Designing management systems for complex organisations

  
  Already have an ISMS? perhaps we can help you create a better one!
 

Implementation strategies

Growing the IMS

It is possible to grow a complex arrangement of IMS in conformance with the overarching-subordinate concept from a single IMS that is in part responsible for setting some aspect of common policy, for example (in the context of ISO/IEC 27001), the IT department, an information security department or even the HR department. We will refer to this first department as Department X. The IMS will probably conform to at least one management system standard, but for simplicity let us say just one and call that standard S1. In fact, ISO/IEC 27001 is a good example of such an initial standard as in general everyone in the organisation is responsible for conforming to a majority of its controls, whilst often no single department is responsible for setting all of the policies that it covers. So in this example let S1 be ISO/IEC 27001.

The first step is to create the IMS for Department X. Ultimately, that part which deals with common policies and procedures will break away to become a component of the Overarching IMS. It is therefore prudent to construct the IMS for Department X with this in mind. Pay particular attention to the AIL for this standard:

  • The RTPs have to be constructed from the perspective of the organisation as a whole and thereby establish the SOA as the lowest common denominator. Other departments may augment the controls specified by Department X if they are exposed to a greater risk. No department will thank for setting controls that are too onerous.
  • Determine who is responsible for setting policy associated with each control. It might not be Department X. If X is the information security department, policies (and indeed their implementation in the most part) for controls listed in section A.8 of the standard are likely to be set by the HR department. The IT department is likely to be similarly responsible for the controls listed in section A.12 (and others).

The second step (actually it is really a tranche, since there are likely to be several departments involved) is to create the IMSs for the departments identified in the SOA for Department X as being responsible for particular policies and procedures (e.g. the IT department and the HR department). Ultimately, that part which deals with common policies and procedures in each of these IMSs will also break away to become a component of the Overarching IMS. Indeed on completion of this tranche the overarching IMS in respect of S1 will be complete. It is likely that the IMSF for this overarching IMS will comprise the heads of all the subordinates IMSs created so far.

The third step/tranche is to create further subordinate IMSs. These will primarily concern the business units and it is highly likely that each will want to augment at least some of the common controls and add others that are peculiar to that units business risks. For example, the subordinate IMSs in the Government of Mauritius for the Passport and Immigration Office are quite distinct from that of the Treasury. Once this tranche is complete the whole of S1 has been properly rolled out to the whole of your organisation.

But why stop here? In parallel with these activities, similar tranches can be used to add in other standards, S2, S3, etc, following exactly the same procedures. IMS-Smart is not confined to the management system standards. In principle AILs can be added to deal with codes of practice such as CobiT, laws such as SOX and HIPPA, regulations such as Basel II and those used by air traffic controllers and port authorities. Here is one such strategy:

  1. Convert existing ISO/IEC 27001 for IMS-Smart
  2. Build IMS for IT department, covering ISO 22301 and ISO/IEC 27001
  3. Could add ISO 9001 and ISO/IEC 20001 to deal with other aspects of IT
  4. Re-deploy using overarching-subordinate concept to deal with business applications elsewhere in the organisation
  5. Grow full blown IMS across whole of the organisation and all standards
  6. Extend to cover other (non-ISO) regulations.

If the full IMS-Smart architecture is not included at the outset, then it is best to include it around stage 4. Note that the full IMS-Smart architecture is not currently available in IMS-Smart Online.