Our template contains all the essential ingredients for conformance

  Already have an ISMS? Perhaps we can help you create a better one!

IMS-Smart On-Line

In support of the IMS-Smart philosophy we have a Template IMS, called IMS-Smart On-Line, which contains all the essential ingredients necessary to produce the documented information in conformance with various ISO management system standards.

In particular we have an ISO/IEC 27001:2013 version that has been built from the ground up, paying close attention to the precise requirements of this new standard. There are just sixteen requirements for documented information and most of these concern results — long gone are the days when management systems required a documented this and a documented that.

Click here to register, or here if you are a returning user, or here if you just want to have a peek at a live evaluation system.

Principal features

The principal features of our technology are:

  • It is all you need to establish, operate, maintain and improve your ISMS;
  • There are examples and templates for all the required documented information;
  • There is a detailed explanation of all requirements and how to meet them;
  • It is easy to use and maintain;
  • You can achieve certification in a short period of time;
  • Licensing is by subscription and does not need a large one-off investment;
  • It runs on-line, or within your own network;
  • There are built-in copies of the standards and the guidance text;
  • There are extensions to demonstrate conformance to ISO 9001:2015 and ISO/IEC 27701:2019.

The screen shot below shows the home page of our latest ISO/IEC 27001:2013 version, showing the “Edit page” tab on the administration menu. If you are registered as an ISMS administrator you will see this option. It is your means to customise your instance of IMS-Smart On-line. The vertical menu window shows that some menu items have been collapsed and that this IMS-Smart On-Line instance demonstrates conformance to ISO 9001 and ISO/IEC 27701, as well as ISO/IEC 27001.


On-line page editing

The parts that you can edit are highlighted. In the original non-online versions of IMS-Smart On-Line that used Dreamweaver as an HTML editing tool, these custom text regions correspond to the Dreamweaver editable regions.

In the old Front Page technology these were the highlighted regions as shown in the figure above.

When you select Edit page the page goes into editor mode, see below.



You have control over headings, fonts, spell checking etc.

Examples — to get you started

In many cases you can display an example and edit that to get you started. Take a look at the screen shot below. Pressing the EXAMPLE button will overwrite the editing window with an example (or first give you a choice of examples to select from). Don’t like the example — then press CANCEL and revert to what you had before. Like the example — by all means edit it before saving.


There is a wizard that will give you a choice of complete examples and load your chosen example into all the relevant custom regions as draft pages. A draft page cannot be seen by the regular users of your ISMS. For them to see it, you must publish it first.

Help windows

You can toggle the help windows on and off. The following screen shots show them switched on.


The help is contextual, although there is a facility to view the whole of the administration manual and the technical guidance text (which is taken from Dr. David Brewer’s book “An introduction to ISO/IEC 27001:2013”, which is available for purchase in paperback and Kindle format on Amazon — 3rd Edition (2019)).


The Statement of Applicability

The Statement of Applicability (SOA) page works slightly differently in that editing is per control:


In the above SOA screen shot, the references to policy and RTP identifiers (S6, S9 etc) are automatically inserted if you associate a control with policy or an RTP.

In the new version of the standard, the SOA is used as a cross check that necessary controls have not been inadvertently omitted. Go through the SOA and, in editing each control, decide whether it applies or not and, if it does, whether it is for policy or for one or more RTP reasons. Note that in addition to saying that the applicability is yes or no, you may also declare it as variant. Use this if the control you use is similar but not quite the same as an Annex A control. The idea is that if you say that an Annex A control is applicable but do not conform to the specification given in Annex A you will be found nonconformant. If you declare it as a variant, effectively you are saying “That Annex A control is not applicable for these reasons … but we do something similar which is …”

Particularly for organisations that are part of a larger organisation, e.g. a business unit within a company, you have the ability to declare a control as being:

  • C (corporate): A control that is specified by an external organisation that your organisation must implement.
  • O (other): A control that is specified by an external organisation and implemented by them.
  • A (augmented): Either of the above controls, that being inadequate for your purposes, has additional features added to it by your organisation.
  • L (local): A control that you specify and implement.

This feature can be switched off (in which case all controls are deemed to be local). Alternatively you may set up overarching subordinate relations between the members of a hierarchy of ISMS. In this case a set of inheritance rules apply. For example:

  • The overarching ISMS may assign controls to a particular subordinate or require all subordinates to implement the control.
  • The overarching ISMS cannot declare the implementation status of a control, that being done solely by the subordinates that implement it.
  • A subordinate may declare a nonapplicable control (as decided by a superior) as being applicable, but not vice versa.
  • A subordinate may augment a superior control.
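
The four inheritance rules above can be expressed as a consistency check over a hierarchy of SOAs. The following is an added example, not IMS-Smart's own code: the record types, field names and the `check_inheritance` function are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SuperiorDecision:            # hypothetical record held by the overarching ISMS
    control: str
    applicable: bool
    assigned_to: Optional[frozenset] = None   # None means every subordinate
    implementation_status: Optional[str] = None

@dataclass
class SubordinateEntry:            # hypothetical SOA row in a subordinate ISMS
    control: str
    applicable: bool
    kind: str = "C"                # C, O, A or L as defined on this page
    implementation_status: Optional[str] = None

def check_inheritance(decisions, subordinate, entries):
    """Return findings where a hierarchy breaks the four rules listed above."""
    rows = {e.control: e for e in entries}
    findings = []
    for d in decisions:
        # Rule 2: status is declared solely by the implementing subordinates.
        if d.implementation_status is not None:
            findings.append(f"{d.control}: overarching ISMS declares implementation status")
        # Rule 1: a control binds this subordinate if assigned to it or to all.
        binds = d.assigned_to is None or subordinate in d.assigned_to
        if not (d.applicable and binds):
            continue   # Rule 3: nothing stops the subordinate opting in
        row = rows.get(d.control)
        if row is None or not row.applicable:
            # Rule 3 ("not vice versa"): cannot drop an applicable superior control.
            findings.append(f"{d.control}: {subordinate} must treat this control as applicable")
        # Rule 4: kind "A" (augmented) is allowed, so it raises no finding.
    return findings

# Constructed sample data; control numbers are ISO/IEC 27001:2013 Annex A references.
DECISIONS = [
    SuperiorDecision("A.9.2.1", True),
    SuperiorDecision("A.11.1.1", True, assigned_to=frozenset({"unit-b"})),
    SuperiorDecision("A.14.2.7", False),
    SuperiorDecision("A.12.3.1", True, implementation_status="implemented"),
]
UNIT_A = [
    SubordinateEntry("A.9.2.1", False),
    SubordinateEntry("A.14.2.7", True, kind="L"),
    SubordinateEntry("A.12.3.1", True, kind="A", implementation_status="implemented"),
]

if __name__ == "__main__":
    for finding in check_inheritance(DECISIONS, "unit-a", UNIT_A):
        print(finding)
```

For the constructed `unit-a` data this reports two findings: the subordinate has dropped a control the superior requires of everyone, and the superior has recorded an implementation status it is not entitled to declare.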

Controls may also be associated with RTPs from the RTPs pages.

Risk assessment

Risk assessments are performed using the IMS-Smart method. It’s quite simple. Identify the information security events that concern you. Determine how likely they are to occur and the severity of the impact that would then occur, and that’s the risk assessment done.

Note that ISO/IEC 27001:2013 does not require the identification of assets, threats or vulnerabilities.

You use the Edit page facility on the ‘risk assessments results’ page to enter the likelihood and severity data. IMS-Smart will then plot a graph for you.

Note that likelihood is expressed in an easy to comprehend manner (e.g. once a year, twice a day, …).

To help you there are 12 ‘standard’ events:

  1. Theft/loss of mobile devices
  2. Office break-in
  3. Acts of God, vandals and terrorists
  4. Software failure
  5. Hardware failure
  6. Power failure
  7. Internet/communications failure
  8. Regular fraud
  9. Hacking
  10. Web DOS
  11. Disclosure
  12. Breach of the law

With the ISO/IEC 27701 extension, there are three additional standard events.

You can also add your own events.

There is a wizard which will register all the standard events for you, and associate them with the relevant C, I and A consequences and relevant controls.

It is that simple.

Other features

There are many other features to IMS-Smart On-line:

  • The display automatically adjusts according to whether you are using a PC, tablet or smart phone.
  • The menu tab adjusts according to what events you have defined.
  • On certain pages you can set “page preferences”. There are also global preferences.
  • You can move forwards and backwards between pages as in a book.
  • You can upload PDF files and images.
  • You may use your own logo in the top left hand corner of each page.
  • You can create custom pages and choose whether users must acknowledge that they have read and understood them.
  • You can create special ‘action pages’ for audit reports and reviews and link their actions to a ‘to-do-list’ for action tracking and management.
  • Custom data is held encrypted.


Access is by user name and password.

When you register an ISMS you register the owning organisation and a principal ISMS administrator. That administrator may register other ISMS users and declare them as fellow administrators or regular users. Administrators may edit pages. Regular users cannot.

There is a special type of user, referred to as a consultant. Consultants can be associated with more than one ISMS.

Evaluation registration

You may register for an evaluation copy. This will give you a 30 day licence to try out the new technology. Pricing is then an initial charge of £104.44 for the first month and then £58.04/month plus applicable taxes thereafter.

Product videos

Why not take a look at our product videos.