Friday 4 April 2014

Has ‘Plan-Do-Check-Act´disappeared in the new ISO 27001?

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System). If you look at the new ISO 27001 that was published in late 2013, you may notice that it no longer contains a specific requirement for a PDCA process. Although it does contain headlines such as Planning, Operation, Performance Evaluation and Improvement, which admittedly are very close to PDCA, your company can now follow the new ISO 27001 without having an actual PDCA process. But there is a clear requirement that you continuously improve your ISMS, formally phrased as "the organization shall establish, implement, maintain and continually improve the ISMS". In general the new ISO 27001 introduces more flexibility in terms of selecting method and form than the previous version. A good example of this flexibility is the requirement for continuous improvement. You can choose to use PDCA - or another method - as your way of continuously improve your ISMS. My recommendation is that you only use PDCA to the extent that it makes sense to you. There are many other ways of ensuring ongoing improvement. Start with something as simple as having (or getting) an overview of your ISMS tasks. Since information security applies to most, if not all, your business processes, information security also involves a number of people. If you want to improve your information security you need to maintain a continuos overview of the security and compliance tasks people are assigned to, and you need to monitor whether or not the tasks are carried out. Strengthening information security by getting a grip on all security and compliance tasks is one of the main features in Workflow TNG, a new SecureAware module, which we are proud to announce. Read the news here.

We have a number of resources and offers for you:



3 comments: