At an information security conference on 29 April 2004 there were gasps of awe from the audience as we announced that four clients of ours based in that country had each achieved ISMS attestation in less than four months from a standing start. Gamma's own ISMS took three months to build and have certified, with much of that time spent waiting for a convenient slot in BSI's and Gamma's busy schedules.

How can we do this?

The answer lies in our IMS-Smart approach to building true Integrated Management Systems, of which an ISO/IEC 27001 ISMS is just one component.
IMS-Smart is a methodology with associated technology and productised IP-led services, including training, for creating integrated management systems. We regard an Integrated Management System (IMS) as a management capability: the means by which an organisation establishes, polices and improves its system of internal control. It is supported by documentation and records and may be conformant with one or more management system standards. So for IMS-Smart, an integrated management system is much more than a means of seeking compliance with ISO management system standards; it is the key to sound internal control and corporate governance.

Our IMS-Smart productised IP-led service is a project management philosophy. Success follows from the ability to understand the purpose of a management system, and to plan and execute a well-organised project that involves, from the outset, all the people who own the risks the IMS will manage. Technology helps, such as that which we referred to in our original paper on this subject, but on its own it is no substitute for skill and ability.
There are many approaches to building an IMS, but by far the quickest is to document your controls just as they are now and treat every desired change as part of the continual improvement cycle. By all means opt for certification once the bulk of those improvements have been completed, but at the very least you will have the benefit of a fully operational IMS to assist you in your endeavours.

Key to success is the project plan. Typically, it will have four phases:
- Construct the IMS
- Prepare it and the organisation for certification
- Support the certification
- Help to operate the IMS through to and including the first surveillance visit.
The improvement cycle is often started in earnest as part of the fourth phase.
Another key ingredient of IMS-Smart is the business-led approach to risk assessment and the production of risk treatment plans, described in our paper on measuring the effectiveness of an internal control system. Not only is this a very quick and efficient way to perform the risk assessment, it can easily be performed by non-IT people, facilitating buy-in from the most senior people in the organisation. We found this particularly convincing in our work with the Government of Mauritius. In support is a Template IMS, presently covering all ISO/IEC 27001, ISO 9001 (quality) and BS 25999 (business continuity) requirements, which acts as a head start for creating the IMS and ensures that nothing is omitted.
Feedback we have had from many people includes:

Gamma offers a wide range of ISMS and IMS services based on IMS-Smart that take advantage of our skill and experience in using this methodology.