ISO 27001:2013 and continual improvement

ISO/IEC 27001:2013 outlines the requirements for establishing, implementing, maintaining and continually improving an ISMS (information security management system). As cyber security threats continue to proliferate, it has become vital to implement a robust ISMS.

This has resulted in the remarkable growth of ISO 27001 certifications in the APAC region, with 10,414 certifications in 2014 vs. 17,562 in 2017 – an increase of 68%.

Under clause 10.2 of ISO 27001, great emphasis is laid on the continual improvement of the ISMS, and it offers great flexibility in doing so.

Unlike older management system standards, it does not mandate the PDCA (Plan-Do-Check-Act) cycle. Instead, it allows the organisation to implement other procedures for continual improvement, such as Six Sigma, Lean and Kaizen.

Identifying a suitable continual improvement methodology is crucial for organisations seeking to implement ISO 27001. Of course, PDCA is still a valid and practical method that can be deployed by organisations of all sizes.

Clauses 5.1 and 5.2 of the Standard outline the role of the organisation’s leadership in promoting continual improvement. Their commitment towards continual improvement should be reflected in information security policies.

Similarly, Clause 9.3 asserts that the ISMS should be reviewed by the leadership at planned intervals to ensure its continuing suitability, adequacy and efficiency.

It specifically states that “The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.”

Clause 6.1.1 of ISO 27001 deals with the aspects of strategic planning of the ISMS, which is itself part of the process of continual improvement. It requires the organisation to examine its needs in relation to continual improvement on a regular basis.

It goes without saying that ISO 27001:2013 places considerable emphasis on continual improvement. If you plan to implement a robust ISMS based on ISO 27001, download our free green paper Information Security & ISO 27001: An introduction.