PDCA: An implementation guide to ISO 27001:2022

Learn how the PDCA cycle simplifies ISO 27001 implementation. This guide explains the Plan, Do, Check, Act phases, showing you how to set up, execute, monitor, and refine your Information Security Management System. Discover how PDCA can streamline your path to ISO 27001 certification and boost your business operations.

There are many different stages when implementing a system like ISO 27001 – Information Security Management System.

The Plan-Do-Check-Act (PDCA) process originates from quality assurance and is now a requirement in the ISMS standard ISO 27001 (Information Security Management System). PDCA is also used as an internal audit check, conducted before working through the requirement processes of ISO 27001.

ISO 27001, if analysed by a PDCA cycle, will give you a better vision of implementing governance and alignment with improved business objectives. The ISO 27001 framework has rapidly grown worldwide, allowing you to achieve your certification virtually and globally.


Stages of ISO 27001

Clauses 4 to 10 of the ISO 27001 standard require that, before you implement ISO 27001 in your organisation’s systems, you run an internal audit that includes the PDCA cycle: Plan, Do, Check, and Act. What is this PDCA? It is a cycle that helps you recognise internal and external issues, identify gaps, and determine how to address them.


Plan: Establishing the ISMS

This phase of ISO 27001 helps an organisation establish the scope of the ISMS, its objectives, and its controls. Many companies worldwide face cyberattacks. In the ISO 27001 standard, clause 4.2 determines the context of the organisation. During the planning phase, you must analyse the external and internal issues of the company. Identifying these issues can significantly aid your organisation in implementing the ISO 27001 ISMS procedures and removing obstacles. External issues include legal, economic, and political requirements. Internal issues encompass organisational structure, values, culture, ICT infrastructure, available resources, and similar factors.


Do: Implementing the ISMS

This phase is where an organisation implements the ISMS policy, controls, processes, and procedures. In the Do phase, an organisation conducts a risk assessment and evaluates the reasoning behind each control structure. It must prepare procedures that record the risks and their treatment. It is crucial that the procedure and policy documents are available, adequately protected, distributed, and stored in a managed document system. Documents of external origin must also fall within the scope of the ISO 27001 ISMS. This is how the Do phase is accomplished.


Check: Monitoring and review of the ISMS

This phase covers the monitoring, measurement, analysis, and evaluation checks within the organisation. Responsible persons must measure the performance of the processes against the policies, objectives, and practical experience, following the documented procedure established in the earlier phase. Responsible leaders must report the outcomes of implementing these policies. This is the best way to check which issues have been identified, treated, and eliminated, and which still require revision and improvement.


Act: Updates & improvements to the ISMS

An organisation must undertake corrective and preventive actions based on the results of the ISMS internal audit and management review. A Chief Information Officer (CIO) can be appointed to monitor and measure information security. The CIO must act on any findings related to information security breaches. Continual improvement is an integral part of ISO 27001, requiring organisations to keep improving in order to eliminate further threats.

Recognising the PDCA elements and their applicability to the ISO 27001 ISMS is crucial. It also communicates that everyone with responsibility needs to be involved in implementing ISO 27001. Every improvement must be applied and then documented.
