PDCA, or Plan Do Check Act – also known as the Deming cycle or PDSA (S=study). Probably the simplest and most logical of ideas and fundamental to all things ISO, in my opinion.

The PDCA cycle is an iterative, four-step approach that emphasizes the continual improvement of processes through effective change management. ISO standards often refer to the “PDCA” cycle, but the cycle itself is not mandated. Any method that leads to continual improvement can be used, but the PDCA cycle is probably the most commonly thought of.

At a high-level, management system standards, such as ISO 9001, ISO 22301, and ISO/IEC 27001, outline requirements that mirror this approach. You can see this reflection initially where standards require an organization to: establish, implement, operate, monitor, review, and continually improve the management system.

Looking more closely at the major clauses, we can see that clause 4 – Context of the Organization, 5 – Leadership, 6 – Planning, and 7 – Support represent the PLAN phase. Clause 8 – Operation, reflects the DO phase. Clause 9 – Performance, reflects the CHECK phase. And clause 10 – Improve, reflects the ACT phase.

By keeping this simple idea in mind, we have most of the answers to questions that are often asked about management systems and their ongoing operation.

So let’s describe these steps, in the context of a management system, with a little more color.


Plan the change. Determine what it is that you want to achieve and how you intend to achieve it.

The organization must understand its issues and challenges, its legal and regulatory obligations, the requirements, expectations and needs of interested parties. With this understanding in mind, leaders can make better decisions about the intended outcomes and purpose of the management system. The organization must also determine the scope and boundaries in which the management system will operate, i.e. the processes that are covered and their linkages inside and outside of the organization.

The organization’s leadership must drive the change, show commitment and ensure that changes are integrated into business processes. They must establish policy, and determine the roles, responsibilities, and authorities of people who play a role in the achievement of policy goals and objectives.

The organization must consider risks and opportunities in relation to its context, and determine the actions that will be taken to achieve the policy goals and objectives and achieve the intended outcomes of the management system.

Management must set objectives that support the policy and will provide a means to be able to measure the effectiveness of planned actions.

In order to implement planned actions and changes, and to be able to achieve objectives, management must provide the necessary resources, ensure the competency of persons doing work for or on behalf of the company, and ensure a culture, attitude, and understanding by staff that will allow the change to be successful.

Communications must be effective and processes established, along with processes for the management of documents and records.


Implement the plan.

Doing is simply carrying out the actions that have been planned. The better the plan, the easier this should be.

If we are implementing an information security management system, this would entail the assessing and treating of risks, as well as operating our security controls. In a quality management system, we would, for example, be evaluating our suppliers and manufacturing our product.

At this stage, the organization must also be maintaining records of actions taken and the results.


Check if the plan has been successfully implemented and evaluate the effectiveness of actions taken.

At this stage, we should have the results of having operated our change, and we need to look at the data.

At the operational level, managers should be checking to ensure that staff are adhering to policy, following procedures, and keeping accurate records. The organization should also be analyzing and evaluating the results to determine potential process improvement opportunities.

The organization must also be carrying out independent assessments, through internal audit, of its own processes to be able to report objective and factual information to management about the extent to which the organization is conforming to its own processes and whether those processes are effective in achieving the intended outcomes.

And at the top of the food chain, we have the people who have established the policy and objectives, i.e. those who are accountable – top management. This individual, or group, must want to know whether or not the management system is achieving its objectives or requires any adjustment, as well as determining the ongoing suitability and adequacy of the management system. They’ll want to know what the issues are (such as not achieving objectives due to a lack of resources or competency) so that they can take action. This is our management review.

The bottom line here is, if you don’t check, how do you know that it’s working? Gut feeling? Unacceptable, my friend!


Take action based on what we have learned from the check phase.

Based on what we have learned through the check phase, we are in a great position to make informed decisions about what can be or needs to be done to improve.

If we have found that we are nonconforming with a procedure, we will want to correct the problem that has been identified, investigate the root cause, and take action to prevent the recurrence of the nonconformity in future.

Where we have identified process weakness or improvement opportunities, we’ll want to prioritize and plan their implementation (as appropriate).

And this is where we link neatly back to the Plan phase. You gotta plan these changes, then implement them (do), check that the plan was implemented and that the change has achieved the objective (check), and so the journey continues.


The PDCA cycle can be used to improve any process, at a high or low level, or anywhere in-between. We refer to it a lot when talking about management systems, whether implementing or auditing, but don’t try to over-analyze it as it’s a sure way to go insane.

Instead, use it as a compass for navigating your way through the management system jungle. This is why I say it’s the answer to all questions ISO – If you know it’s broke, then you must act! If you did it and you don’t know whether it worked or not, then you must check! If you gotta do something, then you gotta plan!

It doesn’t matter where you jump in as this is a continual cycle. The effective management of business processes is ongoing, and it’s the reason why we have continual improvement as a result.
