Achieving continual improvement through the use of maturity models

Like any other ISO management system, ISO 27001 has a requirement for continual improvement (clause 10.2). The reason is that no process, no matter how well established and implemented, compliant with ISO standards or not, can maintain high levels of performance without continuous adjustment to changing circumstances.

Therefore, achieving continual improvement is more than a standard requirement; it is a question of business survival that ISO management systems merely make explicit and mandatory. However, how can an organization achieve continual improvement? The clauses of the ISO management system standards on this issue are vague, so to help you with that, I will talk a little about maturity models.

What are maturity models?

A maturity model is any systematic framework with structured levels that describe how well-defined aspects of an organization can produce reliable and sustainable outcomes. I put together this broad definition because a search of the Internet can provide you with maturity models about a variety of issues: project management, quality management, learning, security, and, of course, processes.

Figure 1: Maturity models general view

Among the many existing models (e.g., COBIT, CMMI, OPM3, SSE-CMM, etc.), let’s look at the model defined by ISO/IEC 15504 (see the graphical interpretation in Figure 2), the ISO standard for maturity models. Its maturity levels are the following:

0 – Incomplete: No process implemented or little / no evidence of any systematic achievement of the process purpose
1 – Performed: The process achieves its expected purpose
2 – Managed: The process is implemented in a managed way (planned, monitored, and adjusted) with appropriately established, controlled, and maintained work products

These levels mostly concern individual processes and the individual knowledge required to make each process work as expected. The other, more mature, levels are:

3 – Established: The process is implemented using a defined (standard) process that is capable of achieving the expected outcomes
4 – Predictable: The process operates within defined limits to achieve its expected outcomes
5 – Optimized: The process is continuously improved to meet relevant current and projected enterprise goals

These last three levels require an enterprise view and corporate knowledge to make different processes of different organizational units work together.

Figure 2: ISO/IEC 15504 Maturity Model

If you compare these levels with ISO 27001, or any other ISO management system, you will see that they establish requirements corresponding to level five of the maturity model. However, what about your own processes – the processes that make your business happen? How can you make them achieve this level?

Using maturity models to drive your process improvement

If you pay close attention to the level descriptions, you will see that each upper level is built as a small increment over the previous one. So, to improve your processes gradually (according to your resource capacity or defined objectives), you have to:

  1. ensure the process can achieve its expected purpose (e.g., make a cake, assemble a piece of equipment);
  2. include management tasks (e.g., identify what you have to do/control to make the cake/assemble the equipment before completing the tasks);
  3. ensure that all the people working with that process follow the same steps/tasks (e.g., for the same flavor everyone uses the same recipe, and for the same equipment, everyone uses the same instructions). This step is critical because you have to balance the level of standardization with the specific needs of the business units. I would recommend the rule “define global, implement local” at the beginning, where you standardize only the common aspects of the processes and let the business units define some specific aspects according to their local scenarios. With time, more common aspects will reveal themselves and can be added to the global model;
  4. define lower and upper tolerance levels within which the process may operate. Not achieving the exact expected result isn’t always a bad outcome, since the effort to achieve very low error levels can be costly and the actual result may be acceptable to the client; and
  5. make use of the monitoring results and other information to work proactively on adjustments, preventing losses and taking advantage of opportunities.

Generally, management system implementation projects fail because of a lack of management support or an inadequate perception of the maturity level of the processes. Assuming a process to be more or less mature than it really is can lead to errors in project resource/schedule planning and increase the tension between the project team and the users. The most common case is that the processes inside the organization are not all at the same level, and a maturity model can help you identify those gaps.
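To show how the cumulative ISO/IEC 15504 levels above translate into a gap assessment across processes, here is an added Python example (not from the article or from Advisera). The criterion names, the process names and the evidence values are constructed for illustration; a real assessment would use its own questionnaire.

```python
"""Rate processes against the ISO/IEC 15504 capability levels and list gaps.
Added example; criteria and sample data are constructed, not from the article."""

# Level names, in order, as listed in the article (index = level number).
LEVELS = ["Incomplete", "Performed", "Managed", "Established", "Predictable", "Optimized"]

# One yes/no criterion per level 1..5, paraphrasing each level description.
CRITERIA = {
    1: "achieves_purpose",             # Performed
    2: "planned_monitored_adjusted",   # Managed
    3: "standard_process_defined",     # Established
    4: "operates_within_limits",       # Predictable
    5: "continuously_improved",        # Optimized
}


def capability_level(evidence: dict[str, bool]) -> int:
    """Levels are cumulative: a process sits at the highest level whose criterion
    and every lower criterion are met. Missing evidence counts as unmet, so
    evidence for a high level does not count while a lower level is failing."""
    level = 0
    for lvl in range(1, 6):
        if not evidence.get(CRITERIA[lvl], False):
            break
        level = lvl
    return level


def assess(processes: dict[str, dict[str, bool]]) -> dict[str, int]:
    """Map each process name to its capability level."""
    return {name: capability_level(ev) for name, ev in processes.items()}


def gaps(processes: dict[str, dict[str, bool]], target: int) -> dict[str, list[str]]:
    """For each process below the target level, list the unmet criteria up to that
    level, lowest first (the order in which the article says to close them)."""
    result = {}
    for name, ev in processes.items():
        if capability_level(ev) < target:
            result[name] = [CRITERIA[l] for l in range(1, target + 1) if not ev.get(CRITERIA[l], False)]
    return result


# Constructed sample: three processes of one organization, not all at the same level.
# "backup_restore" has level-3 and level-4 evidence but no managed planning, so it
# is really at level 1, the over-estimation the article warns about.
SAMPLE = {
    "access_provisioning": {"achieves_purpose": True, "planned_monitored_adjusted": True,
                            "standard_process_defined": True, "operates_within_limits": False},
    "backup_restore": {"achieves_purpose": True, "planned_monitored_adjusted": False,
                       "standard_process_defined": True, "operates_within_limits": True},
    "incident_handling": {"achieves_purpose": False},
}

if __name__ == "__main__":
    for name, lvl in assess(SAMPLE).items():
        print(f"{name}: level {lvl} ({LEVELS[lvl]})")
    print("gaps to level 3:", gaps(SAMPLE, 3))
```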

Know yourself before going to battle

The ISO 27001 ISMS is a great tool to add value to your business, but evaluating the maturity level of your organization’s processes is fundamental for planning the implementation, establishment, ongoing operation, and improvement of information security. Doing this homework beforehand can save you a lot of time and effort.

Learn more about the concept of continual improvement in this free ISO 27001 Foundations Online Course.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.