Finding The Hidden InfoSec Story

How the Deming Cycle can Reinforce Safety

– for Information Systems and Divers

The Deming cycle (Plan – Do – Check – Act) forms the foundation of continual improvement principles in a wide range of management systems such as ISO9001, ISO20000, ISO22301, ISO27000,…

The four phases are:

P: Objectives and processes necessary to deliver results
D: Implement the Plan, Execute the process, Make the Product, …
C: KPI (Key Performances Indicators) – Measures
A: Corrective actions



In information security systems, the ISO/IEC 27001:2013 standard places an emphasis on measuring and evaluating how well an organisation’s information security management system (ISMS) is performing. Underpinning this is the ISO/IEC 27003 standard for ISMS implementation guidance, which focuses on the critical aspects needed for successful design and implementation of an ISMS in accordance with the 27001 standard.

By following a clear methodology such as this, an organisation can be sure it is meeting the requirements of an ISMS, and it can also benefit from the continuous improvements that come from implementing such a methodology.

The main steps in implementing an ISMS are in the figure below:


Now let’s see how this would apply to a completely different field, that of the recreational diver…..

A recreational scuba diver is trained to be familiar with continual improvement. It allows him to reduce the risk factors encountered in diving and to improve his performance and benefit fully from his hobby and from each dive as long as possible.

We compare briefly the Deming cycle (PDCA) with what a diver does to satisfy his passion (prior to the dive, during the dive, after the dive,…)

Where the Deming’s cycle is divided in four big steps, the diver compresses it into three.

The Check step is combined with the Do step (during all the dive, and not after the dive) on an ongoing basis. Because we don’t want to wait until we are out of the water to check if we still have enough air in our tank(s), this is a continuous process throughout the dive. We also need to react quickly should an incident occur.


P: Plan the Dive  

  • The Diver prepares and controls his gear prior to dive (alone and with his buddy), he reviews “ad-hoc” signs used underwater with his buddy to ensure they understand each other.
  • He follows a determined procedure to prepare his gear
  • He defines what will be performed during the dive. It is processed prior each dive, even if we dive always with the same buddy and always on the same dive spot, as each dive is unique.
  • The briefing allows him to review or discover the Dive spot (schemas, explanations on the tides, waves, species and threats)
  • He configures his Dive Computer (according to the type of water, altitude, gas mixture, local time)

Do : We Dive  

   The shortest step to describe and the most fun for a Diver !

Check :  Underwater, the Check is an ongoing process within the Do 

  • The diver checks on a ongoing basis that he still follows the Diving plan, ocean currents, the local environment, and that he is staying on course
  • He checks regularly the air remaining in his tank  (and those of his buddy),
  • He  checks his dive computer (his depth, if he must perform safe stops and for how long depending on the remaining air)

The diver doesn’t have his nose glued to the dive computer screen otherwise he wouldn’t enjoy the dive, but he does check it at regular intervals. Often the divers perform the OK sign “between them”, to verify if everything is OK, the expected answer is an OK, otherwise specific signs exist to describe the problem or the situation. It is essential for divers to detect problems swiftly, as this reduces the risk of accidents that could lead to the paralysis or even the death of a diver.


A: we act  

We are out of the water and it’s time to compare notes with the others divers We learn what it has been discovered, (new species seen, global management underwater, buoyancy, errors). The diver synchronises his dive computer with the software installed on his computer, and can compare air consumption against the previous dives (Check).

When we choose a control (the diver computer), we need to be able to measure what’s happened. Otherwise, how can you improve ? The same goes for information systems, of course.

The dive profile shown below shows us that the diver went down to 35m, and stayed there around 10 minutes and then came back up. He encountered a problem at 15m (by rising too fast) and stayed at 10m untill the end of the dive. We see he then came up too fast from 10m to 5m, and had to spend three minutes of decompression to remove the nitrogen from his bloodstream. He can see all this on the dive computer, and by exporting the data to a suitable software system, he can compare his dives and make improvements.



In writing this article, I have drawn on a couple of ISO standards that apply specifically to recreational diving:

ISO 24801-1:2014 Recreational diving services — Requirements for the training of recreational scuba divers — Part 1: Level 1 — Supervised diver

ISO 24801-2:2014 Recreational diving services — Requirements for the training of recreational scuba divers — Part 2: Level 2 — Autonomous diver

Diving schools training new divers usually follow an ISO standard although these are usually incorporated in the training and certification schemes operated by bodies such as PADI ( or Scuba School International ( So even divers have security audits.


Conclusions : 

The Deming’s Cycle allows you to repeat things, to set standards, to improve and avoid rolling backwards ; it applies both to an ISMS, and also to the recreational diver. The Deming Cycle can also be used in everyday life and in many organisations that may even use it without realising, because it is really a matter of common sense.

In information security, organisations need to keep improving their information systems in order to meet new types of threat. By following the path of continuous improvement, they can set new levels of security that need to be achieved, and they must keep in mind that once they have set their controls, these controls need to be measured (Check).

The diver also follows the Deming Cycle by learning about his equipment, about the risks and accidents, in order to reduce the risk of future accidents, and stay in control during a dive. He willingly shares information and experiences with other divers, so that they are all aware of any new risks.

Continuous improvement can be applied in all aspects of life. Although change can be hard for many people to accept, it is essential for any form of progress. Errors are only errors if we do nothing about them. On the other hand, if we learn from them and take corrective action, then we are going in the right direction.

It’s not enough to know where we are ; we need to know where we want to be.


This analogy was originally published on 29th January 2015 and is available in the following alternative languages.

French flag

Share This Post On