We are particularly expert in ISO/IEC 27001, having helped to write the standard…

  Already have an ISMS? perhaps we can help you create a better one!

Consultancy and training services

IMS-Smart specialises in Integrated Management System (IMS) services. We are particularly expert in ISO/IEC 27001, having helped to write the standard and create the original British Standard (BS 7799-2:2002). We are also experienced in ISO 9001 and ISO 22301.

Critical success factors for operating an ISMS

ISO/IEC 27001 specifies what you must do to achieve conformance, not how to do it. It is like being given the ingredients and told to make a cake, but not being given the recipe. Whilst there are many good recipes, some are much better than others. For success:

  • The standard should be moulded to your organisation, not the other way round. Much of what you need, likely as not, will already be in place — it just might not conform to ISO/IEC 27001. Just how far off can be determined by a gap analysis, and that is an analysis between what you are doing and the requirements of Clauses 4–10 of the standard, not the Annex A controls, as those are not requirements.
  • Treat your ISMS as a journey, not a destination. Clause 10 explains what to do about nonconformities and improvements. Record all your ISMS related actions on a To-Do-List; assign target completion dates and responsibilities, and monitor regularly. Don’t forget to reassess your information security risks at planned intervals and when significant changes are proposed or occur; and update your risk treatment plans accordingly — the information security threat landscape changes frequently😮
  • Look forward to your certification audits — they are opportunities to showcase your ISMS — show it off with pride.
  • Lead from the top. When top management leads by example, it increases awareness, builds information security into the culture of the organization and makes it much easier for everyone else to implement.
  • Treat information security as a management issue. This is why top management plays a leading role. It is to direct and control the organisation in all of its respects, one of which is information security.
  • Read and understand each and every requirement. Use the definition of terms given in ISO/IEC 27000 and where necessary, ISO 31000, the ISO identical core text and the Oxford English Dictionary or Oxford Dictionaries Online. The requirements of ISO/IEC 27001 are in Clauses 4–10. Notes are not requirements. The controls in Annex A are not requirements.
  • Documented information is not required for everything. ISO/IEC 27001 is very clear on what is required
    Documented informationISO/IEC 27001 Clause
    Scope of the ISMS4.3)
    Information security policy5.2 e)
    Information security risk assessment process6.1.2
    Information security risk treatment process6.1.3
    A Statement of Applicability6.1.3 d
    Information security objectives6.2
    Evidence of competence7.2
    ‘documented information determined by the organization as being necessary for the effectiveness of the information security management system7.5.1
    ‘...to have confidence that operational processes have been carried out as planned.’8.1
    ‘...results of the information security risk assessments.’8.2
    ‘...results of the information security risk treatment.’8.3
    ‘...evidence of the monitoring and measurement results.’9.1
    ‘...evidence of the audit programme(s).’9.2
    ‘...evidence of the audit results.’9.2
    ‘...evidence of the results of management reviews.’9.3
    ‘the nature of the nonconformities and any subsequent actions taken...’10.1
    ‘the results of any corrective action.’10.1
    and you are permitted to supplement the requirement, if you determine that it is necessary for the effectiveness of your ISMS. Write down what you do, not what you think would please an auditor. Many nonconformities are caused by documenting your aspirations rather than what you do.

IMS-Smart’s approach

It is essential that your project team takes ownership of the ISMS. IMS-Smart’s role is to assist you to do that. We start with a series of tutorials in which you will gain a correct understanding of the ISO/IEC 27001 requirements and how your organisation can fulfil them. Quite soon into the tutorials, the team will be set a variety of tasks to marshal your existing documented information and processes to fulfil as many of the requirements of ISO/IEC 27001 as possible. If required information or processes do not exist, you will be shown how to create them. 

As your work on these various tasks proceeds, the tutorial nature of our meetings declines, and the meeting transition into technical review meetings, as illustrated in the figure below. Still later, there will be another transition. Whereas in the first two groups of meetings IMS-Smart is the convenor, tutor and moderator, in this third phase you will be the convenor and IMS-Smart will just be a participant, albeit perhaps in an expert capacity. In this phase you will recognise that your organisation is ready for certification.


Remote working

Our work can be performed remotely using virtual meeting platforms.

Productised IP-led service for building IMS

Our approach to assisting organisations to develop their ISMS capability is well established – so much so that we can also offer it as a “Productised Intellectual Property-led Service”. This provides an elegant and fast way to construct integrated management systems, and, as explained in our more detailed page, and allows you to extend your ISMS capabilities to other parts of your organisation. This is the approach taken by the Civil Service in Mauritius, and uses the overarching-subordinate concept.

Privacy extension

The new PIMS standard (ISO/IEC 27701:2019) augments and refines ISO/IEC 27001 and ISO/IEC 27002. It adds about 50 controls to ISO/IEC 27001 Annex A. The extension assists with demonstrating compliance to the GDPR and is straightforward to implement with IMS-Smart On-Line. We can help you do this.

Management system integration

We can help you integrate your management system with other management systems that you might have or establish an integrated management system capability from scratch. All new and revised management system standards now conform to new ISO Directives concerning high level structure and identical core text, which assists to identify common elements.

Specialist ISMS services

Because of our in-depth knowledge of ISO/IEC 27001 we are able to offer a range of specialist ISMS services including:

  • helping you with information security policy, risk assessment/risk treatment, the Statement of Applicability, implementing controls, internal audit, staff training and much, much more;
  • finding out how you get the very best out of your existing ISMS by identifying how to make it more efficient and more effective.


We are able to offer you a variety of virtual concerning all aspects of implementing the new breed of management system standards. Some of these courses are part of our PIPS, whilst others are being especially developed to meet market demand.

Your next step

If you would like more information on these services, or you would like to find out what else we can do for you, please do not hesitate to contact us - we’d be happy to help.