IMS-Smart (pronounced I’m smart) Limited is a provider of expert information security management system (ISMS) consultancy and software-as-a-service from people who know the standards. All our ISMS have the following characteristics:
- Easy to demonstrate conformance — everything is just a click awayWe use PHP generated HTML for our electronic documents and store all the documented information in a database. You view it using a browser. ISMS documented information is hyperlinked, so in many cases, what you need just a “click away”. No more searching filing cabinets for printed paper. Just click. This enormously speeds up certification audits. Once you see where the auditor’s questions are leading, you can click away and quickly display all the evidence needed to demonstrate conformance.
- Risk assessment results that top management and risk owners can understandWe drive risk assessment using 12 event-scenarios, the necessary controls for which guarantee coverage of the ISO/IEC 27001 Annex A controls. The scenarios are easy to understand, e.g., Loss of a mobile device. Risk assessment is just the estimate of how often this could occur and the severity of the consequences. Read the Mastering the SOA page and click “Want to know more?”.
- Risk treatment plans that top management and risk owners can understandWe use the “tell-it-like-a-story” approach. Our risk treatment plans are designer plans, i.e., they specify the interrelationship between controls and explain how they work in concert to modify risk. Being written as a story, it is easy to comprehend how the controls act to prevent the event, detect the event should it occur and react to the consequence if all else fails.
- Distinguish between controls performed by you and by other organisationsIf your IMS organisation is part of a larger organisation, e.g., a department within a faculty of a university, or perhaps just part of that department, your organisation is unlikely to be responsible for implementing all of your necessary controls. Controls concerning HR and physical security are likely to be performed by other parts of the larger organisation to which you belong. We have a way to deal with this.
- Actions are recorded in a TDL and linked to the reports that generated themAs we use designer RTPs, we use a To-Do-List (TDL) to record ISMS actions (e.g., nonconformities, risks and improvements). These are linked to the reports (e.g. audits and management reviews) that generated them, so when reading, say an audit report, audit actions are marked as outstanding, overdue or completed, and are updated when their status in the TDL is changed.
- Require people to acknowledge reading and understanding ISMS policy pagesThere is an ISO/IEC 27001 requirement that persons doing work under the control of your ISMS organisation are aware of your information security policy, and there are information security controls related to this requiement that you are likely to consider as being necessary. We have a facility for users to acknowledge that they have read and understood all of your custom pages that you have so designated, and you can easily produce reports to see which pages have not been read and by whom.
- Guarantee that every requirement in ISO/IEC 27001 has been fulfilledWe use a conformance table that lists every ISO/IEC 27001 in one column and an explanation of how it has been fulfilled in the adjacent column. Never get caught out unawares in a certification audit. Just ask what clause is the auditor is referring to and look up the conformance table to determine the source of evidence and show that to the auditor.
You can view a demonstration of an ISMS being constructed and try out our software-as-a-service for free. If you are looking for information about ISMS, please use the Ask or Find buttons at the top of each page, or click on the resource links below. Interested in Cyber Essentials and migration to partial or full conformity with ISO/IEC 27001?