CHAPTER 10: PROCESS APPROACH AND THE PDCA CYCLE

The PDCA model or cycle is the Plan–Do–Check–Act cycle that originated in the 1950s with W. Edwards Deming. It states that business processes should be treated as though they are in a continuous feedback loop, so that managers can identify and change those parts of the process that need improvement. The process, or an improvement to the process, should first be planned, then implemented and its performance measured; the measurements should then be checked against the planned specification, and any deviations or potential improvements identified and reported to management for a decision about what action to take.

PDCA and ISO27001

In the previous edition of ISO27001, Clause 0.2 clearly stated that the process required for implementing an ISMS was PDCA. With the release of ISO27001:2013, however, this is no longer a mandatory feature of the ISMS. In fact, ISO27001:2013 offers no explicit guidance with regard to the continual improvement approach, other than specifying that one is required, allowing the organisation to identify its own best practice for its ISMS.

Despite the removal of the PDCA cycle from the specification, it remains a valid and effective process for implementing the ISMS. In the absence of a defined process, it is sensible to apply PDCA, which has been a practical approach for many years.

Application of the PDCA cycle to a process approach means that, following the basic principles of process design, there need to be both inputs to and outputs from the process. An ISMS takes as its input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.[1]

The PDCA cycle and the clauses of ISO27001

The correspondence between the PDCA cycle and the stages identified in the Standard for the development of the ISMS is as set out below.

Plan (establish the ISMS):

•  define the organisation and its context (Clause 4.1)

•  define the scope of the ISMS (Clause 4.3)

•  define the information security policy (Clause 5.2)

•  define a systematic approach to risk assessment (Clause 6.1.2)

•  carry out a risk assessment to identify, within the context of the policy and ISMS scope, the important information assets of the organisation and the risks to them (Clause 8.2)

•  assess the risks (Clause 6.1.2.d)

•  identify and evaluate options for the treatment of these risks (Clause 6.1.3)

•  select, for each risk treatment decision, the control objectives and controls to be implemented (Clause 6.1.3.b)

•  prepare a statement of applicability (SoA) (Clause 6.1.3.d).

Do (implement and operate the ISMS):

•  formulate the risk treatment plan and its documentation, including planned processes and detailed procedures (Clause 6.1.3.e)

•  implement the risk treatment plan and planned controls (Clause 8.3)

•  provide appropriate training for affected staff, as well as awareness programmes (Clause 7.2)

•  manage operations and resources in line with the ISMS (Clauses 7.2 and 8.1)

•  implement procedures that enable prompt detection of, and response to, security incidents (Clause 8.1).

Check (monitor and review the ISMS):

•  the ‘check’ stage has, essentially, only one step (or set of steps): monitoring, reviewing, testing and audit (Clause 9)

•  monitoring, reviewing, testing and audit is an ongoing process that has to cover the whole system.

Act (maintain and improve the ISMS):

•  testing and audit outcomes should be reviewed by management, as should the ISMS in the light of the changing risk environment, technology or other circumstances; improvements to the ISMS should be identified, documented and implemented (Clause 9)

•  thereafter, it will be subject to ongoing review, further testing and improvement implementation, a process known as ‘continuous improvement’ (Clause 10).

[1] ISO/IEC 27001:2013, 4.2 and 4.3.
