Plan Do Check Act PDCA in ISO 27000

Information security is a significant concern for businesses, regardless of their size or industry. ISO 27000 is a standard developed by the International Organization for Standardization to help organisations keep their data and information systems secure from cyber security threats. It protects customer data, financial information, employee details, and other crucial information assets.

Like most information security standards, ISO 27000 requires you to build a technique for continuous improvement into your information security practices. Many information security professionals use the PDCA model, also called Plan-Do-Check-Act.

Below, the business coaching experts from Next Practice describe everything you need to know about the PDCA model and how it can benefit your business’s information security systems.

What is a PDCA Cycle?

The PDCA cycle (Plan-Do-Check-Act) is an iterative design and management technique used by companies to continually improve and control processes. PDCA applies whenever you want to make changes in your organisation. These changes could be integrating a new policy, installing new firewalls, changing training content, or asking your team to change how devices are installed.

The basic steps are the same for every change you make: Plan, Do, Check, Act, as described below:

  • Plan – The continuous improvement model begins with the plan step. In this step, you identify the activity you want to improve and how you will track the change. Define a method for evaluating effectiveness. It is also important to measure the current value of your system before the improvement and to set the target value you expect after the change.
    Use a metric that is relevant to your business and aligns with organisational goals, such as the average score on a security question, time spent on system configuration, or the number of incidents.
  • Do – This phase involves implementing what you set out in your plan: the before-value, goals, objectives, and metrics. Depending on your goals, you may change how you install devices, modify training, or deploy new firewalls.
  • Check – After making the changes, track the effect by measuring the change in your metrics. Simply put, this is the performance evaluation step, where you check or measure what the change achieved. Note that while you expect some improvement, the metric may show no change at all.
  • Act – What you do in this step depends on the outcome of the check phase. If the change was fruitful, integrate it into your system by updating documentation, instructing your team, or changing the process description. If the change was unsuccessful, update your metrics' current values and repeat the cycle.

ISO Consulting from Next Practice

If you need help improving your information security management system, Next Practice can help. As the leading business coaching and consulting firm, we can help you apply the Plan-Do-Check-Act (PDCA) cycle to improve your information security processes and procedures.

We have over 25 years of experience coaching and mentoring business owners. We can help you solve any business issue you’re facing and provide a framework for PDCA implementation. Contact us today or fill out our online form to discuss your business coaching needs with us.