The ‘engine’ that forever drives the management system towards continual improvement

The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A, which was published on 25 October last.

Continual improvement

The IMS-Smart approach to continual improvement is shown in the diagram below.

Reading from left to right:

  • All IMS activities that determine the need for action feed into this continual improvement process. Note that the management review process has the special task of reviewing actions once completed to determine whether they have met their objectives. If they have not, then the cycle repeats itself as some further action will be required. Note also the special relationship between risk assessment and potential nonconformities, which in this instance are the nonconformities that would have occurred if the controls identified through the process of risk assessment had not been in place.
  • Step 1 is to determine whether the input is a nonconformity. For all inputs, apart from operational change, the organisation must determine whether the input is a nonconformity. If it is not, or if the input results from an operational change, then the organisation must determine whether the input is a potential nonconformity. It is also prudent to consider whether the event could result in an incident in the future. If it is neither a nonconformity nor a potential nonconformity, then it is either an improvement or no further action is required.
  • Step 2 is to take immediate action as necessary, by reacting to the event (i.e. nonconformity, incident, accident etc.), taking action to control the situation, correct any nonconformity and deal with the consequences.
  • Step 3 is to plan considered action, by first considering the cause of the event and secondly by considering whether similar consequences have occurred or could potentially occur. A potential nonconformity or incident is treated as a risk, and therefore the action is to treat the risk and consequently modify an existing risk treatment plan or create a new one.
  • Step 4 is to take the action identified in Step 3. This will be in the form of corrective actions (e.g. to eliminate the causes of a nonconformity, in order that it does not recur or occur elsewhere), risk treatment plans and improvements.

The actions that are taken should be recorded. The nature of that record will in the first instance be governed by how the need for action was identified in the first place. For example, if the need for action was identified as part of an internal audit, the action would be documented as part of that internal audit. Further records should be made, for example when the performance of the action is reviewed at a management review, the record in this case being an item in the minutes of the review meeting.

It should go without saying that if an action results in a change to the IMS or its controls, then that change must be reflected in the IMS documentation, and there will be version control records to support it.

However, in order to avoid IMS management becoming a bureaucratic and ineffective process, it is important to ensure that all actions:

  • are appropriate to the benefit or impact that would occur if the action was not taken;
  • are consistent with IMS policy and objectives;
  • can be regarded as improvements.

Indeed, priority should be assigned on the basis of reward (i.e. the likelihood of that benefit occurring) and/or risk (i.e. the likelihood of that impact occurring). Key to successful internal control is the ability to focus corrective action and improvements on new rewards and risks and on significantly changed rewards and risks. Thus it must be these that receive the greatest priority of any corrective/preventive action or improvement.

Our preferred way to do this is to use a To-Do List. This serves as a permanent record of actions taken to manage the IMS. An example layout is shown in the figure below:

The overall effect of this phase of the cycle is to hone the IMS so as to ensure that the organisation marshals its resources in the most effective manner to achieve its objectives, and continues to do so despite the changing world around it.