
PDCA for ISO 27001: The Improvement Cycle

7 min read · 27kay

The PDCA cycle - Plan, Do, Check, Act - is the operating model behind every ISO 27001 management system. It is not a concept you implement once and move on from. It is the recurring loop that takes your ISMS from initial implementation through certification and into genuine continual improvement. Understanding how PDCA maps to the standard’s clauses makes the difference between an ISMS that evolves with your business and one that gathers dust between audits.

How PDCA maps to ISO 27001 clauses

The ISO 27001:2022 clause structure follows the PDCA model directly. Here is how they align:

Plan - Clauses 4 through 7

The Plan phase establishes the foundation of your ISMS. This is where most of the upfront work happens:

Clause 4 - Context of the organization. Define your scope, identify interested parties, and understand the internal and external issues that affect your information security. For a SaaS startup, this might mean documenting your cloud infrastructure, regulatory requirements like GDPR, and customer contractual obligations.

Clause 5 - Leadership. Establish management commitment, define the information security policy, and assign roles and responsibilities. This is where leadership signs off on the ISMS scope and commits the resources needed.

Clause 6 - Planning. Conduct your risk assessment, define risk treatment plans, set information security objectives, and plan how to achieve them. Your Statement of Applicability gets produced here - mapping which Annex A controls you will implement and why.

Clause 7 - Support. Determine the resources, competencies, and awareness training needed. Establish your documentation framework - what documents you need, how they are controlled, and how they stay current.

Do - Clause 8

The Do phase is implementation:

Clause 8 - Operation. Execute your risk treatment plans, implement the controls you selected, and run the processes you designed in the Plan phase. This is where policies become operational - access controls get configured, encryption gets deployed, incident response procedures get tested, and your team starts following the documented processes.

For most organizations, the Do phase is where theory meets reality. A control that looked straightforward on paper - say, A.8.9 Configuration Management - turns out to need a configuration management database, change approval workflows, and baseline documentation. The Do phase reveals these implementation details.

Check - Clause 9

The Check phase evaluates whether your ISMS is working:

Clause 9.1 - Monitoring, measurement, analysis and evaluation. Define what you will measure, how you will measure it, and how often. Track metrics like incident response times, vulnerability remediation rates, access review completion rates, and training coverage percentages.

Clause 9.2 - Internal audit. Conduct internal audits to verify that your ISMS conforms to the standard and to your own policies. Audits reveal gaps between what your documentation says and what actually happens day to day.

Clause 9.3 - Management review. Present ISMS performance to leadership. Cover the status of actions from previous reviews, changes in external context, audit results, risk assessment updates, and improvement opportunities. This review closes the feedback loop between operational teams and management.

Act - Clause 10

The Act phase drives improvement:

Clause 10.1 - Nonconformity and corrective action. When something goes wrong - a failed audit finding, a security incident, a process breakdown - identify the root cause and implement corrective action. Document what happened, what you did about it, and verify the fix works.

Clause 10.2 - Continual improvement. Beyond fixing problems, look for opportunities to make the ISMS better. This might mean automating a manual process, consolidating redundant controls, or adopting a new tool that reduces operational overhead.

PDCA in practice - four scenarios

The PDCA cycle adapts to wherever you are in your ISMS lifecycle:

New implementation. A 20-person fintech company starting from scratch spends 8-12 weeks in Plan (scoping, risk assessment, SoA, documentation framework), 8-12 weeks in Do (implementing controls, training the team), then runs its first internal audit (Check) to identify gaps before the Stage 1 certification audit. The Act phase addresses audit findings and refines processes before Stage 2.

Post-certification maintenance. After certification, the cycle runs continuously. Quarterly internal audits (Check) feed into management reviews. Corrective actions from audit findings (Act) lead to updated risk assessments and control adjustments (Plan), which get implemented in the next sprint (Do). Most mature organizations run overlapping PDCA cycles on different timeframes - monthly for operational metrics, quarterly for audits, annually for full management reviews.

Major change management. A company migrating from on-premises to AWS runs a focused PDCA cycle: risk assessment on the new architecture (Plan), implementation of cloud security controls such as A.5.23 and A.8.26 (Do), validation that the controls work and that no new gaps have appeared (Check), adjustment based on findings (Act). This targeted cycle fits within the broader annual ISMS cycle.

Surveillance audit preparation. Between certification audits, surveillance audits happen annually. The Check phase ramps up - review all corrective actions from previous findings, run an internal audit covering the clauses the external auditor will focus on, prepare the management review output. Act on anything that needs fixing before the auditor arrives.

Why PDCA works for startups and small teams

PDCA scales naturally. A five-person startup and a 500-person enterprise use the same cycle - they just adjust the depth and formality.

Start lean, grow deliberately. In your first cycle, your risk assessment might be a spreadsheet with 30 risks and your internal audit might be a single person reviewing controls against the SoA. That is perfectly valid. As your organization grows, the risk register expands, audits become more formal, and the management review involves more stakeholders - but the PDCA structure stays the same.

Align with agile workflows. If your engineering team already runs in sprints, PDCA fits naturally. Plan maps to sprint planning, Do maps to execution, Check maps to retrospectives, Act maps to backlog refinement. Some organizations run their ISMS improvement items through the same sprint board as product work - security improvements compete for priority alongside features, which is exactly how it should work.

Build audit evidence automatically. Each turn of the PDCA cycle generates documentation that auditors want to see: risk assessment updates, internal audit reports, management review minutes, corrective action records, training logs. If you run the cycle consistently, audit preparation becomes a matter of organizing evidence you already have rather than scrambling to create it.

Common mistakes to avoid

Running PDCA only once. The cycle is continuous. Organizations that treat implementation as a one-time project often struggle at their first surveillance audit because nothing has improved since certification. The standard explicitly requires continual improvement - not just maintenance.

Skipping the Check phase. Implementation without measurement is guesswork. If you deployed an access control policy but never verified whether people follow it, you have a documented control that may not actually work. Internal audits and metrics exist to catch this.

Overcomplicating the Plan phase. Analysis paralysis is real. Some organizations spend months refining their risk assessment methodology before implementing a single control. A good-enough risk assessment that leads to action is better than a perfect one that delays protection. You can refine the methodology in the next cycle.

Treating Act as optional. When internal audits find issues, the temptation is to log them and move on. The Act phase requires root cause analysis and verified corrective action. Auditors track whether you actually close findings - open items from previous cycles are a red flag.
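As an added example, not code from the 27kay article, here is a small Python check that computes one Clause 9.1 metric (vulnerability remediation rate against an assumed SLA) and flags the Clause 10.1 failures the paragraph above warns about: findings carried over from a previous cycle and closures recorded without a root cause or a verified fix. The record shapes, SLA values and sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:  # constructed corrective-action record, not a 27kay artifact
    ref: str
    opened: date
    closed: Optional[date]
    root_cause: str = ""
    verified: bool = False
@dataclass
class Vuln:  # constructed vulnerability-tracker record
    ref: str
    severity: str
    found: date
    fixed: Optional[date]

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # assumed remediation SLA per severity

def remediation_rate(vulns, as_of):
    """Clause 9.1 metric: share of SLA-due vulnerabilities fixed inside their SLA.
    Open items past their deadline count as missed; items still inside their SLA are not yet due."""
    due = [v for v in vulns if v.fixed or (as_of - v.found).days > SLA_DAYS[v.severity]]
    met = [v for v in due if v.fixed and (v.fixed - v.found).days <= SLA_DAYS[v.severity]]
    return len(met) / len(due) if due else 1.0

def carried_over(findings, cycle_start):
    """Clause 10.1 red flag: findings opened in an earlier cycle and still open."""
    return [f.ref for f in findings if f.opened < cycle_start and f.closed is None]

def unverified_closures(findings):
    """Closed findings with no root cause or no verified fix: corrective action not complete."""
    return [f.ref for f in findings if f.closed and not (f.root_cause and f.verified)]

AS_OF, CYCLE_START = date(2024, 7, 1), date(2024, 4, 1)  # constructed reporting date and cycle start
VULNS = [
    Vuln("V-1", "critical", date(2024, 5, 1), date(2024, 5, 5)),  # fixed in 4 days: met
    Vuln("V-2", "high", date(2024, 5, 1), date(2024, 6, 15)),     # fixed in 45 days: missed
    Vuln("V-3", "medium", date(2024, 6, 20), None),               # open 11 days, SLA 90: not yet due
    Vuln("V-4", "critical", date(2024, 6, 1), None),              # open 30 days, SLA 7: missed
]
FINDINGS = [
    Finding("NC-1", date(2024, 2, 10), None),                           # opened last cycle, still open
    Finding("NC-2", date(2024, 3, 5), date(2024, 5, 2), "no owner", True),
    Finding("NC-3", date(2024, 5, 20), date(2024, 6, 1)),               # closed, no root cause or verification
    Finding("NC-4", date(2024, 6, 10), None),                           # opened this cycle, in progress
]

def management_review_snapshot(vulns=VULNS, findings=FINDINGS, as_of=AS_OF, cycle_start=CYCLE_START):
    """One Clause 9.3 input: the metric and the open items leadership should see."""
    return {"remediation_rate": remediation_rate(vulns, as_of),
            "carried_over": carried_over(findings, cycle_start),
            "unverified_closures": unverified_closures(findings)}
```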

How 27kay can help

We help organizations implement and maintain ISO 27001 using the PDCA cycle as the operating framework - not just a diagram in a presentation. Whether you are starting your first cycle or looking to mature an existing ISMS, we can help you build a practical improvement process that fits your team size and pace.

Not sure where you are in the cycle? Let’s talk - we will assess your current state and help you plan the next turn.