Cybersecurity Humour, For Infosec professionals


The case of the missing PDCA cycle

Posted on: 18-Feb-2014
Author: cmk
“My dear Watson!” exclaimed Holmes. “You are no doubt wondering about how they work in Japan.”

I looked up in surprise. I was indeed pondering the work culture in Japan. “Have you started performing black magic, then, Holmes? There can be no other explanation for this,” I spake with wide eyes. “How can you even know what I am thinking?”

“Elementary! I have been observing you for the past ten minutes. You started reading the new ISO 27001:2013. A few minutes later, your eyes widened. You left your seat, went to the shelf and retrieved the ISO 27001:2005.”

“And how can that possibly tell you that I am thinking about Japanese work culture?”

“Come now, Watson, let me tell my story at my own pace! You opened both the standards, the old ISO 27001:2005 and the new ISO 27001:2013. You spent a few minutes pondering over a page that contained a diagram: Deming’s cycle. I realised then that you were wondering what happened to the diagram in the new standard. However, I saw you starting to fidget a little. You had started to wonder about the significance of that cycle. The only way to question the cycle is to question the origin of the cycle. You started to think about Edwards Deming. You were, no doubt, wondering about his series of lectures in Japan on the continuous process of quality. Then you looked up at the shelf where the books Made in Japan and The Toyota Way are kept. The only logical chain of thought after that, my dear Watson, is about how Japanese companies work and how the culture of quality set in.”

“Ah, now that you mention it that way, I see it was simple!”

“However, you digress from the critical topic. Where did Deming’s cycle go? Did they take it off just like that? Is it an old-fashioned 1950s idea whose time had come? There is more than what meets the eye, Watson!”

“Indeed!” I couldn’t agree more.

“What do you think, Watson? Why did they remove Deming’s cycle?”

I gathered my thoughts. I wanted my thinking to be as clear as Holmes’. “Like you always say, Holmes, let me put the facts before making deductions.”

Holmes, by now, was seated in his favourite armchair, his eyes closed and the tips of his fingers lightly touching each other. “Go ahead, Watson!”

“It is clear that the diagram is missing from ISO 27001:2013. However, it is also clear that stages like ‘planning’, ‘operation’, ‘performance evaluation’ and ‘improvement’ are mentioned. There is no denying the fact that there exists a similarity between the two. Also, they clearly mention that their structure is in line with the requirements of the ISO Directives, Part 1, Annex SL. This Annex SL was released in 2013. Keeping in line with Annex SL while trying to retain the cycle of continuous improvement seems to have made this change!” I concluded, feeling proud of myself for this deep and detailed analysis, and also for the fact that I knew so much about the way ISO works.

“As always, Watson, your observations are right, but your deduction leaves a lot of questions unanswered. They could have just propped the whole standard under one section, like they did with ISO 27001:2005 (clause 4.2). Why did they move away from that?” said Holmes as he started filling his pipe.

“I don’t know, Holmes. What do you make of it?”

A puff of smoke rose from Holmes’ armchair. “Clearly, Watson, there are some additional facts that need to be considered here. First and foremost, we need to understand the psyche of the team that wrote the new standard versus the psyche of the team that wrote the old standard. I have penned a few oft-cited articles about the behavioural psychology of standards writers in popular journals, should you care to look them up.”

“When the standard was first written, the focus was to adopt BS 7799 as an ISO standard and bring it in line with the quality management system. The easiest way to do this was to write the whole standard in one section and keep the other requirements of the QMS the same. Are you with me so far, Watson?” I nodded.

“This time round, the writers had a chance to review the ISMS in action for the last eight years. This is substantial experience coming into play here, Watson. This new breed of people had spent their entire careers in information security. They had no inkling about QMS and they did not see how it would make a difference to the ISMS. Have you heard of the philosophy called ‘no two management systems are alike’? Quite a few of the new writers came from this point of view. They wanted to scrap everything old and write everything anew. However, the robustness of a PDCA approach was not lost on them. They put the PDCA cycle in the way that they had implemented it, not in the way Deming wanted them to implement it, or the QMS wanted them to implement it. The PDCA still exists, Watson. Just as you say, it is hidden in the new standard behind planning, support, operation, performance evaluation and improvement, as required by the ISO Directives!”

“Why remove a perfectly good diagram, Holmes?” I persisted. I could not get over the fact that the new standard does not have a single diagram.

“You are letting your previous biases cloud your judgement, Watson! Answer this for me: where do you begin reading the standard?”

I was taken aback. “What do you mean, ‘where’?”

“From what section do you read the standard, Watson? Do you start reading it from 0. Introduction?”

“Actually, I started reading it from the introduction only when I wanted to compare. Generally, I would start reading it from the section immediately after the terms and definitions,” I admitted.

“There you go, Watson. If anything, the PDCA cycle has been moved from a not-so-widely-read section (0.2 Process approach) to the centre stage of the ISMS implementation, and yet you worry about a little diagram? It is time to move away from these vile comparisons and learn to implement a good information security system!”

“Enough of this, Watson. Unless I am very much mistaken, I hear Mrs. Hudson setting the table for dinner. Can you hand me my violin while we wait?”

This is my personal tribute to Sir Arthur Conan Doyle and my favourite fictional character.