Designing management systems for complex organisations
Growing the IMS
It is possible to grow a complex arrangement of IMS in conformance with the overarching-subordinate concept from a single IMS that is in part responsible for setting some aspect of common policy, for example (in the context of ISO/IEC 27001), the IT department, an information security department or even the HR department. We will refer to this first department as Department X. The IMS will probably conform to at least one management system standard, but for simplicity let us say just one and call that standard S1. In fact, ISO/IEC 27001 is a good example of such an initial standard as in general everyone in the organisation is responsible for conforming to a majority of its controls, whilst often no single department is responsible for setting all of the policies that it covers. So in this example let S1 be ISO/IEC 27001.
The first step is to create the IMS for Department X. Ultimately, that part which deals with common policies and procedures will break away to become a component of the Overarching IMS. It is therefore prudent to construct the IMS for Department X with this in mind. Pay particular attention to the AIL for this standard:
The second step (actually it is really a tranche, since there are likely to be several departments involved) is to create the IMSs for the departments identified in the SOA for Department X as being responsible for particular policies and procedures (e.g. the IT department and the HR department). Ultimately, that part which deals with common policies and procedures in each of these IMSs will also break away to become a component of the Overarching IMS. Indeed on completion of this tranche the overarching IMS in respect of S1 will be complete. It is likely that the IMSF for this overarching IMS will comprise the heads of all the subordinates IMSs created so far.
The third step/tranche is to create further subordinate IMSs. These will primarily concern the business units and it is highly likely that each will want to augment at least some of the common controls and add others that are peculiar to that units business risks. For example, the subordinate IMSs in the Government of Mauritius for the Passport and Immigration Office are quite distinct from that of the Treasury. Once this tranche is complete the whole of S1 has been properly rolled out to the whole of your organisation.
But why stop here? In parallel with these activities, similar tranches can be used to add in other standards, S2, S3, etc, following exactly the same procedures. IMS-Smart is not confined to the management system standards. In principle AILs can be added to deal with codes of practice such as CobiT, laws such as SOX and HIPPA, regulations such as Basel II and those used by air traffic controllers and port authorities. Here is one such strategy:
If the full IMS-Smart architecture is not included at the outset, then it is best to include it around stage 4. Note that the full IMS-Smart architecture is not currently available in IMS-Smart Online.
you consent to that site setting authentication session cookies
|© IMS-Smart Limited, 2008-21|
|Page last updated: March 1, 2021|