We have now crossed the threshold of one year since the release of the 2013 revision of ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes. Since this was a revision of the previously released ISO/IEC 27001:2005 standard, enterprises had a grace period for certification or re-certification to the newly released standard. As of October 2015, the 2005 version is no longer valid.
The previous versions of ISO 27001 clearly required the use of the Deming cycle, or Plan-Do-Check-Act (PDCA) cycle, for the continual improvement of the ISMS, but now other methodologies such as Lean and Six Sigma may be used instead. The wording of clause 10.2, Continual Improvement, in the 2013 revision is more vague than it is reassuring. Even organizations just beginning the journey to ISO 27001 certification will need to choose the continual improvement process best suited to their business, and this may cause issues if the leadership disagrees about which method is "best".
Is it time to throw away all the work the enterprise has been doing and start fresh with a new method? Possibly, if your enterprise is restructuring or merging and the potential for excess systems, processes and people will limit the short- and long-term gains expected from the major changes. But as the popular cliché "if it ain't broke, don't fix it" reminds us, adopting something new isn't necessarily the best decision.
Interestingly enough, Dr. W. Edwards Deming introduced the PDCA cycle to Japan at the Japanese Union of Scientists and Engineers (JUSE) in 1950. The cycle was a modified version of one introduced by Walter Shewhart in 1939, which in turn traces back to the scientific method of Galileo in the 1600s. The Japanese referred to this method as the Deming wheel, and it was a major influence on modern manufacturing in Japan, leading to the highly regarded Lean Management thinking of Toyota popularized in the book The Machine that Changed the World by Womack, Roos and Jones (1990).
In the 1980s Dr. Deming introduced to the Western world an evolved version he believed was more relevant to modern times, called the PDSA cycle. This cycle was named the "Model for Improvement", and the change of the 'C' for 'Check' to 'S' for 'Study' was meant to make clear that the cycle is best suited to learning and improving through an evolutionary process. In short, one must learn from each turn of the cycle in order to make the improvements that naturally yield the desired results.
Enhancement means improving what already exists, and that is the best course of action when discussing the quality and effectiveness of a risk management process for an ISMS. Just as the tried and true scientific method developed by Galileo evolved over time, the effectiveness and continual improvement of an ISMS can also benefit from a few intelligent modifications, leading to a shorter implementation timeframe and higher quality of execution.
Why not apply Lean principles to the existing ISMS and risk management strategy when implementing the guidance provided by ISO 27001? The ISO 27001:2013 standard is regarded as one of the best models for a successful ISMS implementation in enterprises. Applying Lean thinking and techniques to the implementation process will not only increase efficiency, but also reduce waste and improve the capabilities of the individuals involved (in most cases a successful ISMS involves everyone in the enterprise). This is not an endorsement of a full Lean implementation in your organization, but an intelligent nudge to evolve the thinking and actions of the crucial participants.
Now that you're bought in, what is Lean? The narrow definition is improved tools and cost cutting, but the broader definition is enhanced thinking applied systematically to the entire enterprise and its supporting business systems.
Lean is based on five principles that flow into one another and are continuous. How the five principles are applied will vary depending on where the organization stands when it decides to enhance its risk management strategy. Here are the 5 principles and their application to risk management:
Repeating the 5-step process may expose hidden waste in the value stream or reveal obstacles to the flow of information. The ISMS or risk management teams need to be in closer contact with other employees in order to better understand the real-world issues preventing the expected level of execution. Sharing assessment and audit results transparently with everyone on a frequent basis will increase knowledge and help employees discover better ways to create value. An additional key benefit is rapid and positive feedback for employees making improvements, a key feature of Lean work and a powerful motivator for continued improvement efforts.
Applying the 5 principles of Lean thinking to your ISMS and ISO 27001 projects can be intimidating at first, especially if you are unfamiliar with the Lean way of thinking and project management. We encourage you to seek out more information on Lean management and use your own judgment to apply some of its best practices to your business.
We have designed RM Studio to be a dynamic risk management toolkit based on the methodology of ISO 27005. RM Studio is designed to help your enterprise organize and simplify the ISO 27001 certification process and cement the best practice behaviors into everyday use.