Applicability of PDCA cycle to risk management

Tutorial 1 

Name:

Institution: Tutorial 1 

Exercise 1

Applicability of PDCA cycle to risk management

The PDCA cycle is principally used in organizations to ensure that the ISMS is are continuously monitored as well as improved (Humphreys, 2008, p.248). Risk management is always managed under three distinct phases: risk identification, assessment and mitigation. According to ISO 31000:2009, risks are handled by avoiding risk, accepting the risk to pursue an opportunity, eliminating the source of risk, altering the likelihood of risk occurrence, sharing the risk, retaining the risk, and altering the effects in case the risk happens (Ernawati & Nugroho, 2012, p.3). The PDCA cycle is applicable in risk management by virtue of being in a position to help in a methodical and systemic approach to solving problems and implementing solutions in four manageable steps. The steps encompass all concepts in ISO 31000:2009. 

Shortcomings of the PDCA Cycle

The process of PDCA in its structure oversimplifies the process of quality improvement. The shortcoming can be traced to the origin of the concept. The PDCA cycle was adopted from the Japanese method of improving the tight loop production process. The adoption of the cycle by Shewhart provided a summarized format of the original Japanese concept thereby omitting some key ideas (Nayab, 2013, p. 1).

The PCDA cycle is reactive in nature. The cycle recommends planning and performing a particular activity before responding to any drawbacks that may arise. In this format, the PCDA attempts to correct mistakes that have occurred as compared to identifying them earlier and preventing their occurrence (Nayab, 2013, p. 1)

Exercise 2

Summary of ISO/IEC 27001:2013

ISO/IEC 27001:2013 got its life on the September 25, 2013 as an upgrade of ISO/IEC 27001:2005. The standard is concerned with information security management system. The standard is more specific with the requirements for coming up with, executing, maintaining, and enhancing on a continued basis of information security management system in the perspectives of a given specific organization. The same standard has further included the needs for evaluation and handling of security risks related to information custom made for the specific organization.

The upgraded standard has parts that help the organization achieve standardization more easily. Part four concerns the establishment of need by means of understanding its context. Part five focuses on leadership. It seeks to rally management behind the standard before implementation. The sixth part shifts the organization’s focus towards planning where risk treatment options are profiled and a choice settled upon. Part seven moves the standard a notch higher towards implementation but prepares for it by requiring the organization for support in terms of resources. The eighth is the actual operation – actions that address information security in terms of risks and opportunities. The assessment of the same is advocated for to ensure that prioritization and keeping record of risks is done. The last parts, 9 and 10, involve the evaluation of the standard’s effect and improving by taking corrective actions to ensure that ISMS are up to task respectively. 

Exercise 3

The Concept of Risk and Risk Management

Risk refers to the likelihood of an event occurring or failing to happen with a known probability of occurrence. It combines the occurrence of a hazard and the probability of it happening. On the other hand, risk management is a continuous process of identifying, analyzing and managing the risks that may arise. Risk management considers the adverse effects, exposure levels, and the technical and social aspects related with the risks. Risk management aims at reducing the likelihood of an event occurring and decreasing the magnitude of its impact (Bergland, 2007, p 499).

The risks involved in IT security relate to incidences of cyber-attacks, hacking, and virus attacks. With the connectivity becoming more and more enhanced, so does the risks of threats to IT security systems. The risks facing the IT security have evolved into more complex and multi-faceted advanced persistent threats. These threats under the traditional threat detectors will pass undetected. The concept of risk management in IT security relates to how an organization carries out the assessment of possible risks, and puts up measures to mitigate and monitor these risks. The process guides the decision making process of the organization in terms of selecting approaches and priorities for control (Webb et al. 2014 p. 392).

References

Berglund, H. (2007). Risk Conception and Risk Management. International Journal of Innovation Management, 497-513.

Ernawati, T. and Nugroho, D.R., 2012, September. IT risk management framework based on ISO 31000: 2009. In System Engineering and Technology (ICSET), 2012 International Conference on (pp. 1-8). IEEE.

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information security technical report, 13(4), 247-255.

Nayab, N. (2013). Exploring the Disadvantages of PCDA Methodologies. Retrieved from http://www.brighthubpm.com/methods-strategies/75929-exploring-the-disadvantages-of-pdca-methodologies/

Webb, J., Maynard, S., Ahmad, A., & Shanks, G. (2014). Information Security Risk Management: An Intellince-Driven Approach. Australasian Journal of Information System.