Implementing a system such as an ISO 27001 Information Security Management System (ISMS) involves several distinct stages.
What is PDCA in ISO 27001?
The Plan-Do-Check-Act (PDCA) cycle originates in quality assurance and is now a requirement of ISO 27001, the ISMS standard. PDCA is also used as an internal audit check, conducted before the requirement processes of ISO 27001 are worked through.
Viewing ISO 27001 through the PDCA cycle gives you a clearer picture of how to implement governance and keep security aligned with improving business objectives. The ISO 27001 framework has spread rapidly worldwide, and certification can now be achieved remotely from almost anywhere.
Why PDCA is important for ISO 27001
The PDCA cycle is a key part of implementing and maintaining ISO 27001. It gives organisations a clear way to plan, apply, monitor, and improve their information security processes. Following this cycle helps align security objectives with business goals, ensures regular evaluation and corrective action, and supports continual improvement so the ISMS stays effective over time.
Stages of ISO 27001 implementation
Clauses 4 to 10 of the ISO 27001 standard require that, before you implement ISO 27001 in your organisation's systems, you run an internal audit that follows the PDCA cycle: Plan, Do, Check, and Act. This cycle helps you recognise internal and external issues, identify gaps, and determine how to address them.
The four stages of PDCA for ISO 27001
Plan: Establishing the ISMS
This phase helps an organisation establish the scope of the ISMS, its objectives, and its controls. Many companies worldwide face cyberattacks. Clause 4.2 of the ISO 27001 standard concerns the context of the organisation: during the planning phase you must analyse the company's external and internal issues. Identifying these issues helps your organisation implement the ISO 27001 ISMS procedures and remove obstacles early. External issues include legal, economic, and political requirements. Internal issues include organisational structure, values, culture, ICT infrastructure, and available resources.
Do: Implementing the ISMS
In this phase an organisation implements the ISMS policy, controls, processes, and procedures. It conducts a risk assessment and evaluates the reasoning behind each element of the structure, then prepares procedures that set out the risks and how each will be treated. It is crucial that the procedure and policy documents are available, adequately protected, distributed, and stored in a managed system. Documents of external origin must also fall within the scope of the ISO 27001 ISMS. This is how the Do phase is accomplished.
Check: Monitoring and review of the ISMS
This phase covers monitoring, measurement, analysis, and evaluation within the organisation. Responsible persons must measure process performance against the policies, objectives, and practical experience, following the documented procedure established in the earlier phase. Responsible leaders must report the outcomes observed once these policies are in place. This is the best way to check which issues have been identified, treated, and eliminated, and which still require revision and improvement.
Act: Updates & improvements to the ISMS
An organisation must take corrective and preventive actions based on the results of the ISMS internal audit and management review. A Chief Information Officer (CIO) can be appointed to monitor and measure information security, and must act on any findings related to information security breaches. Continual improvement is an integral part of ISO 27001: organisations are required to keep improving so that further threats are addressed.
Best practices for applying PDCA to ISO 27001
Applying PDCA effectively relies on consistent processes and clear communication across the organisation. The following practices can help maintain alignment with ISO 27001 requirements and support continual improvement.
- Keep documentation up to date and accessible to everyone involved in the ISMS.
- Conduct regular internal audits to check that processes meet ISO 27001 requirements.
- Train staff on information security policies and their roles in maintaining compliance.
- Review and update risk assessments as your business or technology changes.
- Record corrective actions and verify that issues are properly resolved.
- Hold management reviews to assess performance and identify opportunities for improvement.
- Communicate results and updates across all levels of the organisation to maintain engagement.
Recognising the PDCA elements and how they apply to the ISO 27001 ISMS is crucial. It also makes clear that everyone with a responsibility needs to be involved in implementing ISO 27001. Every improvement must be both applied and documented.