Plan-Do-Check-Act ISO 27001

The Plan-Do-Check-Act (PDCA) cycle was created to stimulate continuous improvement of both people and processes. Although the PDCA cycle originates in quality assurance, it has become a requirement of the Information Security Management System (ISMS) described by the ISO 27001 standard. The PDCA cycle is also used as an internal audit check, which should be conducted before working through the processes that ISO 27001 requires.

When ISO 27001 is analysed from a PDCA perspective, it leads to better governance implementation and faster alignment with improved business objectives. In this article, we discuss the PDCA cycle with respect to ISO 27001, and then describe the benefits of ISO 27001 certification.

Stages of ISO 27001

As per the ISO 27001 recommendations outlined in clauses 4 to 10, an internal audit needs to be conducted before attempting to implement an ISMS. The purpose of conducting an internal audit using the PDCA cycle is that it allows organisations to recognise internal and external issues. Additionally, the internal audit helps to identify any gaps between the current management system and the requirements stipulated in the standard. For more information, we suggest you read our ISO 27001 requirements article.

To understand how the PDCA is the underlying theme of ISO 27001, it is necessary to go through the stages of implementing an ISMS. These include:


PLAN: Establishing the ISMS

The planning phase of ISO 27001 helps an organisation establish the scope, objectives and controls of the ISMS. This begins by determining the context of the organisation as per the recommendations of clause 4.2. While implementing the planning phase, organisations must analyse the external and internal issues that are pertinent to the company. We have already examined the internal and external issues of ISO 9001.

Identifying these issues can help the organisation eliminate potential obstacles before they become hazardous. External issues are the threats that affect the external environment of a business, including legal, economic and political obligations. Internal issues, on the other hand, are factors under the direct control of the company, such as organisational structure, culture, values and infrastructure.

DO: Implementing the ISMS

The “do” phase is where an organisation implements and operates the ISMS policy, controls, processes and procedures. In this phase, the organisation carries out a risk assessment and evaluates the causes behind each potential risk. A risk treatment plan is then prepared: a list of procedures that identifies each potential risk and the specific treatment chosen for it. The PDCA cycle ensures that the procedure and policy documents are readily available and adequately protected, distributed and stored within the managed system.

All documents, including those of external origin, such as the list of risks and their treatment, must be covered under the scope of the ISMS. The “do” phase is complete once this data is managed, stored and controlled.


CHECK: Monitoring and reviewing the ISMS

During the “check” phase, the ISMS controls are monitored, measured, analysed and evaluated for their effectiveness. The individuals responsible for operating these processes must measure their performance against the policies, objectives and practical experience, following the documented procedure that was established during the planning phase.

The responsible leaders must report their findings and outcomes, and then measure the results of implementing these policies against the predetermined objectives. Periodic monitoring is the best method to check whether the identified issues have been treated and eliminated.

Additionally, the checking phase helps organisations identify areas of weakness, allowing them to revise their interventions and adopt customised improvement strategies. You will also need a specific checklist for the ISO 27001 audit; we cover this in our ISO 27001 audit checklist article.


ACT: Updating and improving the ISMS

During the last phase, an organisation must undertake corrective and preventive actions based on the findings of the internal audit and the results of the management review. A Chief Information Officer (CIO) can be appointed to monitor and measure the functioning of the information security system. The CIO is responsible for the effectiveness of the ISMS and must therefore act upon any potential or actual security breaches.

As continual improvement is an integral part of ISO 27001, the standard requires that organisations continually attempt to identify, eliminate or mitigate further threats. To avoid stagnation, this phase also focuses on strategies that can further enhance the performance of the ISMS, so that a culture of continual improvement is created. Because these improvement strategies require further planning, the last stage of the PDCA cycle leads straight back into the first. This recurring nature of the PDCA cycle is what allows organisations to continually improve their performance.

Benefits of ISO 27001

By utilising the PDCA cycle, ISO 27001 provides many benefits to an organisation. The ISMS secures your information in all its forms, including digital, paper-based, intellectual property and data on devices or in the cloud. Additionally, it provides a centrally managed framework that helps to keep your organisation’s information safe, secure and well managed in one place. One of the most pertinent advantages of an ISMS, however, is that it helps you respond to evolving security threats: an ISMS reduces the impact of continually evolving risks by constantly adapting to changes both within the organisation and in its environment.

Copyright © 2022 The ISO Council