At an information security conference on 29 April 2004 there were gasps of awe from the audience as we announced that four clients of ours based in that country had achieved ISMS attestation in less than four months each from a standing start. Gamma's own ISMS took three months to build and be certified, with much of that being spent waiting for a convenient slot in BSI's and Gamma's busy schedules.

How can we do this?

The answer lies in our "fast track" approach to building Integrated Management Systems, of which an ISO/IEC 27001 ISMS is just a component.
It is a project management philosophy. Success follows from the ability to understand the purpose of a management system, and to plan and execute a well organised project that involves, from the outset, all the people who own the risks that the IMS will manage. Technology helps, such as our Template IMS referred to in our original paper on this subject, but on its own it is no substitute for skill and ability.
There are many approaches to building an IMS, but by far the quickest is to document your controls just as they are now and treat all desires for change as part of the continual improvement cycle. By all means opt for certification when the bulk of these have been completed, but at the very least you will have the benefit of having a fully operational IMS to assist you in your endeavours.
Key to success is the project plan. Typically, it will have four phases:
- Construct the IMS
- Prepare it and the organisation for certification
- Support the certification
- Help to operate the IMS through to and including the first surveillance visit.
The improvement cycle is often started in earnest as part of the fourth phase.
Another key ingredient of the methodology is the business-led approach to risk assessment and the production of risk treatment plans, described in our paper on measuring the effectiveness of an internal control system. Not only is this a very quick and efficient way to perform the risk assessment, it can easily be performed by non-IT people, facilitating buy-in from the very senior people in the organisation. We found this particularly convincing in our work with the Government of Mauritius. In support is a Template IMS, presently covering all ISO/IEC 27001, ISO 9001 (quality) and BS 25999 (business continuity) requirements, which acts as a head start for creating the IMS and ensures that nothing is omitted.
Feedback we have had from many people includes:

Gamma offers a wide range of ISMS and IMS Fast Track services that take advantage of our skill and ability in using this methodology.