Skip links

PDCA in ISO27001 – Free guide to learn

PDCA in ISO27001
PDCA in ISO27001
PDCA in ISO27001

The plan, do, check and act cycle (PDCA)

Plan (establishing the ISMS): Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.

Do (implementing and workings of the ISMS): Implement and exploit the ISMS policy, controls, processes and procedures.

Check (monitoring and review of the ISMS): Assess and, if applicable, measure the performances of the processes against the policy, objectives and practical experience and report results to management for review.

Act (update and improvement of the ISMS): Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information to continually improve the said system.

About ISO 27001 

When it comes to keeping information assets secure, organizations can rely on the ISO/IEC 27000 family.

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

What is the meaning of ISO 27001?

First, it is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.”

It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.

ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.

ISO framework and the purpose of ISO 27001

ISO framework is a combination of policies and processes for organizations to use. ISO 27001 provides a framework to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).

Why is ISO 27001 important?

Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.

Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.

Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.

What are the 3 ISMS security objectives?

The basic goal of ISO 27001 is to protect three aspects of information:

  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.

What is an ISMS?

An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:

  1. identify stakeholders and their expectations of the company in terms of information security
  2. identify which risks exist for the information
  3. define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
  4. set clear objectives on what needs to be achieved with information security
  5. implement all the controls and other risk treatment methods
  6. continuously measure if the implemented controls perform as expected
  7. make continuous improvement to make the whole ISMS work better

This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.

To

ISO 27001
ISO 27001

Update by NeuPart  :

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System).

If you look at the new ISO 27001 that was published in late 2013, you may notice that it no longer contains a specific requirement for a PDCA process. Although it does contain headlines such as Planning, Operation, Performance Evaluation and Improvement, which admittedly are very close to PDCA, your company can now follow the new ISO 27001 without having an actual PDCA process.

But there is a clear requirement that you continuously improve your ISMS, formally phrased as “the organization shall establish, implement, maintain and continually improve the ISMS”.

In general the new ISO 27001 introduces more flexibility in terms of selecting method and form than the previous version. A good example of this flexibility is the requirement for continuous improvement. You can choose to use PDCA – or another method – as your way of continuously improve your ISMS.

My recommendation is that you only use PDCA to the extent that it makes sense to you. There are many other ways of ensuring ongoing improvement. Start with something as simple as having (or getting) an overview of your ISMS tasks. Since information security applies to most, if not all, your business processes, information security also involves a number of people. If you want to improve your information security you need to maintain a continuos overview of the security and compliance tasks people are assigned to, and you need to monitor whether or not the tasks are carried out.

Strengthening information security by getting a grip on all security and compliance tasks is one of the main features in Workflow TNG, a new SecureAware module, which we are proud to announce. Read the news here.

For more ISO relates posts click here