Our template contains all the essential ingredients for conformance
  
  Already have an ISMS? perhaps we can help you create a better one!
 

IMS-Smart On-Line

In support of the IMS-Smart philosophy we have a Template IMS, called IMS-Smart On-Line, which contains all the essential ingredients necessary to produce the documented information in conformance with various ISO management system standards. The technology is offered as an on-line software-as-a-service (SAAS) by annual subscription.

The ISO/IEC 27001:2022 version was built from the ground up paying close attention to the precise requirements of this new standard. There are sixteen requirements for documented information and most of these concern results — long gone are the days when management systems required a documented this and a documented that.

Principal features

The principal features of our technology are:

  • Easy to demonstrate conformance — everything is just a click away
    • We use PHP generated HTML for our electronic documents and store all the documented information in a database. You view it using a browser. ISMS documented information is hyperlinked, so in many cases, what you need just a “click away”. No more searching filing cabinets for printed paper. Just click. This enormously speeds up certification audits. Once you see where the auditor’s questions are leading, you can click away and quickly display all the evidence needed to demonstrate conformance. This facilitates showcasing your ISMS — show off your ISMS with pride.
  • Risk assessment results that top management and risk owners can understand
    • We drive risk assessment using 9 event-scenarios, the necessary controls for which guarantee coverage of the ISO/IEC 27001 Annex A controls. The scenarios are easy to understand, e.g., Loss of a mobile device. Risk assessment is just the estimate of how often this could occur and the severity of the consequences.
  • Risk treatment plans that top management and risk owners can understand
    • We use the “tell-it-like-a-story” approach. Our risk treatment plans are designer plans, i.e., they specify the interrelationship between controls and explain how they work in concert to modify risk. Being written as a story, it is easy to comprehend how the controls act to prevent the event, detect the event should it occur and react to the consequence if all else fails.
  • Distinguish between controls performed by you and by other organisations
    • If your IMS organisation is part of a larger organisation, e.g., a department within a faculty of a university, or perhaps just part of that department, your organisation is unlikely to be responsible for implementing all your necessary controls. Controls concerning HR and physical security are likely to be performed by other parts of the larger organisation to which you belong. We have a way to deal with this.
  • Actions are recorded in a TDL and linked to the reports that generated them
    • As we use designer RTPs, we use a To-Do-List (TDL) to record ISMS actions (e.g., nonconformities, risks. improvements and implementation of new controls). These are linked to the reports (e.g. audits and management reviews) that generated them, so when reading, say an audit report, audit actions are marked as outstanding, overdue or completed, and are updated when their status in the TDL is changed.
  • Require people to acknowledge reading and understanding ISMS policy pages
    • There is an ISO/IEC 27001 requirement that persons doing work under the control of your ISMS organisation are aware of your information security policy, and there are information security controls related to this requirement that you are likely to consider as being necessary. We have a facility for users to acknowledge that they have read and understood all of your custom pages that you have so designated, and you can easily produce reports to see which pages have not been read and by whom.
  • Guarantee that every requirement in ISO/IEC 27001 has been fulfilled
    • We use a conformance table that lists every ISO/IEC 27001 in one column and an explanation of how it has been fulfilled in the adjacent column. Never get caught out unawares in a certification audit. Just ask what clause is the auditor is referring to and look up the conformance table to determine the source of evidence and show that to the auditor.
  • Automatic RTP and SOA generation
    • The technology uses the approach to risk assessment and risk treatment described in Dr David Brewer’s book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability”. You just answer a set of questions about your information security controls and the RTPs and SOA are created for you — an approach that not only simplifies your task but guarantees that there will not be any inconsistences between your RTPs and your SOA.
  • Takes advantage of the richness of ISO/IEC 27002:2022.
    • The controls in ISO/IEC 27001 Annex A are derived exclusively from the control text in ISO/IEC 27002:2022. The purpose of comparing your necessary controls with the Annex A controls (Clause 6.1.3 c)), is to check that you have not inadvertently omitted any necessary control. There is so much more information in the purpose and guidance text in ISO/IEC 27002, that if you want a more comprehensive cross-check, it is better to compare your necessary controls with others derived from ISO/IEC 27002. IMS-Smart On-Line will assist you to do this.

The screen shot below shows the home page of IMS-Smart On-Line, showing the “Edit page” tab on the administration menu. If you are registered as an ISMS administrator you will see this option. It is your means to customise your instance of IMS-Smart On-line. The vertical menu window shows that some menu items have been collapsed.

