Our template contains all the essential ingredients for conformance
In support of the IMS-Smart philosophy we have a Template IMS, which contains all the essential ingredients necessary to produce the documented information in conformance with various ISO management system standards.
In particular we have an ISO/IEC 27001:2013 version that has been built from the ground up, paying close attention to the precise requirements of this new standard. Notably, there are just sixteen requirements for documented information and most of these concern results — long gone are the days when management systems required a documented this and a documented that.
The principal features of our technology are:
The screen shot below shows the home page of our latest ISO/IEC 27001:2013 version, showing the “Edit page” tab on the administration menu. If you are registered as an ISMS administrator you will see this option. It is your means to customise your instance of IMS-Smart On-line.
On-line page editing
The parts that you can edit are highlighted. In the original non-online versions of IMS-Smart technology that used Dreamweaver as an HTML editing tool, these custom text regions correspond to the Dreamweaver editable regions.
In the old Front Page technology these were the highlighted regions as shown in the figure above.
When you select Edit page the page goes into editor mode, see below.
You have control over headings, fonts, spell checking etc. The editing technology is by CKEDITOR.
Examples — to get you started
In many cases you can display an example and edit that to get you started. Take a look at the screen shot below. Pressing the EXAMPLE button will overwrite the editing window with an example (or first give you a choice of examples to select from). Don’t like the example — then press CANCEL and revert to what you had before. Like the example — by all means edit it before saving.
There is a wizard that will give you a choice of complete examples and load your chosen example into all the relevant custom regions as draft pages. A draft page cannot be seen by the regular users of your ISMS. For them to see it, you must publish it first.
You can toggle the help windows on and off. The following screen shots show them switched on.
The help is contextual, although there is a facility to view the whole of the administration manual and the technical guidance text (which is taken from Dr. David Brewer’s book “An introduction to ISO/IEC 27001:2013”, published by BSI).
The Statement of Applicability
The Statement of Applicability (SOA) page works slightly differently in that editing is per control:
In the above SOA screen shot, the references to policy and RTP identifiers (S6, S9, etc.) are automatically inserted if you associate a control with a policy or an RTP.
In the new version of the standard, the SOA is used as a cross check that necessary controls have not been inadvertently omitted. Go through the SOA and, in editing each control, decide whether it applies or not, and if it does, whether it is for policy reasons or for one or more RTP reasons. Note that in addition to saying that the applicability is yes or no, you may also declare it as variant. Use this if the control you use is similar to, but not quite the same as, an Annex A control. The idea is that if you say that an Annex A control is applicable but do not conform to the specification given in Annex A, you will be found nonconformant. If you declare it as a variant, effectively you are saying “That Annex A control is not applicable for these reasons … but we do something similar, which is …”
Particularly for organisations that are part of a larger organisation, e.g. a business unit within a company, you have the ability to declare a control as being:
This feature can be switched off (in which case all controls are deemed to be local). Alternatively you may set up overarching/subordinate relations between the members of a hierarchy of ISMSs. In this case a set of inheritance rules apply. For example:
Controls may also be associated with RTPs from the RTPs pages.
Risk assessments are performed using the IMS-Smart method. It’s quite simple. Identify the information security events that concern you. Determine how likely they are to occur and the severity of the impact that would then occur, and that’s the risk assessment done.
Note that ISO/IEC 27001:2013 does not require the identification of assets, threats or vulnerabilities.
You use the Edit page facility on the ‘risk assessments results’ page to enter the likelihood and severity data. IMS-Smart will then plot a graph for you.
Note that likelihood is expressed in an easy to comprehend manner (e.g. once a year, twice a day, …).
To help you there are 12 ‘standard’ events:
You can also add your own events.
There is a wizard which will register all the standard events for you, and associate them with the relevant C, I and A consequences and relevant controls.
It is that simple.
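As an added illustration of the event-based assessment just described (this is not IMS-Smart’s own code, and its scoring rule is an assumption), the script below converts plain-English likelihoods such as “twice a day” into events per year, places each event in a likelihood band for plotting, and ranks a few constructed sample events by annual frequency multiplied by severity on an assumed 1 to 5 scale.

```python
import re

# Assumptions (not from IMS-Smart): periods per year used to annualise a likelihood
# phrase, the count words recognised, and the bands a likelihood is plotted in.
PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "year": 1}
COUNT_WORDS = {"once": 1, "twice": 2, "three times": 3, "four times": 4}
LIKELIHOOD_BANDS = [(1, "<1/yr"), (12, "1-12/yr"), (365, "12-365/yr"), (float("inf"), ">365/yr")]


def events_per_year(phrase):
    """Turn a plain-English likelihood ('twice a day', 'every 5 years') into events per year."""
    p = " ".join(phrase.lower().split())
    m = re.fullmatch(r"(once|twice|[a-z]+ times|\d+ times) (?:a|per) (day|week|month|year)", p)
    if m:
        count_txt, period = m.groups()
        count = COUNT_WORDS.get(count_txt)
        if count is None:
            if not count_txt[0].isdigit():
                raise ValueError(f"unrecognised count in likelihood: {phrase!r}")
            count = int(count_txt.split()[0])
        return float(count * PERIODS_PER_YEAR[period])
    m = re.fullmatch(r"every (?:(\d+) )?(day|week|month|year)s?", p)
    if m:
        n, period = m.groups()
        return PERIODS_PER_YEAR[period] / int(n or 1)
    raise ValueError(f"unrecognised likelihood: {phrase!r}")


def likelihood_band(per_year):
    """Map an annual frequency onto the band it would be plotted in."""
    for upper, label in LIKELIHOOD_BANDS:
        if per_year < upper:
            return label
    raise ValueError(f"frequency out of range: {per_year!r}")


def assess(events):
    """events: (name, likelihood phrase, severity 1-5). Returns rows ranked by
    risk = events per year x severity (assumed scoring), highest risk first."""
    rows = []
    for name, likelihood, severity in events:
        if not 1 <= severity <= 5:
            raise ValueError(f"severity must be 1-5, got {severity!r} for {name!r}")
        per_year = events_per_year(likelihood)
        rows.append({"event": name, "per_year": per_year, "band": likelihood_band(per_year),
                     "severity": severity, "risk": per_year * severity})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample events (not the twelve IMS-Smart standard events).
SAMPLE_EVENTS = [("Laptop lost or stolen", "once a month", 3),
                 ("Phishing email reaches a user", "twice a day", 2),
                 ("Data centre fire", "every 10 years", 5)]

if __name__ == "__main__":
    for r in assess(SAMPLE_EVENTS):
        print(f"{r['event']:<30} {r['per_year']:>8.2f}/yr  {r['band']:<10} sev {r['severity']}  risk {r['risk']:.1f}")
```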
There are many other features to IMS-Smart On-line:
Access is by user name and password.
When you register an ISMS you register the owning organisation and a principal ISMS administrator. That administrator may register other ISMS users and declare them as fellow administrators or regular users. Administrators may edit pages. Regular users cannot.
There is a special type of user, referred to as a consultant. Consultants can be associated with more than one ISMS.
Why not take a look at our product videos?
© IMS-Smart Limited, 2013-4
Page last updated: 31 July, 2013