BG Beter Geregeld ICT
Compliance · 2 min leestijd · 02 November 2025

The PDCA Cycle Explained for Managers

Plan-Do-Check-Act sounds bureaucratic. In practice it means: write down what you do, do it, check whether it works, adjust accordingly. Here's the shortest useful explanation.

PDCA is the backbone of every ISMS. ISO 27001 expects you to apply this cycle. In practice it operates on three levels: strategic (yearly), tactical (quarterly), operational (continuous).

\n\n

Strategic: annually

\n
    \n
  • Plan: annual plan with 2–5 security objectives.
    • \n
  • Do: execution throughout the year.
    • \n
  • Check: internal audit + management review.
    • \n
  • Act: findings feed into the next annual plan.
    • \n
\n\n

Tactical: quarterly cadence

\n
    \n
  • Plan: which controls need attention this period?
    • \n
  • Do: access reviews, backup tests, policy updates.
    • \n
  • Check: collect findings, update the risk register.
    • \n
  • Act: schedule corrective measures.
    • \n
\n\n

Operational: continuous

\n

Log incidents, run phishing simulations, perform vulnerability scans, apply patches. Every week there is something to address.

\n\n

One common rule

\n

Record all cycles (yearly, quarterly, weekly) in the same calendar or tool. An ISMS that lives only in people's heads is an ISMS that won't survive its first busy audit period.

\n\n

See also what is an ISMS.

Onderwerpen

#governance #iso-27001 #pdca #management

Volledige gids: ISO 27001 para pymes sin gastar €50k en consultores

Dit artikel is onderdeel van onze uitgebreide Compliance-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Compliance

ISO 27001 for SMBs without €50k in consultancy fees

ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.

2 min
Compliance

ISO 27001 costs: from initial gap analysis to certificate

A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.

2 min
Compliance

ISO 27001 or SOC 2? Which one fits your Dutch SMB?

ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.

2 min
Compliance

NEN 7510 for healthcare businesses: a step beyond ISO 27001

Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.

2 min
Compliance

The management review: what goes in it and who takes part?

One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.

2 min
Compliance

Setting up an incident log that auditors trust

An empty incident log is a red flag for auditors. It doesn't mean nothing went wrong — it means you're not recording it. Here's how to set up a log that actually works.

2 min
← Alle artikelen in "Compliance"