Governance, Risk Management, and Compliance blog

Has 'Plan-Do-Check-Act' disappeared in the new ISO 27001?

Friday, 04 April 2014 / by Jakob Holm Hansen

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System).

If you look at the new ISO 27001 that was published in late 2013, you may notice that it no longer contains a specific requirement for a PDCA process. Although it does contain clause headings such as Planning, Operation, Performance Evaluation and Improvement, which admittedly are very close to PDCA, your company can now comply with the new ISO 27001 without having an actual PDCA process.

But there is a clear requirement that you continuously improve your ISMS, formally phrased as "the organization shall establish, implement, maintain and continually improve the ISMS".


In general, the new ISO 27001 introduces more flexibility in the choice of method and form than the previous version did. A good example of this flexibility is the requirement for continual improvement: you can choose PDCA, or another method, as your way of continually improving your ISMS.


My recommendation is that you only use PDCA to the extent that it makes sense to you. There are many other ways of ensuring ongoing improvement. Start with something as simple as having (or getting) an overview of your ISMS tasks. Since information security applies to most, if not all, of your business processes, it also involves a number of people. If you want to improve your information security, you need to maintain a continuous overview of the security and compliance tasks people are assigned, and you need to monitor whether or not those tasks are actually carried out.

Strengthening information security by getting a grip on all security and compliance tasks is one of the main features of our compliance platform for all GRC purposes.


We have a number of resources and offers for you:

How to manage security tasks

Educational webinars on information security management

Topics: ISO 27001:2013, ISO 27001, Information Security Management, Information risk management, overview information security management, Compliance and task management, plan-do-check-act, ISMS, ISO Standards
