2. Process Approach Incorporating the PDCA Model

An organization must identify and manage a number of its activities to operate its ISMS effectively. JIS Q 27001 (ISO/IEC 27001) recommends that an organization adopt a process approach when it establishes, implements, operates, monitors, reviews, maintains and improves its ISMS. In the process approach, a process is any activity that is managed using management resources in order to transform inputs into outputs. A process approach means identifying the processes within an organization, understanding their interactions, and applying and managing a series of those processes as a system. Adopting this process approach lets an organization operate its ISMS effectively by managing the combinations of and interactions among processes, together with the links between individual processes.

When the "Plan-Do-Check-Act (PDCA)" model is applied to the processes associated with information security, the "information security requirements and expectations of interested parties" are taken in as inputs, and the processes produce as outputs the intended effect: information security managed as expected, satisfying those requirements and expectations. The main point of JIS Q 27001 (ISO/IEC 27001) is the continual improvement, by applying this PDCA model, of the processes that produce these effects.