Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA cycle?” And, on first sight, you might be misled because the standard really doesn’t mention the Plan-Do-Check-Act cycle explicitly; but, you should read the standard a bit more carefully…
Annex SL of ISO/IEC Directives
Let’s start from the beginning – the International Organization for Standardization has issued ISO/IEC Directives where they describe in Annex SL how the management standards should be structured. This is the required structure, by clauses:
2 Normative references
3 Terms and definitions
4 Context of the organization
9 Performance evaluation
So, all the newly published standards like ISO 27001:2013 and ISO 22301:2012 have this identical structure. And all the new revisions of ISO 9001, ISO 14001 and others will have the very same structure.
The intention of the ISO with this Annex SL was, of course, to align all the management standards in order to make them more compatible and enable the integration of management systems in an easier and more convenient way.
What is the PDCA cycle?
For those of you who don’t know what this PDCA cycle is, it is basically a concept developed about 60 years ago by a famous consultant and quality management guru called William Edwards Deming. Essentially, it says the following:
- Before you start implementing anything, you should know exactly what you really need, and exactly what it is you want to achieve (objectives) – this is the Plan phase.
- Once you know what you want to achieve, you can start implementing your information security, business continuity, quality procedures, or whatever the ISO standard is focused on – this is the Do phase.
- However, the whole effort does not stop here – you want to make sure you have achieved what you have planned for, so you need to monitor your system and measure if you achieved your objectives – this is the Check phase.
- Finally, if and when you realize that what you achieved is not what you have planned for, you have to fill the gap – this is called the Act phase.
Or, using an example – when I purchase a car I have an idea on how much it should cost, what color it should be, maximum fuel consumption, etc. (Plan phase); then I start driving it (Do phase), and realize that the fuel consumption is much higher than expected (Check phase) – then, basically, I have 2 options: to drive more easily in order to consume less fuel, or change the targeted consumption (Act phase).
And, although this concept was developed for quality management, very soon it was realized that it can be applied to any type of management, including information security management or business continuity management.
So, today this concept is so dominating in the management thought that it is virtually everywhere – in every ISO management standard, in every management framework, in every theory. It has become so important that it is impossible to avoid it.
So, did the PDCA cycle really disappear from ISO standards?
No it didn’t. It is still very much incorporated into ISO 27001, ISO 22301 and all other standards, only now the cycle is not expressly displayed in the introduction of the standard as was the case in older revisions.
Here is how you can recognize the PDCA cycle in the structure of ISO standards:
- Clauses 4 Context of the organization, 5 Leadership, 6 Planning, and 7 Support are nothing but the Plan phase
- Clause 8 Operations speaks about the Do phase
- Clause 9 Performance evaluation is, of course, the Check phase, and
- Clause 10 Improvement is the Act phase
As you can see, the PDCA cycle was not deleted from new ISO standards; on the contrary, it is so important that the Annex SL requires all ISO standards to structure its main clauses around the PDCA cycle.
So, don’t worry, the PDCA cycle is going to stay around for a long time.