by The Open University
In Section 5 you were introduced to the nine-stage ISMS planning process advocated by the Standard. You have also, in Sections 5 and 6, looked in some detail at some of these stages, namely those comprising the ISMS documentation and asset identification tasks.
However, an ISMS must not only be planned, it must also be implemented, operated, monitored, reviewed, maintained and improved. Part 2 of the Standard provides guidance on these processes, which it suggests should be undertaken following a Plan-Do-Check-Act (PDCA) cycle. Here we introduce you to the PDCA cycle.
Walter Shewhart, a statistician working at Bell Laboratories in the 1930s, is credited with originating the PDCA cycle. The PDCA cycle is the Standard's proposed methodology for the commissioning and continuous improvement of an ISMS. The PDCA cycle is also known as the Deming cycle, after the quality management guru W. Edwards Deming, who popularised it.
Central to the PDCA cycle is the simple idea that we learn by doing. In the context of tackling a particular problem, the PDCA cycle relates to the idea that the act of building a solution to a problem leads to a better understanding of that problem, which can in turn lead to building a new and better solution, and so on. In its generic form, the PDCA cycle consists of the four iterated stages, Plan, Do, Check and Act, shown in Figure 7.
Figure 7 The PDCA cycle
The purpose of the Plan stage is to understand the problem and develop an initial, but fit-for-purpose, solution that can be created relatively quickly. Criteria against which the effectiveness of the initial and future solutions can be gauged are also agreed.
In the Do stage, the results of the Plan stage are implemented and then used. In the first iteration, this generally just means a pilot study to test the initial solution, so limiting any damage from mistakes in the Plan stage.
In the Check stage, the solution is observed in operation. The idea is to answer the following sorts of questions.
Does the solution work in the way it was expected to? How well does it stand up against the evaluation criteria set up in the Plan stage?
Has producing a solution changed our perception of the problem? Which parts of the problem do we understand well, and which parts not so well?
How could we change the solution to make it better? What changes would reflect our new perception of the problem? Which parts of the solution work well and which work poorly?
The answers to questions like these prepare for the Act stage, in which the current solution and the results of the Check stage are used to define a revised problem for initiating the Plan stage of the next iteration.
Although not appropriate for all types of problem, the PDCA cycle does provide a way of tackling those problems:
that exist in a complex and changing environment;
that need an initial solution relatively quickly;
for which there exist resources for continual improvement.
These characteristics certainly ought to apply to information security management.
(a) Describe one or more areas of your life in which you use or could use the PDCA cycle.
(b) Identify problems in your own organisation for which the PDCA cycle might be a useful strategy.
In tackling both parts of this activity, you may wish to consider the three characteristics of problems to which the PDCA cycle is suited (a complex and changing environment, a quick initial solution, and resources for continual improvement) and assess whether they apply to any part of your work or home life. There may already be daily situations in which you unknowingly apply the PDCA cycle.
(a) One M886 Course Team member thought of the following two examples.
It would seem that I structure my work day using the PDCA cycle. The day starts with an initial to-do list (Plan); working through the list (Do), I complete tasks; I observe that the list grows and shrinks as new tasks come in, and existing ones are finished (Check). I alter priorities in the list (Act) to accommodate the day's unfolding requirements. Each day, therefore, consists of one or more iterations of the PDCA cycle.
Software development is an example of the PDCA cycle in action: an alpha release is an initial solution to a problem, which will be internally tried out, tested and changed to complete one PDCA cycle. Then a beta version is released to the wider world and the second iteration begins. Beta testers continue using the software, noting and feeding back problems to the developers, over many PDCA cycles. Later beta versions become candidate final releases, and then final versions are sold to the public. Nor is that the end of the matter, of course: as soon as a final release is in wide circulation, customers send in bug reports which drive further iterations of the PDCA cycle.
(b) The Open University is feeling competition, for the first time, in its provision of university degrees by distance learning, and this has resulted in pressure to move from its traditional teaching model to more widespread electronic presentation of courses. At the same time a raft of new legislation and regulation now applies to electronic presentation. Thus the problem of electronic presentation of courses would seem to fit the characteristics of a type of problem to which the PDCA cycle could usefully be applied.
The PDCA cycle is a significant tool in an organisation's work on information security management. However, it is beyond the scope of this unit to discuss how it can be applied to ISMS management.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).