • Financial records relating to the work are retained for 7 years.
  • Insurance certificates relating to the work are retained for 40 years.
  • Training records, where the training has resulted in the issuance of a formal certificate of ‘attendance and successful completion’, are retained for 10 years.  This is to allow trainees to request duplicate certificates if the originals have been lost.


Statement on GDPR

Business-to-Business Services

Security Management Consultants LTD provides only ‘business to business’ services. We do not provide services to consumers. Our clients are private limited companies, public limited companies and government agencies.

Person Identifiable Data (PID)

We do not store, process or transmit consumer data or person identifiable data (PID) for our own purposes or on behalf of clients except for PID relating to our current employees, former employees and client representatives as described below.

Employee Person Identifiable Data

We do store and process personal data relating to our current and former employees in accordance with the requirements of the current UK Data Protection Act and the General Data Protection Regulation (GDPR) that will officially come into force on 25 May 2018. This data is not shared with third parties except where required by law or necessary for the operation of our pension scheme.

Person Identifiable Data of Client Representatives

If we are a supplier to your business and need to communicate with you we will store the following information about you to allow us to carry out the work that we have been contracted to perform:

  • Name
  • Business email address
  • Business physical address or addresses where you normally work (if relevant to the work)
  • Business telephone number (if relevant to the work)
  • Business role title (if relevant to the work)
  • Details of planned and completed training that we have been contracted to deliver.

This data is not shared with third parties except where required by law.

Please see our ‘Client Data Security’ post for details of how we keep client information safe.

Person Identifiable Data Relating to Prospective Clients

If you have contacted us because you are considering engaging us as a supplier to your business we will store the following information that you provide about yourself and your business colleagues to allow us to communicate with you:

  • Name
  • Business email address
  • Business physical address or addresses where you normally work (if relevant to the work)
  • Business telephone number (if relevant to the work)
  • Business role title (if relevant to the work)

This data is not shared with third parties except where required by law.

If you subsequently decide not to engage us as a supplier we will retain the associated information for a period of seven months following the end of the period of validity of the most recently submitted proposal or quote unless requested otherwise.  This is to facilitate submitting a subsequent proposal or quote should the same or similar requirement arise in the near future.

Receipt of Unsolicited Personal Information

If, unsolicited, a member of the public provides personal identifiable data (PID) to us we delete the data as soon as practicable and advise the sender of this using contact information they have provided.

Speculative Employment Enquiries

We do not retain unsolicited employment enquiries for future reference.

Data Protection Officer (DPO)

Please use the address stated on the Contact page to submit enquiries or make requests to exercise your applicable rights under the UK Data Protection Act and, from 25 May 2018, under the General Data Protection Regulation (GDPR).

Protection of Client Data

Please see our ‘Client Data Security’ post for details of how we keep information relating to clients and prospective clients safe.

Celebrating 25 years in business

  • Founded in Bearsden, East Dunbartonshire in 1991
  • Developed the LOW-PAPER DIET™ approach to quality management system development in 1992
  • First achieved ISO 9001/TickIT certification in 1993
  • First achieved BS 7799-2 certification in 2005.  (BS7799-2 was the forerunner of ISO 27001.)
  • Relocated to East Ayrshire in 2012

It’s time for a Data Protection Offenders Register

Is the UK Office of the Information Commissioner (ICO) effective in helping ensure that our data protection legislation is respected and complied with consistently?

My view is that the ICO needs to have an additional sanction that it can apply when data protection legislation is breached. This would take the form of a Data Protection Offenders Register.

Individuals would be added to the Register if they were responsible for data protection breaches where avoidance of the breach was within their control. Such individuals would be barred, for a designated period, from working in any position or role where they had access to information covered by the UK Data Protection Act and would not be allowed to manage or supervise anyone who had access to such data.

The idea of a Data Protection Offenders Register isn’t new. published an article along these lines by Toby Stevens in 2011.

Is your supplier’s ISO 27001 certification body UKAS-accredited?

We often encounter IT service providers that are choosing to use non-UKAS-accredited organizations to issue them with certificates of compliance with ISO 27001. The reasons are unclear, but we suspect that this is largely driven by cost considerations.

In the UK there is no legal barrier to any organization offering to provide ISO 27001 certification.  For example, Security Management Consultants LTD could, if it wished, issue ISO 27001 certificates to customers for whom it had helped implement an ISMS. However, we choose not to do so for obvious reasons, including ‘conflict of interest’.

When we assist customers to set up and operate an information security management system (ISMS) we always recommend, if certification to ISO 27001 is required, that the customer chooses a UKAS-accredited certification body. The reasons for this are:

  • The United Kingdom Accreditation Service (UKAS) is the sole national accreditation body recognised by the UK government to assess, against internationally agreed standards, organisations that provide certification, testing, inspection and calibration services
  • Knowledgeable purchasers and procurement departments may specifically require suppliers’ ISO 27001, ISO 9001, ISO 14001 and other management system certifications to be by UKAS-accredited certification bodies
  • In the United Kingdom, UKAS is appointed as the national accreditation body by the Accreditation Regulations 2009 (SI No 3155/2009) and operates under a Memorandum of Understanding with the Government through the Secretary of State for Business, Innovation and Skills
  • Accreditation by UKAS demonstrates the competence, impartiality and performance capability of certification bodies.

You can check if your organization’s ISO 27001 certification or the ISO 27001 certifications of its key suppliers are UKAS-accredited by visiting the UKAS web site.