Plan > Do > Check > Act

Security Core Concept 3: Security Management Systems

If Governance (Core Concept 4) is the most ‘diversely interpreted’ of the 6 Core Concepts, Information Security Management Systems (ISMS) is the most widely MIS-interpreted and mis-understood.

As the de facto standard for ‘security frameworks’ , ISO 27001 is designed to; “…provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.”. Or more simply; It’s how you keep your security program in place, relevant, and appropriate to your business.

ISMS can be summarised by the old ‘Plan > Do > Check > Act (PDCA)’ cycle:


  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls;
  • The Do phase involves implementing and operating the controls;
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS;
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

We already covered the Plan in Core Concept 1, and Do in Core Concept 2, so this; Core Concept 3, is a continuation of the security life cycle development.

With reference to a misquoted cliché; “You can’t manage what you can’t measure.”, the Check phase is designed to ensure that the controls you put in place to mitigate the risks detailed in the Risk Assessment (RA), are actually working. For example; your RA calls for segmentation between trusted and untrusted segments. Are the rules now in place to effect the segmentation? Is there any negative impact on performance? Are the firewall logs part of the established monitoring processes? Is the asset management system updated with all relevant detail? And so on…

If the answer to all of your success metrics above is positive, you must prepare to perform the cycle all over again at a time specified by your Governance Committee (usually annually at the very least). If the answer is no to ANY of the agreed metrics, you must go back and determine if the impact of the short-fall is sufficiently material to warrant major adjustment; e.g. fix it NOW, or no action at this time, or anything in between. This is the Act part of the ISMS.

As you can see, this is not actually that complicated. ‘ISO certification’ would be relatively easy if you were performing the first 3 Core Concepts correctly. However, because you can perform ISO certification of any aspect of your business, it is fairly meaningless unless you cover your entire infrastructure. Basically, unless you have a real business need to be ISO ‘certified’, don’t bother, just follow the Core Concepts.

While this Core Concept would SEEM to be the easiest (after all, it’s just determining if something is working or not), it’s the one that gets most ignored. It seems that most organisations lose interest after ‘fixing the problem’, so the additional expense of seeing if the controls actually worked gets put on hold. That ‘hold’ turns into forever, and continuous improvement is nothing more than a pipe-dream.

This is almost the same as doing nothing at all. Because not only do you not know if you are more secure than before, even if you WERE for while, you would soon fall back into your old ways. The entire investment is lost. In fact, it’s worse, because now you’ve wasted all that time and money as well.

Ensuring your ISMS is maintained is a critical function of the Governance Committee, along with Change Control, so we’ll tackle that in the next blog in the series; Security Core Concept 4: Governance & Change Control.

ISMS is where the rubber meets the road in terms of your corporate policies, standards, and procedures. These are the true baseline from which to measure the success of your security program. This is why they are one of The 4 Foundations of Security, and must receive the attention they deserve.

[If you liked this article, please share! Want more like it, subscribe!]

If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.