Clause 4.4 of the ISO27001 standard is one of the smallest in size, but the one that, in my opinion, has the greatest day-to-day impact on the organization.

Establishing and implementing
In the context of ISO 27001, to “establish” means to put in place a process, procedure, policy, system or other form of documentation or practice: creating it for the first time, formalizing it and making it operational.
This covers, among other things, the security policies and procedures, the risk management process, the incident management process and so on.
To “implement” means that none of this stays in draft mode. Your practices must be documented, approved, communicated and actually operated throughout the organization; a policy that exists only as a file nobody has read is not implemented.
Maintain and continuously improve
The standard’s wording is “maintain and continually improve”. It means that the organization must put processes in place to keep identifying and correcting deficiencies in the information security management system (ISMS), and to ensure that the ISMS remains effective and conformant with the standard as well as with corporate, contractual and regulatory requirements.
In practice this means monitoring and evaluating the ISMS, identifying opportunities for improvement, implementing them and then checking the results to confirm they had the desired effect. It also means taking account of internal and external changes (technological developments, regulatory developments, stakeholder needs, organizational changes, etc.) so that the ISMS stays fit for purpose and effective.
In short, “continually improve” means that the ISMS must keep evolving so that it continues to meet the organization’s needs and achieve its security objectives.
In addition to all this, clause 4.4 requires the ISMS, including the processes needed and their interactions, to be established in accordance with the requirements of the standard, so your documents and practices must themselves conform to what the standard asks for.
Impact on the organization
This clause has a far-reaching impact on the organization, since it must have a clear way of doing things, review its practices regularly, and validate that its procedures, directives and documents conform to the standard. We’re not talking about the internal audit here, but about knowing whether each policy, practice or procedure is maintained, reviewed and improved on a regular basis!
PDCA – the Deming wheel
The concept of continuous improvement is most closely associated with W. Edwards Deming, an American statistician and quality management expert. He is best known for his work on improving quality and production using statistical methods from the 1940s onwards, and he devoted his career to teaching these principles to companies to help improve their performance. Deming himself credited the cycle to Walter Shewhart, which is why it is also called the Shewhart cycle.
PDCA is an acronym for the four stages of the quality management cycle known as the “Deming loop”, “Deming circle” or “Deming wheel”. The stages are:
- Plan: determine the objectives and the strategies and processes needed to achieve them.
- Do: implement the plans and strategies determined in the first step.
- Check: evaluate the results obtained and measure them against the objectives set.
- Act: make changes and improvements based on the results of the check stage, then start the cycle again.
PDCA is an iterative process that can be used to continuously improve processes and products. It helps identify opportunities for improvement and develop plans to implement them effectively.
Origin and purpose
The aim of the Deming loop is to improve product and process quality using a systematic, iterative approach.
Deming promoted this approach in response to the unsatisfactory quality of manufactured products he observed, and wanted to help companies improve the quality of their products and become more competitive by adopting a systematic approach to continuous improvement.
The loop enables companies to identify opportunities for improvement, implement the necessary changes and monitor the results to assess the effectiveness of those changes. The approach applies to all aspects of a business, including production, internal processes, employee management and customer relations, and ISO 27001 applies the same Plan-Do-Check-Act logic to the ISMS itself: clauses 4 to 7 plan it, clause 8 operates it, clause 9 checks it and clause 10 acts on the findings.
Success criteria
To determine whether clause 4.4 of ISO27001 has been met, here are some requests and questions an auditor might put to you:
- Show me your ISMS documents, with their approval and last-review dates, so I can see they are not several years old and that each one has an owner.
- Do you have an activity calendar for the ISMS (document reviews, risk assessment, internal audit, management review, awareness sessions)?
- How do you keep track of documents (version, owner, review date) so that nothing is forgotten when it is time to review it?
- Explain to me how the procedures were communicated to the teams and how the teams were trained on these new procedures; show me the evidence (attendance records, acknowledgements, communications).
- Show me an improvement you made since the last cycle and the evidence that it had the intended effect.