Using the Deming wheel for ISO 27001 certification: Plan phase (1/4)

What is the Deming wheel (PDCA)?

The Deming wheel (also known as the PDCA method, for Plan, Do, Check, Act) is a method particularly used to improve an organisation's performance, regardless of the business line concerned: marketing, human resources, finance or logistics.

It is a tool for continuous improvement, encouraging the optimisation of practices and the resolution of problems, thanks to short improvement cycles that encourage agile practices.

The Deming Wheel is based on four complementary stages:

• Plan: Plan actions.

• Do: Implement these actions, launch operations.

• Check: Evaluate and monitor the results of these actions.

• Act: If necessary, develop and optimise them.
  

Each phase is fairly short, to enable iterative work and rapid, continuous improvement of an organisation's practices.

The overall approach to project management proposed by the Deming Wheel consists of planning a set of actions to meet a targeted need, implementing these actions, analysing the results quickly and, if necessary, optimising or correcting them just as quickly.

How can the Deming wheel be used for ISO 27001 certification?

This project management tool can be used in any department of an organisation: in marketing, human resources, finance and sales, as well as for IT security projects.

In fact, this continuous improvement tool is perfectly suited to security governance strategies. Information systems security strategies require regular monitoring and continuous improvement if they are to remain fully relevant. This is the case, for example, with ISO 27001 certification.

The aim of ISO/IEC 27001 certification is to implement an information security management system (ISMS) within the certified organisation.

The implementation of this ISMS is made possible by the iterative approach favoured by the Deming wheel!

• Plan: The ISMS is designed, planned and prepared in such a way as to take account of and anticipate all the risks relating to information security.

• Do: Operational controls are implemented to create the ISMS and make it functional in the organisation's environment.

• Check: The controls implemented are regularly monitored, evaluated and measured so that they can be improved.

• Act: Corrective actions are taken quickly to achieve the planned objectives.

It is therefore on the use of this project management methodology (PDCA) applied to the ISO/IEC 27001 standard and to the creation of an ISMS, that we are going to focus over the next few blog posts.

How can this methodology, illustrated by the Deming Wheel, be used in companies to implement an ISMS?

How do each of these stages work? And what are the benefits of this tool in terms of information security and corporate security management?

The Deming wheel: the Plan phase for building your ISMS

During this first planning stage, the staff in charge of managing and monitoring the ISO 27001 certification project must gather the information and resources needed to make the ISMS feasible, identify the organization's needs and identify the security risks.

It is on this basis that the organisation's security processes and policies will be defined.

During this first stage of planning its ISMS, the organisation must take into account the challenges linked to the organisation and its context, as well as the requirements of the various stakeholders.

At this stage, the organisation plans:

• The roles and responsibilities of the stakeholders (decision-makers, employees involved, external service providers, etc.)

• The financial, material and human resources that will be required and that are available;

• The actions to be taken to deal with the project's risks and opportunities;

• The way in which these actions will be implemented, and their effectiveness assessed.

This first planning phase therefore consists of organising the progress of the project, identifying the risks and associated actions, and defining the information security objectives.

1- Assessing information security risks

To begin with, the organisation needs to define and apply an information security risk assessment process.

Put another way, this ultimately involves :

• Identifying information security risks: risks relating to the loss of confidentiality, integrity and availability of information;

• Identifying the risk owners (which employees are responsible for the area associated with each risk, and therefore in charge of risk management);

• Establish risk acceptance criteria (which risks are acceptable and which are not?);

• And finally, analysing the potential consequences of these risks should they arise, and prioritising the risks analysed to build a risk treatment plan.

This risk assessment stage therefore involves identifying precisely what the potential information security risks are, in order to understand in detail the consequences and dangerousness of these risks.

2- Determining actions to deal with information security risks

Once the risks have been identified and prioritised, the next step is to determine what actions will be taken to remedy these risks (avoid them), and what actions will be taken if the risk is proven (to correct it).

The organisation is then responsible for:

• Choosing the risk management options best suited to its challenges and resources. These correspond to the preventive actions needed to prevent the identified risks from occurring;

• Determining the controls needed to implement these risk management options;

• And draw up an information security risk management plan.

The risk management measures selected (as well as those not selected) must be set out in a declaration of applicability. Each measure, whether selected or not, must be justified.

The entire process must therefore be documented, retained and validated by the risk owners.

3- Information security objectives and plans for achieving them

The organisation must establish the information security objectives that will be pursued through ISO/IEC 27001 certification, and draw up a clear action plan to achieve these objectives.

To be relevant, the objectives must meet a set of criteria such as:

• Be consistent with the organisation's information security policy;

• Be measurable;

• Take into account the requirements applicable to information security and the results of risk assessment and treatment;

• Be communicated with teams;

• Be updated when necessary.

Once again, the organisation must document and retain all this information.

4- The support and resources needed to achieve information security objectives

Finally, the organisation must identify and provide the resources needed to establish, implement, maintain and continuously improve the information security management system.

Three elements need to be taken into account here: the necessary skills, the necessary awareness actions, and the necessary communication actions.

Necessary skills

The aim is to determine what skills are needed by people doing work that has an impact on information security performance, whether they have been sufficiently well trained and whether they have appropriate experience. If this is not the case, thought needs to be given to the actions that need to be put in place to enable employees to acquire the necessary skills and to evaluate the effectiveness of the training actions undertaken.

Once again, all this information must be documented and kept as evidence.

Necessary awareness-raising actions

The organisation's employees must be made aware of the information security policy in place.

• They must be aware not only of their contribution to the effectiveness of the information security management system (ISMS), but also of the positive effects of improved information security performance;

• And they must be fully aware of the implications of any non-compliance with the requirements of the information security management system (e.g. via an IT or security charter).

Necessary communication actions

Finally, the organisation must determine the communication needs (internal and external) that are relevant to the information security management system (ISMS), and in particular :

• What subjects should be communicated about?

• When to communicate?

• Who needs to communicate, and to whom?

• As well as the processes with which the communication must take place.

Creating an ISMS: a documented process

The Information Security Management System (ISMS) must be documented by the organisation so that its effectiveness can be assessed.

The information required in this documentation depends largely on the size of the organisation, its areas of activity, its processes, products and services, and the skills of the people involved.

When creating and updating this documentation, the organisation must ensure that certain elements are appropriate, in particular:

• Identification and description of risks, measures and stakeholders;

• The format of this documentation and its medium.

The documented information required by the ISMS must be regularly checked and kept up to date to ensure that :

• It is available and suitable for its intended use;

• It is properly protected (in terms of confidentiality, integrity and availability).

In order to control this information, the organisation must ensure that:

• The distribution, access, retrieval and use of this information;

• The storage and retention of this information,

• The control of modifications to this information (for example, version control);

• The length of time information is retained and deleted.

To conclude

To conclude, the first stage of this Deming wheel, the 'Plan', when applied to corporate cyber security, mainly consists of identifying the project's needs and potential risks, and determining the actions to be taken to prevent and correct these risks, through four main stages:

• Assessing information security risks;

• Choosing a risk management process;

• Defining information security objectives;

• Identifying the resources needed to implement the action plan.

In the next blog post, we'll look at how to apply the second step of the Deming wheel, 'Do', to the creation of an ISMS.

Related blog posts:

• "Using the Deming wheel for ISO 27001 certification: Do and Check phases"

• "ISO 27001 certification: requirements and certification process"

• "ISO 27001 and the ISMS (Information Security Management System)"

Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!

Find out more about our ISO 27001 certification support service!

We need your answers!

By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!

Thank you for your responses!

Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!