Our template contains all the essential ingredients for conformance
In support of the IMS-Smart philosophy we have a Template IMS, called IMS-Smart On-Line, which contains all the essential ingredients necessary to produce the documented information in conformance with various ISO management system standards.
In particular we have an ISO/IEC 27001:2022 version that has been built from the ground up paying close attention to the precise requirements of this new standard. In particular there are just sixteen requirements for documented information and most of these concern results — long gone are the days when management systems required a documented this and a documented that.
The principal features of our technology are:
The screen shot below shows the home page of our latest ISO/IEC 27001:2022 version, showing the “Edit page” tab on the administration menu. If you are registered as an ISMS administrator you will see this option. It is your means to customise your instance of IMS-Smart On-line. The vertical menu window shows that some menu items have been collapsed and that this IMS-Smart On-Line instance demonstrates conformance to ISO 9001 and ISO/IEC 27701, as well as ISO/IEC 27001.
On-line page editing
When you select Allow editing the page goes into editor mode, see below.
The parts that you can edit are highlighted. Sometimes there are multiple regions on a page. These correspond to different ISO/IEC 27001 requirements.
You have control over headings, fonts, spell checking etc.. Version numbering is automatic.
Examples — to get you started
In many cases you can display an example and edit that to get you started. Take a look at the screen shot below. Pressing the EXAMPLE button will overwrite the editing window(s) with an example (or first give you a choice of examples to select from). Don’t like the example — then press CANCEL and revert to what you had before. Like the example — by all means edit it before saving. Note the buttons to PREVIEW, SAVE DRAFT, REPUBLISH CURRENT EDITION and PUBLISH AS NEW EDITION.
You can toggle the help windows on and off. The following screen shots show them switched on.
The help is contextual, although there a facility to view the whole of the administration manual and the technical guidance text.
Risk assessment is based on events and consequences (as advocated by ISO 31000) and is driven by a questionnaire.
The screenshot show the risk questionnaire wizard. Questions are answered using radio buttons and sliders. The graph shows the resultant inherent risk values. Once all the questions have been answered, the process of risk assessment is complete.
The control question wizard speeds up risk treatment, and facilitates automatic production of the Statement of Applicability (SOA). There are 182 questions. Half of these correspond directly to the 93 Annex A controls. The other questions are derived from the control purposes and guidance text in ISO/IEC 27002:2022, plus some more to ensure that there are no gaps in the risk treatment plans (see below).
The answers to each question can be “yes”, “similar” or “no”. If the answer is no” and the question corresponds to an Annex A control, you will be asked to explain why. This explanation is required for the SOA, as a justification is required for all excluded Annex A controls.
If cannot truthfully answer “yes” because the question does not faithfully correspond to what you do, answer “similar”. You will then be invited to enter a replacement question (to which the answer would be “yes” The statement forms of these questions correspond to your necessary controls. They are used to populate the risk treatment plans (RTPs) and the SOA.
If you have some necessary controls in addition to those that correspond to these questions, don’t worry — there is a facility to create your own custom controls and assign them to the RTPs.
Risk treatment plans
The “yes” and “similar” answered questions are used to create the risk treatment plans (RTPs). There are 9 built-in plans, which guarantee coverage of the Annex A controls. You don’t need to use all of these. You can create your own. You can reorder them and rename them.
The principal component of the RTP is the story text. These are partitioned into three parts: preventing the event, detecting the event, and reacting to the consequence(s). In edit mode, the control statements can be reordered and the display text edited to create an easy to understand explanation of the risk treatment plan.
Also in edit mode, you can specify the effectiveness of your RTPs, using radio buttons and sliders. The graph shows the effect. The black squares correspond to the inherent risk (defined by the risk assessment) and the white squares correspond to the residual risks, i.e., the risks after treatment.
The Statement of Applicability
The Statement of Applicability (SOA) page is automatically generated from the answers to the control questions.
There are two formats: traditional, which uses the structure of Annex A, or the modern layout, which puts all the necessary controls first and the excluded Annex A controls last. There is a drop down menu to help to to find the entry for a given Annex A or custom control.
There are many other features to IMS-Smart On-line:
Access is by user name and password.
Want to know more or buy a copy
Please use our enquiry facility to ask.
you consent to that site setting authentication session cookies
|© IMS-Smart Limited, 2013-23|
|Page last updated: February 14, 2023|