3 Process approach
3.1 Process
Process types, management, realization and support processes
If you cannot describe what you are doing as a process, you do not know what you're doing. Edwards Deming
The word process (activities which transform inputs into outputs; see also ISO 9000, 3.4.1) comes from the Latin root procedere = go, development, progress (Pro = forward, cedere = go). Each process transforms inputs into outputs, creating added value and potential nuisances.
A process has three basic elements: inputs, activities, outputs.
A process can be very complex (launch a rocket) or relatively simple (audit a product). A process is:
- repeatable
- foreseeable
- measurable
- definable
- dependent on its context
- responsible for its external providers
A process is determined, among other things, by its:
- title and type
- purpose (why?)
- beneficiary (for whom?)
- scope and activities
- initiators
- documented information
- inputs
- outputs (intentional and not intentional)
- restraints
- people
- material resources
- objectives and indicators
- person in charge (owner) and actors (participants)
- means of inspection (monitoring, measurement)
- mapping
- interaction with other processes
- risks and potential deviations
- opportunities for continual improvement
A process review is conducted periodically by the process owner (cf. annex 02).
Review: a survey of a file, product or process so as to verify if pre-set objectives are achieved
The components of a process are shown in figure 3-1:
Figure 3-1. Components of a process
Figure 3-2 shows an example that helps to answer some questions:
- which materials, which documents, which tooling? (inputs)
- which title, what objective, which activities, requirements, constraints? (process)
- which products, which documents? (outputs)
- how, which inspections? (methods)
- what is the level of performance? (indicators)
- who, with what competence? (people)
- with what, which machines, which equipment? (material resources)
Figure 3-2. Some elements of a process
Often the output of a process is the input of the next process.
Any organization (company) can be considered as a macro process, with its purpose, its inputs (customer needs and expectations) and its outputs (products/services to meet customer requirements). Definitions: an organization is a structure that satisfies a need (see also ISO 9000, 3.3.1); a customer is anyone who receives a product (see also ISO 9000, 3.3.5); a requirement is an explicit or implicit need or expectation (see also ISO 9000, 3.1.2).
Our preference is to identify a process using a verb (buy, produce, sell) instead of a noun (purchases, production, sales), to differentiate the process from the company's department or from documented information to maintain, and to recall the purpose of the process.
The processes are (as we shall see in the following paragraphs) of management, realization and support type. Do not attach too much importance to process categorizing (sometimes it's very relative) but ensure that all the company's activities fall into at least one process.
3.1.1 Management processes
The following processes can be part of this family (* mandatory):
- assess risks*
- treat risks*
- communicate*
- conduct an audit*
- plan the ISMS
- establish process ownership
- develop strategy
- establish policy
- deploy objectives
- conduct management review
- improve
3.1.2 Realization processes
They are mainly (* mandatory):
- meet security requirements*
- control outsourced processes*
- register and unsubscribe*
- distribute access*
- manage authentication*
- develop and support security*
- manage security continuity*
- implement security*
- inspect security*
- design and develop
- purchase
- maintain equipment
- manage networks
- manage changes
- control nonconformities
- implement corrective actions
3.1.3 Support processes
The support processes are often (* mandatory):
- apply discipline*
- manage the employment contract*
- maintain regulatory watch
- acquire and maintain infrastructure
- manage inspection means
- provide training
- provide information
- control documentation
3.2 Process mapping
Process mapping and house
Process mapping is multidisciplinary work par excellence. It is not a formal requirement of the ISO 27001 standard but is always welcome.
The three types of processes and some interactions are shown in figure 3-3:
Figure 3-3. Process house
In the outputs, do not underestimate unwanted products (any outcome of a process or activity; see also ISO 9000, 3.4.2) such as rubbish, pollution and rejects.
Mapping, among other things, allows you to:
- obtain a global vision of the company
- identify the beneficiaries (customers), flow and interactions
- define rules (simple) for communication between processes
- develop strategy
- establish policy
- assess risks
- treat risks
- plan the ISMS
- deploy objectives
- establish process ownership
- improve
An example of the "design" process is shown in figure 3-4:
Figure 3-4. Design process
3.3 Process approach
Process approach and continual improvement
Simple solutions for now, perfection for later
Process approach: management by the processes to better satisfy customers, improve the effectiveness of all processes and increase global efficiency
The process approach (see also ISO 9004, Annex B.5) contributes enormously to the efficient management of the company (cf. annex 04).
When the process approach is integrated during the development, implementation and continual improvement (a permanent process allowing the improvement of the global performance of the organization; see also ISO 9000, 3.2.13 and ISO 14001, 3.2) of an information security management system, it allows one to achieve objectives that are related to customer satisfaction (the top priority objective of every quality management system; see also ISO 9000, 3.1.4), as is shown in figure 3-5.
Figure 3-5. Model of an ISMS based on process approach and continual improvement
The process approach:
- emphasizes the importance of:
  - understanding and complying with customer requirements
  - prevention so as to react to unwanted elements such as:
    - customer returns
    - waste
  - measuring process performance, effectiveness and efficiency
  - permanently improving objectives based on pertinent measurements
  - process added value
- relies on:
  - methodical identification
  - interactions
  - the sequence and
  - process management, which consists of:
    - determining objectives and their indicators
    - piloting related activities
    - analyzing obtained results
    - permanently undertaking improvement
- allows one to:
  - better view inputs and outputs and their relationship
  - clarify roles and responsibilities
  - judiciously assign necessary resources
  - break down the barriers between departments
  - decrease costs, delays and waste
- and ensures in the long run:
  - control
  - monitoring and
  - continual improvement of processes
- crisis management ("You will not solve the problems by addressing the effects")
- blaming people ("Poor quality is the result of poor management." Masaaki Imai)
- prioritizing investments ("Use your brain, not your money." Taiichi Ohno)