What is PDCA (Plan, Do, Check, Act) cycle and how is it important for information security?
The PDCA cycle, which stands for Plan-Do-Check-Act, is a process for continually improving an organization's activities in a methodical way. The PDCA cycle, also known as the Deming cycle, is an improvement cycle based on the scientific method: proposing changes to processes, implementing those changes, evaluating the results and taking appropriate corrective actions over time. Information security programs depend on the effective and efficient management of security controls that are designed and implemented to mitigate vulnerabilities, threats and risks, and the associated impact or consequence to the assets of the organization. This in turn relies on total quality management (TQM) systems to evaluate effectiveness and efficiency measures within the organization. TQM provides the organization with tools and techniques that can be used to implement and maintain effective and efficient information security programs aligned with organizational goals and objectives.
The four phases of the PDCA cycle include the following:
- Plan: focuses on designing and planning information security programs in an organization. These activities may include creating a strategy, policies, goals, objectives and best practices required to manage organizational risk to an acceptable level.
- Do: concerned with maintaining and improving information security programs in an organization. It further covers executing and controlling the information security strategy and programs, including their integration into organizational activities.
- Check: focuses on monitoring, auditing, evaluating and reviewing information security programs in an organization. It further facilitates periodic auditing processes to determine compliance with the statements of capabilities and to identify areas for improvement. Organizations should develop and integrate performance measurements that support the goals and objectives of the information security program, because if something cannot be measured, it cannot be managed.
- Act: concerned with implementing corrective, preventive and continuous improvement action plans in the organization. Once areas for improvement in organizational practices are identified, corrective, preventive and continuous improvement efforts must be established and carried out to meet organizational goals.