Take advantage of the richness of ISO/IEC 27002:2022

Already have an ISMS? Perhaps we can help you create a better one!

The IMS-Smart Assistant

David Brewer’s book, “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability”, advocates an innovative approach to performing the ISO/IEC 27001 risk management processes: risk assessment, risk treatment and the statement of applicability (SOA). It uses a 182-control set, much of it derived from the control purpose and guidance text in ISO/IEC 27002:2022, in addition to the control text which makes up ISO/IEC 27001, Annex A. It thus permits organisations to take advantage of the richness of ISO/IEC 27002, leading to a more comprehensive set of necessary controls and therefore better information security.

It consists of five easy steps:

  • Answer questions regarding the characteristics of your organisation, your preferences, the impact of the loss of confidentiality, integrity and availability, and the likelihood that certain events will occur.
  • Answer questions regarding the information security measures that you have in place (or intend to put in place).
  • Review the risk stories and decide how effective they are at reducing your information security risks to an acceptable level.
  • Answer some questions about your necessary information security controls (e.g. their implementation status) and excluded ISO/IEC 27001, Annex A controls.
  • Export the results and incorporate them into your existing ISMS.

How is this possible?

  • BS 7799-3:2017 (Information security management systems — Part 3: Guidelines for information security risk management, a revision of BS ISO/IEC 27005:2011), Table 4, page 13, presented a set of risks in terms of example event-scenarios and consequences that give coverage of the controls in ISO/IEC 27001 Annex A. A fully ISO/IEC 27001 conformant risk assessment can therefore be performed just by estimating the likelihood of the occurrence of each of these events and the severity of their consequences.
  • Once you have determined the controls necessary to mitigate these risks, coverage ensures that comparison with the reference controls in ISO/IEC 27001 Annex A is guaranteed not to discover any control that you have inadvertently overlooked.

    Coverage is an essential property of the chosen event-scenarios.

    Please note:
    ISO/IEC 27005:2022 (Guidance on managing information security risk) has just been published and incorporates much of BS 7799-3.

    Please also note:
    Whilst ISO/IEC 27001 does not use the term “risk register” (and therefore there is no requirement to have one), the definition of a risk register given in ISO Guide 73 is “record of information about identified risks”. Therefore, a record of the risks that you have identified and assessed in fulfilment of ISO/IEC 27001, Clause 6.1.2, constitutes a risk register. Specifically, the risks identified and assessed in IMS-Smart On-Line constitute a risk register.

This approach greatly speeds up the process of risk assessment, risk treatment and production of your statement of applicability.


Want a more detailed explanation?


The IMS-Smart SAAS that automated the prescription given in the book has now been withdrawn and replaced with an emulator that is part of IMS-Smart On-Line. It uses the same database, so if you decide to buy an IMS-Smart On-Line licence there will be no need to export and import data.

The layout of the emulator is similar to that of IMS-Smart On-Line, with two differences: the welcome page is a dashboard (just like the original Assistant SAAS) and, of course, not all the pages in IMS-Smart On-Line are displayed or accessible.

Dashboard

The home screen of the Assistant is a dashboard showing just where you are in terms of answering the various questions and other activities necessary to complete the ISO/IEC 27001 risk assessment, treatment and SOA processes.

Other pages

The layout and purpose of other assistant pages are identical to those in IMS-Smart On-Line. Indeed the pages share the same code.

Exporting data

When the Assistant is first used, not all of its functions (pages) are available. The status of your instance of the Assistant is “in progress”. Risk data can only be exported when the status becomes “ready to export”. This happens when:

  • The risk questions concerning the severity of consequence for the loss of confidentiality, integrity and availability have been answered
  • All the control questions that correspond to ISO/IEC 27001 Annex A controls have been answered.

Pricing and purchase

The assistant is available free of charge for one year. The book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability” (available to buy on Amazon) explains the method in detail and can be used without the Assistant. However, the Assistant renders the method described in the book far easier to use. Ideally, buy the book and use the Assistant.
