Lean Thinking for ISMS and ISO 27001:13

We have now crossed the threshold of one year since the release of the 2013 revision for ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes. Since this was a revision to the previously released ISO/IEC 27001:2005 Standard, enterprises had a grace period for the re-certification or certification to the newly released standard. As of October, 2015 the 2005 version is no longer valid.

The previous versions of ISO 27001 clearly required the use of the Deming cycle or Plan-Do-Check-Act (PDCA) cycle for the continual improvement of the ISMS, but now other methodologies such as Lean and Six Sigma may be utilized instead. The change to the 2013 revision clause 10.2, Continual Improvement, is vaguer than it is assuring. Even organizations beginning the journey to certification of ISO 27001 will need to choose the best continual improvement process for their business and this may cause issues if the leadership disagrees about the ‚best‘ method.

Is it time to throw away all the work the enterprise has been doing and start fresh with a new method? Possibly, if your enterprise is restructuring or merging and the potential for excess systems, processes and people will limit the short and long term gains expected by the major changes. But as the popular cliché „if it ain‘t broke, don‘t fix it“ states, the need to use something new isn‘t necessarily the best decision.

The PDCA Cycle

Interestingly enough, Dr. W. Edwards Deming introduced the PDCA cycle to Japan at a Japanese Union of Scientists and Engineers (JUSE) in 1950, which was a modified version of the scientific method that traces back to Galileo in 1600‘s introduced by Walter Shewhart in 1939. The Japanese referred to this method as the Deming wheel and it was a major influence on the modern manufacturing in Japan leading to the highly regarded Lean Management thinking of Toyota popularized in the book The Machine that Changed the World by Womack, Roos and Jones (1990).

In the 80‘s Dr. Deming introduced to the Western World an evolved version he believed was more relevant to modern times, called the PDSA Cycle. The „Model for Improvement“ was the name of this cycle and the change of the ‚C‘ for ‚Check‘ to ‚S‘ for ‚Study‘ was to provide a clear understanding that the use of the cycle is best suited for learning and improving through an evolutionary process. In short, one must learn from the cycle in order to make the improvements that naturally yield desired results.

Enhancement is a term that represents improving what exists and that is the best course of action when discussing the quality and effectiveness of a risk management process for ISMS. Just as the tried and true scientific method developed by Galileo evolved over time, the effectiveness and continual improvement of ISMS can also benefit from a few intelligent modifications leading to a shorter implementation timeframe and higher quality of execution.

Lean Thinking

Why not apply Lean principles to the existing ISMS and risk management strategy when implementing the guidance provided by ISO 27001? The ISO 27001:2013 Standard is regarded as one of the best models for a successful implementation of ISMS in enterprises. The application of Lean Thinking and techniques to the implementation process will not only aid in increasing efficiencies, but also reduce wastes and improve the capabilities of the individuals involved (in most cases a successful ISMS involves everyone in the enterprise). This is not an endorsement for a full Lean implementation in your organization, but an intelligent nudge to evolve the thinking and actions of the crucial participants.

Now that you’re bought in, what is Lean? The narrow definition is improved tools and cost cutting, but the broader definition is enhanced thinking applied systematically to the entire enterprise and supporting business systems.

Lean is based on five principles that flow into one another and are continuous. The application of the five principles will vary depending on where the organization is when deciding to enhance the risk management strategy. Here are the 5 principles and there application to risk management:

• Principle One: Specify Value
  “Value” is the critical element in thinking Lean. Everything about Lean is to promote more value from within. You need to identify the highest stress points threatening value throughout the ISMS.  By determining the value on specific goods or services or combinations of them we can start to understand where to enhance value.
• Principle Two: Identify and map the Value Stream
  “Value stream” is the specific set of activities needed to carry a specific product (goods, services or a combination of both) to the ones who need it. Identifying and removing the steps that don‘t add value are also a crucial element of mapping the Value Stream. For example, a quality ISMS has the IT architecture mapped, but the efficiency and convenience are rarely top priorities. Taking into account the Lean principle for mapping the Value Stream, the enterprise can align the IT (high value) with a more efficient delivery system (value stream) to the customers (employees of the enterprise). In order to do this phase in a successful manner, we need to have transparency for a full view of related activities with an effect on one another.
• Principle Three: Continuous Flow
  “Flow” is the third step in Lean Thinking and the idea is to make the value-creating steps in tight sequence for a smooth flow of information. The risk management point of view puts this principle to the test, as the ISMS needs to provide a smooth flow of information but must also provide protection along the journey. “The lean alternative is to redefine the work of functions, departments, and firms so they can make a positive contribution to value creation and to speak to the real needs of employees at every point along the stream so it is actually in their interest to make value flow.” (Womack & Jones, 2003, p.24)
• Principle Four: Establish Pull
  The “Pull” principle states that as “Flow” is introduced, information access levels are required to maintain integrity. This may present the most challenging adaptation, but the idea is simple. In terms of Lean Thinking for ISMS secure all information until it is needed by someone with an approved access level for the data. The Pull mechanic is also a valuable process for gathering and reviewing information, especially by the decision makers.
• Principle Five: Seek Perfection
  “Seek Perfection” is the fifth principle in Lean Thinking and it is simply understood as continuous improvement for everything: people, process, policies, reporting, transparency, and expectations. The fifth principle also brings us back to the first principle, Identify Value, thus completing the wheel. Seeking perfection can be a tricky principle to apply, as it requires that vast majority of your co-workers to raise their level of awareness, knowledge, and willingness to follow the policies and controls being put into place. In risk management for ISMS you can begin to review the control implementation from a higher level by assessing the maturity by determining if the control is being executed regularly by all parties involved. You should also begin to evaluate the effectiveness of the control implementation. For any implemented control that doesn‘t meet your expectations, a best practice is to set the level of expected execution and assign someone to be responsible for achieving the desired level of execution by a set date. Essentially by using this exercise to self-audit your ISMS implementation you are fulfilling a task for the ISO 27001 certification, as well as preparing yourself for repeating the 5 step thought process (5 principles) to move closer to perfection.

Repeating the 5 step process may expose the hidden waste in the value stream or reveal obstacles to the flow of information. The ISMS or risk management teams need to be in closer contact with other employees in order to better understand the real-world issues preventing the expected level of execution. Transparency of assessment and audit results shared with everyone on a frequent basis will increase knowledge and help the employees discover better ways to create value. An additional key benefit is rapid and positive feedback for employees making improvement, a key feature of Lean work and a powerful motivator to continuing efforts to improve.

Lean Thinking and ISMS

Applying the 5 Principles of Lean Thinking to your ISMS and ISO 27001 projects can be intimidating at first, especially if you are unfamiliar with the Lean way of thinking and project management. We encourage you to seek out more information on Lean management and use your own intelligence to apply some of the best practices to your business.

We have designed RM Studio to be a dynamic risk management toolkit based on the methodology of ISO 27005. RM Studio is designed to help your enterprise organize and simplify the ISO 27001 certification process and cement the best practice behaviors into everyday use.