Introduction
What is Deming?
Deming is an open source tool designed to help CISOs maintain their information security management system (ISMS). With it, CISOs can plan and track the implementation of security controls and the continuous improvement cycle. The app is designed to be easy to use and to customize, with an intuitive user interface.
Deming offers features such as security measures management, the planning of controls, the creation of control sheets, the recording of evidence, monitoring action plans as well as dashboards and ISMS management reports to help CISOs monitor the maintenance of information security measures.
The application is designed to be compatible with the ISO 27001:2022 standard, following its requirements for the planning, implementation, verification and continual improvement of the information security management system. It is also designed to help CISOs prepare their organization for ISO 27001 certification audits by providing detailed reports on security controls and by measuring their effectiveness.
This application is released under the GPL license, allowing users to use, modify and distribute it freely. This open source approach allows users to contribute to the development of the application by submitting change requests, bug reports or additional features.
This information security management application is a powerful and customizable tool for CISOs looking to implement and maintain an ISO 27001 compliant information security management system.
With its intuitive user interface, the ability to define new controls and its ISO 27001:2022 compatibility, it offers CISOs great flexibility to adapt the application to their specific needs.
What is Deming not?
Deming is not a miracle solution that performs risk analysis, imports all existing standards, automatically manages your documentation, provides default procedures or uses artificial intelligence autonomously...
But:
- it is not in the cloud;
- you don't need five days of training to use it;
- you are not contacted by a consultancy firm; and
- it's free.
Why control?
To manage the security of the information system, it is necessary to put in place a set of security measures and regularly check that these measures are effective and efficient. These regular checks make it possible to guarantee that the security measures put in place achieve their security objectives.
The purposes of measuring effectiveness are to:
- a) assess the effectiveness of controls;
- b) assess the effectiveness of the information security management system;
- c) verify the extent to which the identified security requirements have been met;
- d) facilitate the improvement of information security performance against objectives;
- e) provide input for management review to facilitate ISMS-related decision-making; and
- f) justify the need for improvements to the ISMS.
Performance evaluation
Clause 9.1 of the ISO 27001 standard requires the evaluation of information security performance, as well as of the effectiveness of the information security management system.
To assess this performance, it is necessary to determine:
- a) what needs to be monitored and measured, including information security processes and controls;
- b) the monitoring, measurement, analysis and evaluation methods, as applicable, to ensure the validity of the results;
- c) when monitoring and measurements should be carried out;
- d) who is to carry out the monitoring and measurements;
- e) when the results of monitoring and measurements should be analyzed and evaluated and
- f) who should analyze and evaluate these results.
Deming helps meet these requirements and retain appropriate documented information as evidence of monitoring and measurement results.
Definitions
Controls: a set of provisions to be implemented. These are the measures to be put in place to implement the security policy.
Measurement: process of obtaining information on the effectiveness of an ISMS and its security measures, using a measurement method, a measurement function, an analytical model and decision criteria [ISO/IEC 27004].
Indicator: result of applying an analytical model to one or more variables in relation to decision criteria or an information need [ISO/IEC 27004].
Attribute: property or characteristic of an entity that can be distinguished quantitatively or qualitatively by human or automated means [ISO/IEC 15939:2007].
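The definitions above chain together: attributes are observed as base measures, a measurement function turns them into a derived measure, an analytical model turns derived measures into an indicator, and decision criteria turn the indicator into a verdict. The following is an added illustration of that chain in Python; it is not code from the Deming project or from ISO/IEC 27004. The control (critical patches applied within 30 days), the quarterly figures, the evidence sources and the thresholds are all constructed for the example. It also shows the validity point from clause 9.1 b): a period with nothing in scope is reported as unmeasurable rather than silently scored as 0 % or 100 %.

```python
"""ISO/IEC 27004-style measurement chain: attribute -> derived measure ->
indicator -> decision. Added illustration, not code from the Deming project;
the control, the figures and the thresholds below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    GREEN = "effective"
    ORANGE = "improvement needed"
    RED = "not effective"
    UNKNOWN = "not measurable"


@dataclass(frozen=True)
class BaseMeasure:
    """An attribute observed on the object of measurement, plus where the evidence came from."""
    name: str
    value: int
    source: str


@dataclass(frozen=True)
class DecisionCriteria:
    """Thresholds the indicator is compared against (constructed values)."""
    target: float     # GREEN at or above this ratio
    tolerance: float  # ORANGE at or above this ratio, RED below


@dataclass
class MeasurementResult:
    """What is retained as documented evidence of one measurement cycle."""
    derived: list[Optional[float]]
    invalid_periods: int
    indicator: Optional[float]
    status: Status


def measurement_function(patched: BaseMeasure, in_scope: BaseMeasure) -> Optional[float]:
    """Derived measure: share of in-scope hosts patched within the SLA.

    An empty population yields None rather than 0 % or 100 %: a ratio over
    zero hosts is not a valid result and must not be scored.
    """
    if in_scope.value == 0:
        return None
    if patched.value > in_scope.value:
        raise ValueError("more hosts patched than in scope: evidence is inconsistent")
    return patched.value / in_scope.value


def analytical_model(derived: list[Optional[float]]) -> Optional[float]:
    """Indicator: mean of the valid derived measures over the review period."""
    valid = [r for r in derived if r is not None]
    if not valid:
        return None
    return sum(valid) / len(valid)


def evaluate(indicator: Optional[float], criteria: DecisionCriteria) -> Status:
    """Apply the decision criteria to the indicator."""
    if indicator is None:
        return Status.UNKNOWN
    if indicator >= criteria.target:
        return Status.GREEN
    if indicator >= criteria.tolerance:
        return Status.ORANGE
    return Status.RED


def measure_control(observations: list[tuple[BaseMeasure, BaseMeasure]],
                    criteria: DecisionCriteria) -> MeasurementResult:
    """Run the whole chain for one control and keep every intermediate value."""
    derived = [measurement_function(p, s) for p, s in observations]
    indicator = analytical_model(derived)
    return MeasurementResult(
        derived=derived,
        invalid_periods=sum(1 for r in derived if r is None),
        indicator=indicator,
        status=evaluate(indicator, criteria),
    )


# Constructed quarterly observations for one control ("critical patches applied
# within 30 days"). Q2 has no hosts in scope, so that quarter cannot be measured.
OBSERVATIONS = [
    (BaseMeasure("patched_in_sla", 91, "CMDB export Q1"), BaseMeasure("in_scope", 100, "CMDB export Q1")),
    (BaseMeasure("patched_in_sla", 0, "CMDB export Q2"), BaseMeasure("in_scope", 0, "CMDB export Q2")),
    (BaseMeasure("patched_in_sla", 97, "CMDB export Q3"), BaseMeasure("in_scope", 100, "CMDB export Q3")),
    (BaseMeasure("patched_in_sla", 120, "CMDB export Q4"), BaseMeasure("in_scope", 125, "CMDB export Q4")),
]
CRITERIA = DecisionCriteria(target=0.95, tolerance=0.85)  # constructed thresholds

if __name__ == "__main__":
    r = measure_control(OBSERVATIONS, CRITERIA)
    shown = "n/a" if r.indicator is None else f"{r.indicator:.1%}"
    print(f"indicator={shown}, unmeasurable periods={r.invalid_periods}, verdict={r.status.value}")
```

With these constructed figures the indicator is the mean of the three valid quarters (about 94.7 %), which falls between the tolerance and the target, so the control is reported as "improvement needed" with one unmeasurable period flagged. Keeping the derived values, the evidence sources and the count of invalid periods in the result is what makes the record usable later as documented evidence of monitoring and measurement.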