Continual Improvement in ISO 27001 PDCA Life Cycle
- deming wheel, information security life cycle, iso 27001, PDCA cycle
Continual improvement is fundamental to every ISO management system standard, including ISO 27001, the standard for Information Security Management Systems (ISMS).
The idea behind continual improvement in ISO 27001 is to keep the achieved level of security sustained over time, through strategic activities such as periodic internal audits, certification surveillance audits, cold-eyes reviews, project compliance reviews, and so on.
At its simplest, continual improvement is driven by the Deming Wheel, better known as the PDCA cycle (Plan, Do, Check, Act). Its four core activities form a closed loop that can sustain the long-term establishment of IT security assurance within the ISO 27001 framework.
In summary, each step of the PDCA cycle maps onto the ISO 27001 standard as follows (each PDCA step is mapped to the ISO 27001 chapters, i.e. clauses, that implement it; the quoted definitions of the steps are taken from the standard):
Plan
“Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.”
- Chapter 4. Context
- Chapter 5. Leadership
- Chapter 6. Planning
- Chapter 7. Support
This step is the starting point of the ISO 27001 life cycle. Its main focus is to establish the ISO 27001 framework within the organization. Four correlated chapters of ISO 27001 belong to this step, and each supports the others so that the ISMS is properly established in the internal environment: context (understanding the organization and defining the ISMS scope), leadership (management commitment and the security policy), planning (risk assessment, risk treatment and security objectives) and support (resources, competence, awareness, communication and documented information).
Different institutions will run different establishment programs against ISO 27001, because they differ in the nature of their systems, volume, complexity, people, management in place, technology in use, future plans, and so on.
This step is crucial for the following three steps of the PDCA cycle, since all of the strategic planning and implementation, including the assessment and audit activities, are designed and established here.
Do
“Implement and operate the ISMS policy, controls, processes, and procedures.”
- Chapter 8. Operations
Moving from the PLAN step to the DO step, we usually encounter commissioning and testing: this is the transition from the design to real-world activities. Alignment between the entities involved must be ensured, since the IT security assurance to be achieved requires an integrated approach across every step of the PDCA cycle. Using a well-known standard such as ISO 27001 is therefore one of the best approaches to ensure integration and unity in the ISMS activities, especially during the Operations phase, which is the longest phase within the PDCA cycle.
Check
“Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience and report the results to management for review.”
- Chapter 9. Performance Evaluation
Maintaining optimum performance is a must if we want the results of a process to stay within expectations. The implementation and operation of the ISO 27001 framework should therefore be evaluated in order to uncover weaknesses that can still be fixed, to raise the current practice to a better level, to make working activities more efficient, to capture new vulnerabilities and threats facing the organization, and so on.
The performance evaluation is usually carried out in the form of an audit, and the audit must follow the audit requirements set out in ISO 27001 (clause 9.2, internal audit, alongside the monitoring and measurement of clause 9.1 and the management review of clause 9.3). The ISMS audit is performed at planned intervals: in a certification scheme, a full certification audit is typically carried out once every 3 years, with smaller-scope surveillance audits in the intervening years, while the organization's own internal audits of the ISMS are normally run at least annually.
The main goal of the audit is to ensure that the ISMS adheres properly to the ISO 27001 standard; where gaps exist between current practice and the standard, corrective activities should be carried out (if agreed) to close them.
Act
“Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.”
- Chapter 10. Improvement
The last step of the cycle is Improvement. It is closely tied to the third step, Check, since the audit results are the fundamental reference for its improvement activities. As a consequence of the audit findings and recommendations, there will surely be new projects, strategic activities that require man-hours, or even a redesign of existing systems.
As long as the improvement activities are based on risk management, each organization can determine which gaps must be followed up immediately and which can be put on hold. The PDCA cycle is a closed loop that requires dynamic improvement over time.
IT security is itself dynamic and moves fast, and it requires the organization to keep pace with the changes by ensuring that the ISO 27001 PDCA life cycle process remains under control.