Quiz Entry - updated: 2026.07.14
Which four phases make up the process of building an ISMS, and which classic management cycle do they follow?
Vorbereitung → Dokumente → Risikomanagement → KVP — following the Plan-Do-Check-Act cycle.
* The four ISMS build phases as a PDCA cycle — Vorbereitung → Dokumente → Risikomanagement → KVP. *
| Phase | Content |
|---|---|
| Vorbereitung (preparation) | Mandate from management, stocktaking, proposal, budget approval |
| Dokumente (documents) | InfoSec policy, issue-specific & system-specific policies, guidelines, approval & communication |
| Risikomanagement | Asset register, risk estimation, risk evaluation, risk treatment, implementation & training |
| KVP (kontinuierlicher Verbesserungsprozess — continuous improvement) | Control, sanctions, improvement, audit, report to management |
The order matters: you cannot write meaningful documents without a mandate, you cannot treat risks you haven't identified against an asset register, and without the KVP loop the whole construction decays.
Tip: KVP is the German term for what ISO calls continual improvement — the "Act" in PDCA. An ISMS is a cycle, never a finished project.
Go deeper:
Demingkreis / PDCA (Wikipedia DE) — KVP als Act im PDCA; Ursprung (Shewhart/Deming) und Einbettung in Managementnormen.