These papers concern internal control and the
role played by information security and assurance. Our own
internal control system is certified compliant with ISO 9001:2000 and
ISO/IEC 27001:2005.
Management systems such as those specified by ISO/IEC 27001 (ISMS), ISO 9001 (QMS), ISO 14001 (EMS) and BS 25999 (BCMS) are only part of an internal control system.
Management establishes an internal control system to marshal the organisation's resources so as to achieve its business objectives and manage the associated risks. A key question is: how effective is an internal control system? We offer an answer to this question in the following paper:
This paper advocates time as the key metric. Simply put, can the internal control system detect an event fast enough for something to be done before the impact arises? We first published this concept as part of our work on the GlobalPlatform Card Security Requirements Specification, and we showed how to apply the full concept to GlobalPlatform smart cards at e-Smart 2004. We have also used the concept to demonstrate the link between the Common Criteria (ISO/IEC 15408) and Sarbanes-Oxley.
Our latest research looks at the concept of Opportunity Exploitation Plans (OEPs), which consider how an organisation plans to take advantage of the opportunities for meeting its business objectives. OEPs result in an organisation's processes and procedures for "getting the job done" and constitute the first part of an internal control system. They are the counterpart of Risk Treatment Plans (RTPs), which form the second part of internal control, i.e. the controls for ensuring that "the job is done the right way". In our paper "Exploiting an Integrated Management System" we combine the OEP and RTP concepts and add a third, the Alternative Ideas List (AIL), as a safety net in case the OEPs and RTPs initially fail to identify all the processes and controls necessary for an organisation to meet its mission. The AIL/safety-net concept is key to management system integration.
The IT Faculty of the Institute of Chartered Accountants in England and Wales is also publishing a number of supporting articles, which we will reproduce here as they are published. We are presenting the subject at a number of conferences and other events.