MANAGEMENT & PROTECTION SYSTEMS
ISO 27001
C- The Deming cycle: the phases of the ISMS
The ISO 27001 standard, like the other standards for management systems, adopts the Deming cycle to achieve continuous improvement through the Planning, Implementation, Control and Action phases (Plan-Do-Check-Act).
1- PLANNING
In the planning phase the standard foresees the following activities:

  • the definition of a security policy (information security policy)
  • the identification of the scope (the area covered by the ISMS)
  • risk identification and assessment
  • the preparation of a risk treatment plan

These activities must be strictly documented.
2- IMPLEMENTATION
In this phase the planned activities are:

  • resource allocation (people, time, money)
  • the definition of awareness programs
  • the preparation of specific training programs
  • risk treatment: where management has decided to reduce the risks, the selected controls must be implemented
3- CONTROL
The management system control phase involves the periodic execution of:

  • routine checks
  • internal audits of the ISMS
  • checks against the policy

With regard to the checks against the company information security policy, it is important to remember that the ISMS must always reflect management's decisions on security. It is therefore necessary to carry out these checks periodically, verifying that the ISMS is still in line with what management has laid down in the policy (e.g. checking that the policy itself has not changed).
4- ACTION
The objective of this last phase is to improve the system through:

  • detection of non-conformities: a non-conformity may consist of the absence of one or more ISMS requirements, the failure to implement and maintain those requirements, or a situation that raises significant doubts about the capacity of the ISMS to reflect the security policy and objectives of the organization
  • preventive actions: aimed at eliminating the cause of potential non-conformities
  • corrective actions: aimed at eliminating the cause of non-conformities that have occurred