Answer: First it is important to note that "incorporated" is a more proper word than "diluted" when speaking about PDCA on ISO 27001. The point is that now the cycle is not expressly displayed in the introduction of the standard as was the case in older revisions.
Since ISO 27001 adopted the same High Level Structure and Annex SL as ISO 9001, ISO 14001 and many other management system standards, the same principle is applied regarding the PDCA. First you need to plan your system, which includes determining the context, the policy, addressing risks and opportunities, determining information security risks, setting the objectives and providing resources; basically, you need to cover clauses 4 to 7.
The Do phase is defined by clause 8, where you need to establish and apply operational controls in order to treat information security risks.
The Check phase is located in clause 9, and it requires the organization to perform monitoring and measurement, conduct internal audits, compliance evaluation and management review in order to determine the conformity of the ISMS to the requirements of the standard, legal requirements and the overall effectiveness of the ISMS, as well as the effectiveness of the operational controls and the actions to address risks and opportunities.
Finally, the Act phase is defined in clause 10, which defines requirements for continual improvement, corrective actions and nonconformities.
This article will provide you further explanation about ISO 27001 and PDCA:
- Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
Jun 20, 2019