What is the PDCA cycle, and why is it the heart of every modern management system?
PDCA = Plan → Do → Check → Act. It is the continuous feedback loop that every modern management system uses to drive continuous improvement (kontinuierlicher Verbesserungsprozess, KVP).
* PDCA as a closed feedback loop — Act feeds lessons back into Plan (KVP / continuous improvement). *
| Phase | What happens |
|---|---|
| Plan | Define objectives, identify risks, plan controls and processes |
| Do | Implement and operate the plan |
| Check | Monitor, measure, audit — compare to the plan |
| Act | Fix what didn't work, raise the bar, feed lessons back into Plan |
PDCA is the engine behind ISO 9001, ISO 14001, ISO 27001, BSI 200-1 and essentially every "Managementsystem nach ISO". Visualised as a spiral, each turn lifts the organisation to a higher level of maturity ("Quality Improvement over Time").
Where it came from:
- Originally Walter Shewhart in the 1930s as a statistical quality control loop.
- Popularised by W. Edwards Deming in post-war Japan, which is why it's sometimes called the Deming cycle.
Why this matters for security: "Sicherheit" is not a state you reach once — threats change, the organisation changes, and controls decay. Without an explicit feedback loop, a security programme drifts back into chaos within a couple of years.
Tip: ISO 27001:2022 dropped the explicit PDCA labels from the standard, but the structure (Plan ≈ clauses 4–6, Do ≈ 7–8, Check ≈ 9, Act ≈ 10) is still PDCA in disguise.
Go deeper:
PDCA (Plan-Do-Check-Act) — origin (Shewhart), Deming's Japan work, and the continuous-improvement loop behind every ISO management system.