
Introduction

We are very pleased to announce that we have extended the scope of our ISO 9001 certification to ISO/IEC 27001. BSI performed the initial BS 7799-2 certification on 14 and 21 July 2004, and on 18 January 2006 we upgraded to the new ISO standard, ISO/IEC 27001. In this article we explain our motivation and present an overview of the management system that drives our system of internal control. A paper sharing our experiences of that initial certification process is available for download from this site.

Motivation

We first developed our web-technology-based Integrated Management System (IMS) to ensure compliance with the new management requirements of the quality standard ISO 9001:2000, and to research the problems faced by our clients with new corporate governance guidelines and regulations such as Turnbull and Basel II. Although we are not within the scope of these regulations, we wanted to understand at a practical level the problems of our clients who are obliged to comply with them. We also wanted to gain BS 7799-2 certification, which was the ISMS standard in force at that time. This was not only because we are authors of the standard, but because we believe that quality and information security are simply parts of an organisation's internal control system. Our own certification success supports that view.

An Overview of Gamma's IMS

The following figure shows a collage of a number of pages from Gamma's IMS, which may be briefly described as follows (the numbers in the diagram refer to the paragraph numbers below):

  1. The main navigation bar follows the methodological order recommended by the Audit Practices Board's guidance on providing assurance on the effectiveness of internal control: we start with the business objectives, proceed to analyse the risks, and then establish an internal control system to help us meet our objectives and manage our risks. The navigation bar also has a link to "management review", which contains the procedures for, and documents the results of, our internal audits and management system reviews.
  2. Each page in the electronic document is under configuration control. Clicking on the "DCR" banner takes you directly to the document control records, from which the entire change and approval history of the document can be determined.
  3. Risks are categorised under four major headings and use the definition of operational risk given in Basel II.
  4. The system sentences each risk as applicable or non-applicable, in accordance with the Audit Practices Board guidance.
  5. However, Risk Treatment Plans are established for both applicable and non-applicable risks, since it is necessary to guard against a non-applicable risk later becoming applicable.
Extracts from Gamma's web-technology-based internal control system: a collage of web pages, each numbered and explained in the main text.

Certification

Gamma's internal control system is certified to both ISO 9001:2000 and ISO/IEC 27001:2005. We have a single management system covering both standards (and a lot more besides), and therefore we have just one audit covering both standards.

There is a site map (see figure below) that identifies where in the site an auditor can look to find out how a particular ISO 9001 or ISO/IEC 27001 requirement is met. The figure also shows how the various requirements map onto the Deming cycle and the commonality between the two standards. In fact we designed the ISMS standard with integrated management systems in mind.

A lot of our project documentation uses similar web-based technology, so virtually everything is just a click away. That makes the IMS easy to use and maintain, and allows us to make reliable, informed decisions.

Site map showing the correspondence between (a) the different ISO 9001 and ISO/IEC 27001 requirements, (b) the overall internal control system and (c) the Deming cycle (Plan-Do-Check-Act). The index shows that some parts of Gamma's internal control system exist solely because of ISO 9001 or ISO/IEC 27001, some because of neither, and others are common to both standards.

Further Information

For further information read our papers on Fast Track ISMS, Measuring the Effectiveness of Internal Control Systems and A Tale of BS 7799-2 Certification. We also offer a variety of commercial services, including helping clients to establish an ISMS using our fast track approach. Please do not hesitate to contact us.

Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 2004-8
Page last updated: 17 March, 2008