Systems Thinking is at the base of the ISO 27001 Information Security Management System. A system has been defined as "A collection of interrelated, interdependent components or processes that act in concert to turn inputs into some kind of output in pursuit of some goals. Systems influence and are influenced by their external environment."
A single process is defined as actions that transform inputs into outputs in a controlled manner. The organization is a collection, or system, of interrelating processes that are glued together by many input-output relationships.
ISO 27001 states that "Identifying, understanding and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives."
Systems thinking is the opposite of the normal form of analysis. "Analyze" comes from the root "to break into constituent parts". Instead of isolating smaller and smaller parts of the system being studied, systems thinking expands the view to look at larger and larger interactions. It focuses on how the thing being studied interacts with the other constituents of the system of which it is a part. A system is a set of elements that interact to produce behavior. Systems thinking sometimes results in different conclusions from the traditional form of analysis.
Examples of situations in which systems thinking has proved its use are:
- Complex problems that require helping many actors see the big picture and not just their part in it.
- Recurring problems or those problems that have been made worse by past attempts.
- Where the action influences the environment surrounding the issue.
- Problems in which the solution is not obvious.
Systems have been organized into four categories:
- The whole
- The goals
- The internal workings
- The long term results
Once we observe and understand the relationship between the system and its behavior, we can understand how the system works, what makes it deliver poor results, and how to shift it into better behavior patterns. Processes that cover the organization are managed, and the results are the outputs or outcomes of the organization, which must satisfy all stakeholders and should lead to sustained success.
Feedback is an important element of systems thinking. In the case of a quality management system, feedback is received from interested parties such as vendors, customers, regulators and employees.
The external boundary of the system may be set, the interaction with outside parties noted, and how it affects the organization understood.
A quality management system is made up of three subsystems: a social, a technical and a management subsystem.
- Social Subsystem
Requires a change in organizational culture (values, attitudes, norms and role expectations), communications (level of relationship between individuals and groups, symbols of power and reward structure) and behavioral attributes. It encapsulates customer satisfaction, respect for people, continuous improvement and management based on facts.
- Technical Subsystem
Includes a transformation process as an interaction among inputs, resources and outputs and all the tools, techniques, machinery and quantitative aspects of quality.
- Managerial Subsystem
Includes the framework for policies, practices, procedures and leadership in the organization. Includes the organizational structure, mission, vision, and goals of the organization, as well as administrative activities like planning, directing, organizing, coordinating and controlling activities.
The system approach enables the organization to meet customer requirements and achieve continual improvement by finding cause-and-effect relationships in its processes and their interrelationship.