When it comes to improving your business’s information security, ISO/IEC 27001 is one of the most recognised standards in the world. But for many small or medium-sized organisations, the idea of implementing it can feel overwhelming. Where do you even start? That’s where the PDCA cycle comes in.
Key Takeaways
It offers a structured, repeatable approach, turning what may feel overwhelming into manageable, iterative phases. Whether you’re just beginning your ISO 27001 journey or advancing through it, PDCA keeps your implementation grounded, practical, and focused on continual improvement.
PDCA stands for Plan-Do-Check-Act, and it’s a straightforward, repeatable process that helps you build and continuously improve your Information Security Management System (ISMS). The cycle provides a roadmap and, whether you’re just getting started or already on the journey, it’s a useful guide to implementation and ongoing improvement.
Let’s look at a more detailed breakdown of the cycle.
Plan
In the “Plan” phase, you’re laying the foundation for your ISMS. It is a crucial stage for identifying and assessing your information security risks and determining the treatment options to build an effective ISMS.
Before you start this stage, you need to ensure that you have the commitment of your top leadership and an agreement on the allocation of resources and budgets. There are some big decisions that need to be made before you start, so it’s important to have these discussions with your top management.
Firstly, you need to decide whether to appoint an external consultant to assist you on your journey or to do the implementation yourself.
A second, and equally important, decision is how you will manage your ISMS. It is entirely possible to manage your ISMS documentation in tools already used in your business, such as Confluence or Google Docs. Some companies, though, choose to use specialised tools to manage their ISMS alongside other governance and compliance frameworks.
Key activities
- Understand your organisation’s context (what you do, who you serve, and what data is critical)
- Identify stakeholders and their expectations (customers, partners, staff, regulators)
- Define your ISMS scope (which parts of your business the ISMS will cover)
- Identify and assess your information security risks
- Set objectives (what you want to achieve with your ISMS)
- Create policies and procedures to manage identified risks
Key outputs
- Defined context of your organisation (internal and external issues relevant to the ISMS)
- A list of your stakeholders (showing their needs and expectations)
- Documented scope of your ISMS
- The objectives of your ISMS
- Your information security policy
- ISMS Roles, responsibilities and authorities assigned to your team
- Documented risk management methodology
- Log of your assets, risks and your risk treatment plans
- Your statement of applicability (SoA), listing the controls from Annex A and elsewhere that you will use to treat your risks, with a justification for each inclusion and for any Annex A controls you exclude
Do
The “Do” phase has a dual focus: implementing the controls and policies that you planned, and carrying out awareness and training activities.
The outputs from the “Plan” phase are critical inputs to the “Do” phase, as you will only implement controls according to your context and your risk treatment plan.
This is why the planning is so critical. You are not going to change everything on day one, so refer back to your scope, your risk management methodology and your treatment plans regularly. If you don’t, you risk going overboard with “doing” and may end up implementing controls that do not address your identified risks.
This is where your policies turn into daily habits. It’s about making sure your team knows what’s expected and has the tools to do it.
Key activities
- Allocate resources for implementation
- Put relevant security controls in place (e.g. access controls, data backups or employee training)
- Document processes and procedures as required (e.g. IT SOPs, Incident Management, Supplier management and records management)
- Communicate roles, responsibilities and authorities to employees
- Develop and roll out security awareness campaigns
- Identify training needs and implement relevant training.
Key outputs
- Resource and implementation plan
- Documented and approved policies as required
- Documented and approved processes and procedures
- Updated employee contracts if appropriate
- Employee communications plan
- Records of training provided
- Metrics for monitoring
- Updated risk assessment (to assess residual risk)
- Updated risk treatment plans
Check
During the “Check” phase you’re monitoring and reviewing your ISMS to ensure that it is effective in managing your risks, and aligned with your organisational objectives.
Checking what you’ve implemented and identifying opportunities for improvement are key to the ongoing effectiveness of your ISMS. You will want to adapt as the threat landscape changes or the context of your organisation evolves. By now your ISMS should be fully integrated into your business-as-usual operations. If it isn’t, this is the chance to identify that and make the necessary changes.
Key activities
- Monitor controls to ensure their effectiveness
- Measure your progress against your objectives
- Conduct internal audits
- Review incidents or near-misses
- Gather information from your team and other stakeholders
- Identify areas for improvement, scope changes and changes in objectives
- Conduct a management review of your ISMS
Key outputs
- Performance reports
- Internal audit plan
- Internal audit findings
- Management review results
- Updated scope/objectives if required
- Improvement plan
Act
The last step is all about improvement. Based on what you found in the “Check” phase, you take action to correct or improve your ISMS.
Inputs into the “Act” phase include your management review minutes and your audit findings. This is where you will identify opportunities for improvement and be able to address any weaknesses identified in your ISMS.
It is important that any improvements identified at this stage are properly planned. This is the link back to the “Plan” phase of the PDCA cycle.
The goal here is not perfection – it’s progress. Over time, these small adjustments build a stronger, more resilient ISMS.
Key activities
- Create an improvement plan to address non-conformities and act on opportunities for improvement
- Identify areas for improvement from the Management Review minutes
Key outputs
- Non-conformities log, recording each finding, its corrective action, the owner and the priority
PDCA is a cycle, not a one-off task
One of the great things about PDCA is that it never really ends. Once you’ve gone through the full cycle, you start again – this time with a better understanding of your organisation and how to protect it.
ISO/IEC 27001 is not a “set and forget” project. It’s a living system that grows with your business, is fully integrated into your business operations, and the responsibility of every person in the business.
The PDCA model helps you stay organised, proactive, and responsive to change.
Conclusion
If you’re looking to implement ISO 27001, the PDCA cycle is your friend. It breaks the journey into clear, manageable steps and keeps your focus on continuous improvement. You don’t need to do it all at once, and you don’t need to do it alone.
Whether you’re just exploring ISO 27001 or already halfway there, using the PDCA cycle will keep your implementation grounded, practical, and effective.
Want to know more or need support getting started? Please get in touch, we’d be happy to guide you through it.
