Continual improvement and ISO 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS).

ISO 27001:2005 mandated the Plan-Do-Check-Act (PDCA) approach for continual improvement, but with the introduction of the new version of ISO 27001 in September 2013, methodologies other than PDCA are now acceptable.

Companies transitioning to the new Standard should be aware that ‘continual improvement’ in ISO 27001:2013 has been extended to cover the suitability and adequacy of the information security management system (ISMS) as well as its effectiveness, but the Standard no longer specifies how an organization achieves this. Other methodologies such as Lean, Kaizen, and Six Sigma can now also be used.

Clause 10.2 in the new Standard stipulates the requirements for continual improvement. For organizations with an existing ISMS, the effect of removing the PDCA requirement may be negligible: the PDCA process is still valid.

Organizations beginning a new ISO 27001:2013 ISMS, however, will need to identify the best continual improvement process for their business, if one is not already in place. For most organizations, PDCA will still prove to be a practical and sound method to deploy.

Clauses 5.1 and 5.2 specify that the organization’s leadership shall promote continual improvement, and require that this commitment to continual improvement be contained in the information security policy.

Clause 9.3 states that top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. “The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.”

Lastly, clause 6.1.1 of the new Standard, covering planning, stipulates the following:

“When planning for the information security management system, the organization shall consider the issues referred to in 4.1 (the organization and its context) and the requirements referred to in 4.2 (the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed to:

  a) ensure the information security management system can achieve its intended outcome(s);
  b) prevent, or reduce, undesired effects; and
  c) achieve continual improvement.”

ISO 27001:2013 places a much greater emphasis on continual improvement, and organizations should continue to maintain and operate their ISMS during the transition process.

If you are in the process of transitioning to ISO 27001:2013, IT Governance has a range of resources that will help you get there faster.

Online ISO 27001:2013 Transition Training Course

Online ISO 27001:2013 Transition Consultancy

ISO 27001:2013 Documentation Toolkit