The IMS-Smart architecture pre-dates the ISO directives by 7 years, and is more embracing

  
  The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last
 

Architecture

The IMS-Smart architecture was first established by Brewer, Nash and List in their paper “Exploiting an integrated management system”, published in 2005. The architecture was created through a consideration of the similarities and differences between the ISO management system standards of that time, and its superposition on the UK Auditing Practices Board’s ideas on internal control. The architecture has stood the test of time. It has been brought up to date to accord with new ISO terminology. It is wholly compatible with the new high-level structure and identical core text that all new and revised management system standards must conform to, but goes further, indicating what some future high-level structure might look like.

The IMS-Smart architecture has four quadrants respectively called ESTABLISH, IMPLEMENT, MAINTAIN and IMPROVE.

ESTABLISH is the upper left-hand quadrant, and the logical sequence of activities cycles counter-clockwise in accordance with ISO tradition. The first box, mission, reminds us that no matter what the organisation, we must start with a clear statement of purpose. This box flows into another called business objectives. Its purpose is to establish what the organisation seeks to achieve. It can be long or short term in nature; it matters not. What is important is that the combination of mission and business objectives sets the objectives of the organisation. In carrying out these activities the organisation would take account of the issues that are relevant to its purpose and may affect its ability to achieve its objectives. An organisation also needs to understand the needs and expectations of interested parties so that it may also take account of their requirements. These activities establish what ISO refers to as the “context of the organisation”.

Flow then separates into three paths, and although it might at first view appear complex it is really quite simple. To the right are three boxes. They deal with opportunity exploitation. The first of these three boxes requires the organisation to consider business opportunities in general, and the second to identify those that are relevant to the achievement of its business objectives and are realistic in practice. These, as this second box indicates, are referred to as the applicable opportunities. This box also indicates that non-applicable opportunities should also be identified. These are important, as the failure to spot the transition of a non-applicable opportunity into an applicable one represents a risk. Indeed, this is not so strange as it may at first sound. How often have we missed an opportunity simply because we were unprepared for it? An important feature of the IMS-Smart philosophy is to prepare an organisation for this eventuality. The third box requires the organisation to develop its opportunity exploitation plans, which specify how it intends to create opportunities, respond promptly to those created by others, and exploit them successfully to create benefit and reward in accordance with its business objectives.

To the left are three similar boxes. They deal with risk management and are respectively marked business risks, applicable and non-applicable risks and risk treatment plans. The purpose of risk management is to ensure the success of the opportunity exploitation side of the house.

In the middle is a box marked policy. Its purpose is to choose, out of all the possible ways in which an organisation could meet its business objectives, which ones it wishes to pursue. History affords us an excellent example of such policy in the remarks attributed to Henry Ford: "a customer can have any colour of car they wish - provided it’s black". This box serves to constrain the manner in which the opportunity exploitation and risk treatment plans are developed. It defines, for example, the targets for opportunity exploitation and the organisation’s risk appetite.

Beneath this box is one marked safety net. If the opportunity exploitation and risk treatment plans are properly developed, the organisation should have identified all the sprites and controls that it needs. However, suppose there has been an error of judgement and something important has been overlooked? The purpose of the safety net is to protect the organisation against this possibility. It requires the organisation to perform a cross-check against something called an AIL, which is often presented in the form of sprites or controls that other organisations use, for example a code of best practice. The organisation determines which of these are applicable and records them in a statement of applicability. If this process identifies additional sprites or controls as being applicable then, as the IMS-Smart architecture diagram shows, the policy and the opportunity exploitation and risk treatment plans may need to be reworked.
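The safety-net cross-check described above can be made mechanical: every AIL entry is compared against the sprites and controls the plans already rely on, entries the plans missed but which bear on a known concern are flagged as applicable, and the result is written out as a statement of applicability. The following is an added example, not code from the IMS-Smart paper or the organisation described on this page. It assumes the AIL is held as a catalogue of entries tagged with the risk or opportunity areas they address, and that the plans yield a set of entry references; the `C-0x` references, titles and concern tags are constructed placeholders standing in for a real catalogue such as ISO/IEC 27001 Annex A.

```python
"""Safety-net cross-check: plans vs. an AIL catalogue, producing an SoA.

Added example; not the IMS-Smart project's own code. All identifiers are
constructed placeholders, not real Annex A numbering.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AilEntry:
    ref: str
    title: str
    concerns: frozenset  # hypothetical tagging: risk/opportunity areas the entry bears on


@dataclass(frozen=True)
class SoaRow:
    ref: str
    title: str
    applicable: bool
    source: str          # "plan", "safety-net" or "excluded"
    justification: str


# Constructed placeholder AIL (a code of best practice would normally supply this).
AIL = (
    AilEntry("C-01", "Malware protection", frozenset({"malware"})),
    AilEntry("C-02", "Supplier security requirements", frozenset({"supplier"})),
    AilEntry("C-03", "Access control policy", frozenset({"access"})),
    AilEntry("C-04", "Physical entry controls", frozenset({"physical"})),
)


def cross_check(ail, plan_controls, concerns):
    """Build the statement of applicability.

    plan_controls: refs of sprites/controls already selected by the opportunity
                   exploitation and risk treatment plans.
    concerns:      risk/opportunity areas the organisation has identified as
                   relevant in its context.
    """
    rows = []
    for entry in ail:
        overlap = entry.concerns & concerns
        if entry.ref in plan_controls:
            rows.append(SoaRow(entry.ref, entry.title, True, "plan",
                               "Selected by an opportunity exploitation or risk treatment plan"))
        elif overlap:
            # The error-of-judgement case: relevant, but no plan picked it up.
            rows.append(SoaRow(entry.ref, entry.title, True, "safety-net",
                               f"Relevant to {', '.join(sorted(overlap))} but absent from every plan"))
        else:
            rows.append(SoaRow(entry.ref, entry.title, False, "excluded",
                               "No identified risk or opportunity makes this entry relevant"))
    return rows


def rework_needed(rows):
    """Refs that the safety net caught; a non-empty set means the policy and plans need rework."""
    return {r.ref for r in rows if r.source == "safety-net"}


def unlisted_plan_controls(ail, plan_controls):
    """Organisation-specific sprites/controls that appear in no AIL entry (kept, just not in the SoA)."""
    return set(plan_controls) - {e.ref for e in ail}


def render_soa(rows):
    """Plain-text statement of applicability."""
    lines = [f"{'Ref':<6}{'Applicable':<12}{'Source':<12}Justification"]
    for r in rows:
        lines.append(f"{r.ref:<6}{'yes' if r.applicable else 'no':<12}{r.source:<12}{r.justification}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the plans chose C-01 and C-03 plus a home-grown control,
    # but the context work identified supplier risk that no plan addressed.
    plans = {"C-01", "C-03", "LOCAL-07"}
    context = {"malware", "supplier", "access"}
    soa = cross_check(AIL, plans, context)
    print(render_soa(soa))
    print("rework needed for:", sorted(rework_needed(soa)))
    print("outside the AIL:", sorted(unlisted_plan_controls(AIL, plans)))
```

The `source` column is what makes the SoA useful for the IMPROVE quadrant later: a row marked `safety-net` is direct evidence that the ESTABLISH work missed something, and the diagram's feedback arrow to policy and plans is simply the case where `rework_needed` is non-empty.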

Moving into the next quadrant, to the bottom left, we enter the IMPLEMENT part of the cycle. Here there are two boxes, one representing the controls and the other representing the sprites. Taken together, these two boxes represent the organisation’s working practices, which are usually a mixture of sprites and controls. For example, we have a sales and marketing practice which has about three times as many sprites as it does controls. In addition, this quadrant contains three further processes that are essential to this part of the cycle: the means by which management manages its resources; the processes to ensure staff competence and awareness; and the incident management and business continuity procedures. Note that we would consider business continuity exercises to be part of the training activity associated with staff competence and awareness.

Moving to the third quadrant, to the bottom right, we enter the MAINTAIN part of the cycle. Here there would be a variety of checking activities, and we cite four: management review, internal audit, effectiveness measurement and routine checking. Management review is where the top management of the organisation take stock of the IMS and ask whether it is delivering on its expectations and assisting the organisation. If not, what action is required to put it back on track? If no action is required, can it be improved? Internal audit checks whether what is being done in practice, in terms of the execution of sprites and controls and indeed the management processes within the IMS-Smart architecture, conforms to the stated policies, procedures, opportunity exploitation plans (OEPs), risk treatment plans (RTPs) and so on. Effectiveness measurement, as the name suggests, is a process for measuring the effectiveness of the sprites and controls. Routine checking is perhaps the commonest form of checking in everyday life. Examples are checking that the front door is locked, that there is fuel in the car and that bank accounts reconcile.

Moving to the fourth and final quadrant, to the top right, we enter the IMPROVE part of the cycle. Here, the outputs of internal audit, effectiveness measurement, incidents, management review, any other checking activity and finally operational change are taken, and a decision is made by or on behalf of the IMS owners (depending on the management system of the organisation concerned) as to whether each constitutes a nonconformity, a potential nonconformity or an improvement. Corrective action is then taken, or improvements made, in accordance with their business priority. It is important, when nonconformities are found, to identify their cause and take action about that as well. For example, internal audit might discover that a work instruction is not being carried out. The cause might be lack of awareness or training, but it could be because the work instruction is flawed, and it is this that requires change.

Conceptually, the cycle then repeats, cycling around forever. Note, however, that unless the architecture is deployed at the start-up of an organisation, its superposition on an existing system of internal control actually starts in the MAINTAIN phase. This is because sprites and controls are already in place, and the planning of these was done prior to the introduction of IMS-Smart. The process of installation is effectively one of reverse engineering, but the outputs generally give rise immediately to a host of corrective actions and improvements.