Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




This paper deals with two methodological frameworks, the PDCA model and the process management model, which are basic elements of the newest international standards for information security management. The models were originally developed to support the quality of overall business management in any kind of organization, and they entered the information security standards from the ISO 9000 standards for quality management. This paper highlights the many possibilities these models offer for information security management that is seamlessly integrated (embedded) within general business management activities. In addition, some significant aspects of modern business environments are considered in the context of these models and of information security management.

Business-integrated information security management

Information security is a matter of managerial interest for organizations because it is significant, and in many cases even crucial, for the realization of the business. In this sense the management of information security is fully analogous to many other highly specialized key areas in managing an organization towards competitive business performance and success, such as the management of finance, human resources, product quality and innovation. In all these areas it is useful for organizations to apply established and recognized management approaches and practices.

Information security management can be defined as the coordinated activities to direct and control an organization with regard to information security (the form of this definition is borrowed from the ISO 9000 definition of quality management). The basic phenomena to be managed, which characterize information security in an organization's products and business activities, are:
- Integrity - the information one is using is accurate and complete, and has not been manipulated by anybody else
- Availability - one has access to the relevant information when, and for as long as, it is needed
- Confidentiality - the information one is using is not disclosed to anybody who is not authorized to see it

Because of its importance for an organization's sustainable business performance, success and credibility, information security management is in fact always squarely the responsibility of the business leaders, and all information security related activities should be integrated seamlessly with the normal business management activities. The same general managerial principles and methodology may be used in all specialized management areas, and information security management is no exception.

Applying the PDCA Model for managing information security

A well-known general model for all areas of management, information security included, is the so-called PDCA model or Deming / Shewhart cycle (see figure 1). The model became popular especially through the lectures on managerial quality that the American Dr. W. Edwards Deming gave over several decades (from the 1950s to the 1990s). Originally, however, the model was created by the American Dr. Walter Shewhart in the 1920s. Later the Japanese Dr. Shoji Shiba has done remarkable work in combining the original PDCA model with ideas of knowledge management and of Buddhist philosophy. The so-called Trilogy model of the American Dr. Joseph Juran also contains the same elements as the PDCA model. The PDCA model further has consistent linkages with traditional systems theory and system dynamics. In summary, the PDCA model has a great variety of applications, possibilities and uses.

The PDCA model is also strongly related to the following international standards for information security management:
- ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements
- ISO/IEC 17799:2005 - Information technology - Security techniques - Code of practice for information security management
- ISO/IEC 11770-1:1996 - Information technology - Security techniques - Key management - Part 1: Framework

These standards are the most recognized reference documents world-wide for a professional approach to information security management, and they also emphasize the integration of information security management with the business. In addition, the OECD guidance document:
- OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security, 2002,
states that information security should pervade the business culture of every organization and of society at large.

The PDCA model describes consistent management as four consecutive activities:
- P: Planning the business activities - what should be done and what results should be achieved
- D: Doing the business obligations according to the plans
- C: Checking what was done and what results were achieved
- A: Acting rationally on the observations and results of the checking

Figure 1. PDCA model for management (or so called Deming / Shewhart cycle) and its application in strategic and operational business management

In organizational environments the PDCA model is applied in three different scopes:
- Control: managing daily operations in business processes in order to achieve the specified results. Rectifying nonconformities is normally carried out as part of control.
- Prevention and operational improvement: solving acute problems, preventing nonconformities, and finding and implementing step-by-step operational improvements in business processes
- Breakthrough improvement: innovating and implementing strategically significant changes in the way of doing business

Top business leaders (senior executives) are responsible for breakthrough improvements. Control, prevention and small-step improvement are the responsibility of operational managers. All people within the organization should be aware of the importance of information security so that they can take it into account in their normal everyday business tasks in a simple and natural way, without any additional measures.

To ensure information security, an organization must carry out many information-security-specific measures when planning, doing and checking its business activities and results, and when reacting to the situation. Also for information security the organization should carry out corrective, preventive and continual improvement actions and, as necessary, more comprehensive re-engineering of business processes. The international standards mentioned above contain a lot of detailed methodology for these tasks. Although ISO/IEC 27001 explicitly refers to the PDCA model, the standard applies the model rather unsystematically, implicitly and poorly for the purposes of information security management.

There is no reason why control, prevention, small-step improvement and breakthrough improvement should not be just as relevant in the field of information security management. Even normal organizational quality management practices oblige one to use such methods for information security as well. General managerial practices and means can be used, but professional information security expertise must also be incorporated. This means close and effective cooperation between business leaders and information security experts.

Information security management through business process management

The process approach was already used in ancient cultivation and construction activities, and the concept is often referred to in the context of natural development. With industrialization, processes became an everyday concept in the so-called process industries. Since the 1970s and 1980s the process approach has also been used for describing the internal workings of computer systems, e.g. in the structured analysis and design technique (SADT). On a large scale, however, the process approach has been used comprehensively for the benefit of business management for less than twenty years, and during that time many practical means have been developed for the purpose, drawing especially on systems theory and system dynamics. The process concept was introduced into the ISO 9000 quality management standards in the 1990s, and only in very recent years has the methodology reached the international standards for information security management.

Processes are inherent in all kinds of daily doings and activities within any organization; originally the process concept simply denotes any kind of activity or operation. The structure of business processes has become an interesting management issue as a means of increasing the effectiveness and efficiency of business operations. In some cases, however, structural aspects such as formal process diagrams have been harmfully over-emphasized in process management. Because of its business significance, process management is by its basic nature a comprehensive business management issue, and today truly effective and efficient process management implies a radical change to the established management thinking and structures in many organizations.

All business results, information security included, are achieved through managing business processes and projects. Basic (or core, or key - different organizations use different terms) business processes are continuously running, interlinked business activities, whereas projects are singular processes for unique business tasks. Both the strategic and the operational management levels are involved in the process approach: the strategic level manages the network of interlinked business processes (i.e. the whole business system) and the operational level manages single processes and projects.

When integrating information security practices, it is extremely important to understand information security issues in the context of business processes, because in practice (operationally) information security originates in the processes. All process activities are nowadays strongly information-intensive, and information flows between these activities, between different performers and even between distant operational locations (see the example in figure 2). Information security is therefore affected directly and in real time by the process arrangements, tools and people in practical work, and by how these are managed through appropriate and systematic practices.

Figure 2. Information security is realized in the activities and information flows of business processes (e.g. order/delivery process).

Process management (see figure 3) describes how strategic and operational business objectives are realized through business processes according to the PDCA (Plan - Do - Check - Act) principle. Operations are managed by feedback obtained through measurements. In fact there are three PDCA loops in comprehensive process management:
a) the loop of control and corrective action
b) the loop of prevention
c) the loop of real improvement through innovative re-design and re-engineering of the process(es).

Figure 3. PDCA loops in business process management

Both the whole process network (the business system) and the individual business processes are managed according to this systematic model. Managing the comprehensive process network includes the normal responsibilities of business management, e.g. business plans, action plans, business performance assessments and regular business reviews. It is essential that the business system is understood here as a network of business processes and not only as functional units (organizational "silos"). Managing an individual process consists of process planning, control of the operation, performance improvement and quality assurance. The bases of process management are the process plan, process performance assessment and the monitoring of process performance indicators; the process plan is the most important managerial tool for process management.

To take information security into account, one must understand which phenomena within single business processes and between different processes are critical from the information security point of view. Only then can one define suitable performance indicators and set quantitative target values for information security according to the relevant needs and expectations. A key management issue is to monitor these indicators in real time and to initiate, as needed, measures for correction, prevention or improvement of performance, just as the PDCA model prescribes. The standards mentioned above give general guidance for defining the information security controls to be applied within business processes.
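As an added illustration (editor's example, not code from the paper) of how a monitored indicator with a quantitative target can drive the three PDCA loops of figure 3, the following Python code puts a process security indicator on a Shewhart individuals control chart, the same statistical tool from which the PDCA cycle originates. The indicator ("orders per week that left the order/delivery process without the required access check"), the baseline data and the target value are constructed for illustration; the 3-sigma limits and the run-rule length of seven points are the editor's assumptions, not values given in the paper.

```python
"""Added example, not part of the original paper: the three PDCA loops of
process management expressed as decision rules on a process performance
indicator, using a Shewhart individuals control chart. The indicator, the
baseline values and the target below are constructed for illustration; the
3-sigma limits and the run-rule length are assumptions chosen by the editor."""
from dataclasses import dataclass
from statistics import mean
from typing import List

D2_N2 = 1.128  # Shewhart d2 constant for a moving range of two points


@dataclass(frozen=True)
class Plan:
    """Result of the P step: what 'normal' variation looks like and the aim."""
    centre: float  # process mean estimated from the baseline period
    ucl: float     # upper control limit, centre + 3 sigma
    lcl: float     # lower control limit, floored at 0 for a count
    target: float  # quantitative target value set by management


def plan(baseline: List[float], target: float) -> Plan:
    """P: estimate common-cause variation from a stable baseline period."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline observations")
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    sigma = mean(moving_ranges) / D2_N2
    centre = mean(baseline)
    return Plan(centre, centre + 3 * sigma, max(0.0, centre - 3 * sigma), target)


def check(p: Plan, observations: List[float], run_length: int = 7) -> List[str]:
    """C/A: classify each new observation by the PDCA loop it triggers.

    'control'    - point beyond a control limit: a special cause, rectify the
                   nonconformity now (loop a)
    'prevention' - `run_length` consecutive points above the centre line: the
                   process is drifting, find and remove the cause before a
                   limit is breached (loop b)
    'ok'         - common-cause variation only, no action
    """
    actions = []
    above = 0
    for x in observations:
        above = above + 1 if x > p.centre else 0
        if x > p.ucl or x < p.lcl:
            actions.append("control")
        elif above >= run_length:
            actions.append("prevention")
        else:
            actions.append("ok")
    return actions


def needs_breakthrough(p: Plan) -> bool:
    """Loop c: if the centre line itself lies above the target, correcting
    individual points can never reach the target; the process as designed
    must be re-engineered and a new plan made."""
    return p.centre > p.target


if __name__ == "__main__":
    # Constructed weekly counts: ten stable baseline weeks, then eleven new weeks.
    baseline = [4, 5, 3, 6, 4, 5, 4, 6, 5, 4]
    new_weeks = [5, 12, 6, 5, 6, 7, 5, 6, 8, 7, 4]
    p = plan(baseline, target=3.0)
    for week, (x, action) in enumerate(zip(new_weeks, check(p, new_weeks)), 1):
        print(f"week {week:2d}: {x:4.0f}  -> {action}")
    if needs_breakthrough(p):
        print(f"centre {p.centre:.1f} > target {p.target}: redesign the process")
```

The point of the three rules is the one the paper makes about scope: a single point outside the limits is an operational matter for the process owner (control and correction), a run of points on one side of the centre line is a drift to be diagnosed before it becomes a nonconformity (prevention), while a centre line that sits above the target tells senior management that no amount of correction will reach the target and the process itself needs a breakthrough change.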

Information security performance, too, should be considered from both the strategic and the operational point of view. Strategic performance management of processes consists of vision- and strategy-based measures and evaluations of the overall process performance. Operational process performance measures for daily management focus on diagnostics and analysis for corrective and preventive actions.

Process performance in general, and the information security performance of processes in particular, is a fuzzy concept. Process performance evaluation consists of strategic assessment of the whole business performance (the process network) and operational assessment of individual processes. Assessment results are useful both for internal process improvement and for quality assurance, which includes all the measures through which an organization demonstrates to its stakeholders that it is capable of fulfilling all agreed requirements effectively.

Factors affecting the use of systematic managerial tools in business-integrated information security management

Information security management, or more generally business management as a whole, using the PDCA model and process management must respond to the realities of the business environment. Today in particular, the need to manage the variety and agility of operations sets new requirements for all management practices. The fundamental reason is that today's business environment is uncertain and ambiguous. This includes:
- Emergence and self-organizing networks of actors affecting the business
- Many heterogeneous global actors in virtual networks on the market-place
- Everything is linked with everything else, and not all linkages are known
- Paradoxical freedom of the actors ("both-and" instead of "either-or")
- The significance of immaterial issues (information, knowledge, services)
- The increased speed of activities and of change
- The significance of transaction phenomena

All these aspects are big challenges for information security management too.

In all business processes there are three different kinds of activity, mechanistic, organic and dynamic, and all three are inherent in every business process and its activities. Mechanistic aspects are highly disciplined tasks (e.g. access control to certain information in the order/delivery process), organic aspects relate e.g. to the necessary business interactions with internal and external operational partners, and dynamic aspects reflect spontaneous human activity in the situation at hand. Today business performance and competitiveness are based mainly on organic and dynamic action. Business management must address all these dimensions of variety appropriately, both in the process network as a whole and in individual processes, and they should also be taken into account e.g. in the process documentation. Managing complexity is a requirement of every process, and it goes beyond simplistic tools; in fact, most business processes today are complex responsive processes of relating.

Information security can be controlled adequately by strict rules and instructions, or by automated technological solutions, only in the mechanistic parts of process activities. In the organic and dynamic business situations the essential factors are people's skills, competence, awareness, initiative, commitment and responsibility, and the general security culture.

Achievements in information security management depend on the quality of management, that is, on how business management is really carried out and how the systematic tools are used across the whole organization. Management actions take place on several levels: the whole organization, its business units or functions, its business processes, and individuals and teams. Leadership emphasizes the personal and human aspects of how managers or superiors conduct their business actions (see figure 4).

Figure 4. Quality of leadership performance. A successful business leader's primary quality feature is awareness.

A critical issue for process performance is how the individual performers within the processes operate and how they understand their roles and responsibilities for information security. There should be no conflict between a person's activities in a business process and his or her internal mental process, because such conflicts often cause significant threats to information security. The chance of preventing and resolving these conflicts effectively depends a great deal on the organization's social networking culture and on its human resource management practices, including the procedures for compensation, rewarding, incentives and recognition. Only some of the problems can be avoided by replacing human activities within business processes with automated IT solutions.


Conclusions

To be effective, information security management must be carried out in integration with the organization's normal business management practices. Separate solutions for information security are abnormal, ineffective and finally frustrating. Integration is realized through practical managerial tools. The PDCA model is a proven and recognized methodology for all kinds of management. It is very suitable for information security management too, but its use there has been rather vague, and not all the advantages of the methodology have been realized in practice.

Proven business cases show that process management is in principle a very simple thing, but its implementation in practice seems incredibly difficult, because it always puts a strain on the organization's leadership. Developing the business processes and their management is a long-term effort that must take into account the realities of the business environment in question. This is also why applying process management to information security management is difficult. Another point is that security professionals are often not familiar with the foundations and practical approaches of process management.


References

1. Anttila J.: Managing and assuring information security in integration with the business management of a company, Information security, Small systems security & information security management, Volume 2, IFIP TC 11, Vienna - Budapest 1998, http://www.qualityintegration.biz/Tonava.html
2. Anttila J.: Business-integrated information security management, European intensive programme on information and communication technologies security IPICS'2003, Oulu 2003, http://www.qualityintegration.biz/InformationSecurityIntegration.html
3. Anttila J.: Tacit knowledge - the essence of quality management systems, EOQ 2005 Annual Congress, Antalya 2005, http://www.qualityintegration.biz/TacitKnowledge.html
4. Anttila J.: A comprehensive process approach for overall performance excellence, Quality Conference, Ostrava 2002, and workshops in Mumbai and Tallinn, http://www.qualityintegration.biz/BusinessProcessManagement.html
5. Anttila J., Vakkuri J.: Luovan johtajan ISO 9000 (The creative leader's ISO 9000), Sonera, Helsinki 2001
6. ISO/IEC 27001:2005: Information technology - Security techniques - Information security management systems - Requirements, ISO, Geneva 2005
7. ISO/IEC 17799:2005: Information technology - Security techniques - Code of practice for information security management, ISO, Geneva 2005
8. ISO/IEC 11770-1:1996: Information technology - Security techniques - Key management - Part 1: Framework, ISO, Geneva 1996
9. OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security, OECD, Paris 2002
10. ISO 9000/9001/9004: Quality management systems, ISO, Geneva 2000
11. Juran J.: Juran on planning for quality, New York 1988
12. Latzko W. J., Saunders D. M.: Four days with Dr. Deming. A strategy for modern methods of management, Reading 1997
13. Shewhart W. A.: Economic control of quality of manufactured product
14. Shiba S.: Evolution of quality: From control to breakthrough TQM, EOQ Annual Congress, Trondheim 1997

[This text was presented as a paper at IPICS Winter School of the University of Oulu, Taivalkoski Finland in April 2006 and also published with Jorma Kajava and Rauno Varonen in the University of Lapland, Department of Research Methodology Reports, Essays and Working Papers No. 2 / 2007]