Continuous improvement in the ISO context | The key to sustainable success and value creation

Continuous improvement is required in several ISO standards, such as ISO 27001 and ISO 9001. An organization must therefore constantly work on improving quality, information security, value creation and efficiency in order to obtain the relevant certifications—and be able to demonstrate this accordingly. However, companies benefit not only in the course of the ISO 27001 and ISO 9001 audit if processes are improved in a long-term and measurable way.

How does a continuous improvement process (CIP) work?

In practice, the PDCA cycle has proven itself by repeating the Plan-Do-Check-Act phases at periodic intervals. This method is also generally recognized as practical in audits.

• Plan (planning): Define objectives using measurable figures and define the scope of the measures
• Do (implement): Put planned measures into practice for a defined period of time
• Check: Check results (target values and actual values) and use this data to analyze correlations
• Act: Implement and consolidate improvements or reverse changes if the quality or efficiency of processes or products has deteriorated

The CIP always takes place on a small scale. On the one hand, this makes it easier to measure success; on the other hand, negative effects on systems, processes and subareas tend to be minimal. This is because it is not clear in advance whether every change will work in the overall system or even cause damage. It should therefore also be possible to reverse changes.

There is no end to the continuous improvement process; as an organization, you are always striving to reduce costs and improve the quality of products and services.

Where can the CIP or PDCA cycle be found in ISO standards?

The PDCA cycle, which can be used in practice to achieve the continuous improvement of process structures, can be found directly and indirectly in various chapters of ISO standards; the overarching high-level structure creates clarity and standardization in the structural design of various ISO standards.

• Plan phase - Chapter 6 describes the planning of all measures that are relevant to quality (ISO 9001) or information security (ISO 27001). This also includes the use of resources, the focus on customer satisfaction, responsibilities, risks and the (measurable) objectives. The fulfillment of the requirements from chapters 4 (corresponding to the context, requirements and scope) and 5 (including leadership, roles and authorities) must be taken into account during planning. In chapters 4 and 5 of the ISO standards, the requirement to improve the QMS or ISMS is literally demanded in several places.
• Do phase - Chapters 7 (Support) and 8 (Operation) are assigned to the Do phase. This is also about the resources, know-how and skills required for implementation. Targeted internal and external communication and documentation during the Do phase are also included here. Improvement is also mentioned literally as a maxim in several subchapters.
• Check phase - Chapter 9 (evaluation of performance) describes the requirements for internal audits and for the evaluation of the management level. In these performance analyses, “opportunities for improvement” must be specifically considered.
• Act phase - The Act phase comprises the transfer of all findings from the Do phase and (positive and negative) deviations from the Check phase into practice (Chapter 10 “Improvement”). In other words, the review of all results and the introduction of measures to achieve the objectives form the conclusion of a run in the PDCA cycle.

The Act phase is in turn relevant for the subsequent Plan phase in the PDCA cycle. This creates a perpetual cycle of planned improvement-oriented action and data/figure-based, measurable assessments and the derivation of measures, including recurring checks on target achievement.

Competitive advantages thanks to a continuous improvement process

• In the long term, quality, customer satisfaction, process throughput times and efficiency improve. At the same time, there are fewer accidents, complaints or errors and costs are reduced.
• Clear responsibilities and sensitization for improvement—employees in all positions develop an eye for quality management.
• In good quality management structures, all employees are involved—unlike in an improvement suggestion system, for example, where often only a small part of the workforce is actively involved.
• The way of looking at quality and cost reduction is changing to thinking in terms of processes and standardization. Only through standardized processes and documented procedures can a structured, controlled and targeted improvement take place.
• Risk awareness is increased as processes are viewed as a whole and “adjusting screws” are examined more closely. This creates synergy effects, as risk assessments are also required in most ISO standards.
• Coordinated organization-wide communication on quality improvement and maximum added value is promoted.

Conclusion and practical tips for a successful continuous improvement process (CIP) within the framework of ISO standards

Of course, the benefits of a CIP can only be realized if the management system is put into practice in day-to-day work and is not just a theoretical construct that is used to strive for ISO certification with as few resources as possible.

The introduction of an integrated management system (IMS), including the GRC software to be used, should be accompanied by transparent communication and training. Listen to the concerns and questions of your employees, because a successful CIP requires motivation, clear responsibilities and comprehensible and realistic objectives.

Implement an IMS (ideally GRC software) to record and assess risks and for software-supported management of measures and controls.

And last but not least: don’t forget to communicate successful and implemented improvements—this provides additional motivation.