Root Cause Analysis Techniques

Root cause analysis (RCA) is the detective work of your ISMS—finding the true underlying causes of nonconformities rather than just treating symptoms.

Why Root Cause Analysis Matters

Without proper RCA, you're just putting band-aids on problems:

Symptom Treatment:

• "The server went down, so we restarted it"
• Result: Server goes down again next week

Root Cause Analysis:

• "The server went down due to memory leak in custom application caused by inadequate code review process"
• Result: Implement code review standards, prevent future memory leaks

Popular RCA Techniques

1. The 5 Whys Method

Ask "why" five times to drill down to root cause.

Example:

1. Why did the incident occur? → Sensitive data was emailed externally
2. Why was it emailed? → Employee didn't know the data classification
3. Why didn't they know? → They weren't trained on data classification
4. Why weren't they trained? → New employees don't receive security training
5. Why don't they receive training? → No onboarding security training program exists

Root Cause: Lack of security awareness training in onboarding process

Corrective Action: Implement mandatory security training for all new hires

2. Fishbone Diagram (Ishikawa)

Visualize causes across categories. For example, investigating unauthorized access to a customer database:

Categories:

• People - No training, high turnover
• Process - Weak access control policy, no approval workflow
• Technology - Default passwords, no MFA, shared accounts
• Environment - Rapid growth, pressure to deliver, remote work

3. Pareto Analysis (80/20 Rule)

Identify the vital few causes that create most problems.

Example:

Focus: Password policy and patching process yield 87% improvement

4. Barrier Analysis

Identify which protective barriers failed:

Example: Malware infection

Conducting Effective RCA

Step 1: Define the Problem Clearly

• What happened exactly?
• When and where did it occur?
• What was the impact?
• What evidence exists?

Step 2: Collect Data

• Interview witnesses
• Review logs and documentation
• Examine physical evidence
• Timeline of events

Step 3: Identify Possible Causes

• Brainstorm with team
• Don't dismiss any ideas initially
• Look at people, process, technology

Step 4: Determine Root Cause

• Apply RCA techniques
• Test hypotheses
• Validate with evidence
• Distinguish causes from symptoms

Step 5: Develop Solutions

• Address root cause, not symptoms
• Consider multiple solutions
• Evaluate feasibility and cost
• Prioritize based on impact

Step 6: Implement and Monitor

• Execute corrective actions
• Track effectiveness over time
• Measure recurrence rate
• Adjust if needed

Common RCA Mistakes

1. Stopping Too Soon

Wrong: "The backup failed" Right: "The backup failed because the schedule wasn't updated after system migration because change management process doesn't include backup configuration"

2. Blaming People

Wrong: "John forgot to apply the patch" Right: "No systematic patching process exists to ensure critical updates are applied"

3. Accepting the First Answer

Always dig deeper. The first answer is usually a symptom.

4. Analysis Paralysis

Don't overthink simple issues. Use techniques appropriate to severity.

5. Ignoring Contributing Factors

Root cause may be complex with multiple contributing factors.

When to Use Which Technique

Key Principles

1. Focus on processes, not people - Blame-free analysis
2. Use evidence - Facts, not assumptions
3. Go deep enough - Find true root causes
4. Be systematic - Follow structured methods
5. Validate findings - Test your conclusions
6. Document thoroughly - Others must understand your logic

Next Lesson: Learn how to integrate incident management with your improvement process.