Our template contains all the essential ingredients for conformance

  
  The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last
 

IMS-Smart On-Line

In support of the IMS-Smart philosophy we have a Template IMS, called IMS-Smart On-Line, which contains all the essential ingredients necessary to produce the documented information in conformance with various ISO management system standards.

In particular, we have an ISO/IEC 27001:2022 version that has been built from the ground up, paying close attention to the precise requirements of this new standard. That standard has just sixteen requirements for documented information, and most of these concern results; long gone are the days when management systems required a documented this and a documented that.

Principal features

The principal features of our technology are:

  • It is all you need to establish, operate, maintain and improve your ISMS.
  • There are examples and templates for all the required documented information.
  • There is a detailed explanation of all requirements and how to meet them.
  • It is easy to use and maintain.
  • You can achieve certification in a short period of time.
  • Licensing is by subscription, so no large one-off investment is needed.
  • Runs on-line.
  • Automatic SOA generation.
  • There are extensions to demonstrate conformance to ISO 9001 and ISO/IEC 27701.

The screen shot below shows the home page of our latest ISO/IEC 27001:2022 version, showing the “Edit page” tab on the administration menu. If you are registered as an ISMS administrator you will see this option. It is your means to customise your instance of IMS-Smart On-line. The vertical menu window shows that some menu items have been collapsed and that this IMS-Smart On-Line instance demonstrates conformance to ISO 9001 and ISO/IEC 27701, as well as ISO/IEC 27001.

On-line page editing

When you select “Allow editing”, the page goes into editor mode (see below).

The parts that you can edit are highlighted. Sometimes there are multiple regions on a page. These correspond to different ISO/IEC 27001 requirements.

You have control over headings, fonts, spell checking etc. Version numbering is automatic.

Examples — to get you started

In many cases you can display an example and edit it to get started. Take a look at the screen shot below. Pressing the EXAMPLE button overwrites the editing window(s) with an example (or first gives you a choice of examples to select from). If you don’t like the example, press CANCEL to revert to what you had before. If you like it, by all means edit it before saving. Note the buttons to PREVIEW, SAVE DRAFT, REPUBLISH CURRENT EDITION and PUBLISH AS NEW EDITION.

Help windows

You can toggle the help windows on and off. The following screen shots show them switched on.

The help is contextual, although there is also a facility to view the whole of the administration manual and the technical guidance text.

Risk assessment

Risk assessment is based on events and consequences (as advocated by ISO 31000) and is driven by a questionnaire.

The screenshot shows the risk questionnaire wizard. Questions are answered using radio buttons and sliders. The graph shows the resultant inherent risk values. Once all the questions have been answered, the process of risk assessment is complete.

Control questions

The control question wizard speeds up risk treatment, and facilitates automatic production of the Statement of Applicability (SOA). There are 182 questions. Half of these correspond directly to the 93 Annex A controls. The other questions are derived from the control purposes and guidance text in ISO/IEC 27002:2022, plus some more to ensure that there are no gaps in the risk treatment plans (see below).

The answer to each question can be “yes”, “similar” or “no”. If the answer is “no” and the question corresponds to an Annex A control, you will be asked to explain why. This explanation is required for the SOA, as a justification is required for every excluded Annex A control.

If you cannot truthfully answer “yes” because the question does not faithfully correspond to what you do, answer “similar”. You will then be invited to enter a replacement question (to which the answer would be “yes”). The statement forms of these questions correspond to your necessary controls. They are used to populate the risk treatment plans (RTPs) and the SOA.

If you have some necessary controls in addition to those that correspond to these questions, don’t worry — there is a facility to create your own custom controls and assign them to the RTPs.

Risk treatment plans

Questions answered “yes” or “similar” are used to create the risk treatment plans (RTPs). There are 9 built-in plans, which guarantee coverage of the Annex A controls. You don’t need to use all of these, you can create your own, and you can reorder and rename them.

The principal component of each RTP is its story text, which is partitioned into three parts: preventing the event, detecting the event, and reacting to the consequence(s). In edit mode, the control statements can be reordered and the display text edited to create an easy-to-understand explanation of the risk treatment plan.

Effectiveness

Also in edit mode, you can specify the effectiveness of your RTPs, using radio buttons and sliders. The graph shows the effect. The black squares correspond to the inherent risk (defined by the risk assessment) and the white squares correspond to the residual risks, i.e., the risks after treatment.

The Statement of Applicability

The Statement of Applicability (SOA) page is automatically generated from the answers to the control questions.

There are two formats: the traditional layout, which uses the structure of Annex A, and the modern layout, which puts all the necessary controls first and the excluded Annex A controls last. There is a drop-down menu to help you find the entry for a given Annex A or custom control.
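The SOA logic described on this page (a “yes” keeps the control statement, a “similar” substitutes your replacement statement, a “no” on an Annex A control excludes it and must carry a justification, custom controls are always necessary, and the two layouts differ only in ordering) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not IMS-Smart code, and the control identifiers, questions and answers in it are constructed sample data.

```python
"""Illustrative model of generating a Statement of Applicability (SOA) from
control-question answers. Added example, not IMS-Smart code; all data is constructed."""
from dataclasses import dataclass
import re


@dataclass
class Answer:
    control_id: str          # Annex A identifier such as "A.5.1" (constructed here)
    question: str            # the control question as asked
    answer: str              # "yes", "similar" or "no"
    replacement: str = ""    # replacement statement, required when answer == "similar"
    justification: str = ""  # reason for exclusion, required when answer == "no"


@dataclass
class SoaEntry:
    control_id: str
    statement: str           # the necessary control in statement form
    applicable: bool         # False for an excluded Annex A control
    justification: str = ""


def soa_errors(answers):
    """Return the rule violations that would block SOA generation (empty list = OK)."""
    errors = []
    for a in answers:
        if a.answer == "similar" and not a.replacement.strip():
            errors.append(f"{a.control_id}: 'similar' needs a replacement statement")
        elif a.answer == "no" and not a.justification.strip():
            errors.append(f"{a.control_id}: excluded Annex A control needs a justification")
        elif a.answer not in ("yes", "similar", "no"):
            errors.append(f"{a.control_id}: answer must be yes, similar or no")
    return errors


def build_soa(answers, custom_controls=()):
    """Map answers to SOA entries; custom controls are necessary controls by definition."""
    errors = soa_errors(answers)
    if errors:
        raise ValueError("; ".join(errors))
    entries = []
    for a in answers:
        if a.answer == "yes":
            entries.append(SoaEntry(a.control_id, a.question, True))
        elif a.answer == "similar":
            entries.append(SoaEntry(a.control_id, a.replacement, True))
        else:  # "no": excluded, justification already validated above
            entries.append(SoaEntry(a.control_id, a.question, False, a.justification))
    for cid, statement in custom_controls:
        entries.append(SoaEntry(cid, statement, True))
    return entries


def _sort_key(control_id):
    """Annex A ids sort numerically by clause; custom ids follow them alphabetically."""
    m = re.fullmatch(r"A\.(\d+)\.(\d+)", control_id)
    if m:
        return (0, int(m.group(1)), int(m.group(2)), "")
    return (1, 0, 0, control_id)


def traditional_layout(entries):
    """Annex A structure: every control in clause order, custom controls at the end."""
    return sorted(entries, key=lambda e: _sort_key(e.control_id))


def modern_layout(entries):
    """Necessary controls first, excluded Annex A controls last, clause order within each."""
    ordered = traditional_layout(entries)
    return [e for e in ordered if e.applicable] + [e for e in ordered if not e.applicable]


# Constructed sample answers (identifiers and wording are illustrative only).
SAMPLE_ANSWERS = [
    Answer("A.5.1", "Is there a documented information security policy?", "yes"),
    Answer("A.5.7", "Is threat intelligence collected and analysed?", "similar",
           replacement="Vendor security advisories are reviewed weekly by the IT team"),
    Answer("A.8.1", "Are user endpoint devices protected?", "yes"),
    Answer("A.6.1", "Are background checks carried out on candidates?", "no",
           justification="All staff are seconded from the parent company, which screens them"),
]
SAMPLE_CUSTOM = [("C.1", "Customer data exports are approved by the data owner")]


if __name__ == "__main__":
    soa = build_soa(SAMPLE_ANSWERS, SAMPLE_CUSTOM)
    for e in modern_layout(soa):
        status = "necessary" if e.applicable else f"excluded: {e.justification}"
        print(f"{e.control_id:6} {status:60} {e.statement}")
```

The validation step is deliberately separate from generation: a missing justification for an excluded Annex A control is exactly the kind of gap a certification auditor looks for, so it is better reported before the SOA is produced than discovered in the document afterwards.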

Other features

There are many other features of IMS-Smart On-line:

  • The display automatically adjusts according to whether you are using a PC, tablet or smart phone.
  • The menu tab adjusts according to what events you have defined.
  • There are global preferences.
  • You can move forwards and backwards between pages as in a book.
  • You can upload PDF files and images.
  • You may use your own logo in the top left hand corner of each page.
  • You can create custom pages.
  • You can create special ‘action pages’ for audit reports and reviews and link their actions to a ‘to-do-list’ for action tracking and management.
  • You can decide whether users must acknowledge pages that they have read and understood.
  • Custom data is held encrypted.

Access

Access is by user name and password.

Want to know more or buy a copy?

Please use our enquiry facility to ask.