 

On-line page editing

When you select Allow editing the page goes into editor mode, see below.

The parts that you can edit are highlighted. Sometimes there are multiple regions on a page. These correspond to different ISO/IEC 27001 requirements.

 

 

You have control over headings, fonts, spell checking etc.. Version numbering is automatic.

Examples — to get you started

In many cases you can display an example and edit that to get you started. Take a look at the screen shot below. Pressing the EXAMPLE button will overwrite the editing window(s) with an example (or first give you a choice of examples to select from). Don’t like the example — then press CANCEL and revert to what you had before. Like the example — by all means edit it before saving. Note the buttons to PREVIEW, SAVE DRAFT, REPUBLISH CURRENT EDITION and PUBLISH AS NEW EDITION.

 

Help windows

You can toggle the help windows on and off. The following screen shots show them switched on.

 

The help is contextual, although there a facility to view the whole of the administration manual and the technical guidance text.

Risk assessment

Risk assessment is based on events and consequences (as advocated by ISO 31000) and is driven by a questionnaire.

The screenshot show the risk questionnaire wizard. Questions are answered using radio buttons and sliders. The graph shows the resultant inherent risk values. Once all the questions have been answered, the process of risk assessment is complete.

 

Control questions

The control question wizard speeds up risk treatment, and facilitates automatic production of the Statement of Applicability (SOA). There are 182 questions. Half of these correspond directly to the 93 Annex A controls. The other questions are derived from the control purposes and guidance text in ISO/IEC 27002:2022, plus some more to ensure that there are no gaps in the risk treatment plans (see below).

The answers to each question can be “yes”, “similar” or “no”. If the answer is no” and the question corresponds to an Annex A control, you will be asked to explain why. This explanation is required for the SOA, as a justification is required for all excluded Annex A controls.

If cannot truthfully answer “yes” because the question does not faithfully correspond to what you do, answer “similar”. You will then be invited to enter a replacement question (to which the answer would be “yes” The statement forms of these questions correspond to your necessary controls. They are used to populate the risk treatment plans (RTPs) and the SOA.

If you have some necessary controls in addition to those that correspond to these questions, don’t worry — there is a facility to create your own custom controls and assign them to the RTPs.

 

Risk treatment plans

The “yes” and “similar” answered questions are used to create the risk treatment plans (RTPs). There are 9 built-in plans, which guarantee coverage of the Annex A controls. You don’t need to use all of these. You can create your own. You can reorder them and rename them.

The principal component of the RTP is the story text. These are partitioned into three parts: preventing the event, detecting the event, and reacting to the consequence(s). In edit mode, the control statements can be reordered and the display text edited to create an easy to understand explanation of the risk treatment plan.

 

Effectiveness

Also in edit mode, you can specify the effectiveness of your RTPs, using radio buttons and sliders. The graph shows the effect. The black squares correspond to the inherent risk (defined by the risk assessment) and the white squares correspond to the residual risks, i.e., the risks after treatment.

 

The Statement of Applicability

The Statement of Applicability (SOA) page is automatically generated from the answers to the control questions.

There are two formats: traditional, which uses the structure of Annex A, or the modern layout, which puts all the necessary controls first and the excluded Annex A controls last. There is a drop down menu to help to to find the entry for a given Annex A or custom control.

 

Other features

There are many other features to IMS-Smart On-line:

  • The display automatically adjusts according to whether you are using a PC, tablet or smart phone.
  • The menu tab adjusts according to what events you have defined.
  • There are global preferences.
  • You can move forwards and backwards between pages as in a book.
  • You can upload PDF files and images.
  • You may use your own logo in the top left hand corner of each page.
  • You can create custom pages.
  • You can create special ‘action pages’ for audit reports and reviews and link their actions to a ‘to-do-list’ for action tracking and management.
  • You can decide whether users must acknowledge pages that they have read and understood.
  • Custom data are held encrypted.

Access

Access is by user name and password.

Want to know more or purchase a licence

Current pricing ranges from about £2,400 per year, exclusive of UK VAT.

Please use our enquiry facility to ask or email manager@ims-smart.com.

A free version? Try out our IMS-Smart Assistant. It comprises a large subset of IMS-Smart On-Line and is free of charge for one year from the date of registration. It will allow you to perform all the functions described in Dr David Brewer’s book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability”, which is available on Amazon in e-book and paperback formats.

  
 
 
This site does not use cookies, but if you logon to an IMS-Smart product
you consent to that site setting authentication session cookies
© IMS-Smart Limited, 2013-25
Page last updated: June 24, 2025