Quiz Entry - updated: 2026.07.14
What are the four phases of the PDCA cycle as applied to an ISMS according to ISO 27001?
Plan (establish), Do (implement), Check (monitor), Act (improve) — a continuous cycle for managing and improving the ISMS.
* Der PDCA-Zyklus (Deming-Kreis): Plan – Do – Check – Act als nie endende Schleife der kontinuierlichen Verbesserung. *
| Phase | ISMS Activity | Description |
|---|---|---|
| Plan | Establish the ISMS | Create policies, objectives, processes, and procedures relevant for risk management and information security improvement |
| Do | Implement and operate | Implement and execute the ISMS policies, controls, processes, and procedures |
| Check | Monitor and review | Assess and measure process performance against policies, objectives, and practical experience; report results to management |
| Act | Maintain and improve | Take corrective and preventive actions based on audit results and management review to continuously improve the ISMS |
Important context: The PDCA cycle originates from quality management (Deming cycle). While ISO 27001:2013 no longer explicitly requires PDCA, it remains the most commonly taught approach. The key idea is that security management is never finished — it's a continuous cycle.
Input: Information security requirements and expectations from interested parties Output: Managed information security
Go deeper:
PDCA / Deming-Kreis (Wikipedia) — Hintergrund zum Plan-Do-Check-Act-Zyklus aus dem Qualitätsmanagement, den ISO 27001 für die kontinuierliche ISMS-Verbesserung übernimmt.