Maintain Your Information Security with the Plan-Do-Check-Act (PDCA) Cycle

By Agnes Norrman | Cyber Security, GDPR | 30 November

It has become common knowledge that organisations need good information and cyber security; otherwise, there can be a string of consequences, e.g. lost trust from their customers. What is often overlooked, however, is whether organisations have established an effective process for the ongoing development and maintenance of their information security. Since cyber security is a dynamic process, and the threats from cybercriminals are always changing, this blog post introduces the Plan-Do-Check-Act (PDCA) cycle for information security and shows how it can help you establish more effective information security.

What is the Plan-Do-Check-Act (PDCA) model?

The Plan-Do-Check-Act cycle is a model that your organisation can use for the continuous improvement of a process. The idea behind the cycle is to avoid repeating the same mistakes. The process is iterative, a common approach in agile management that is also known in fields such as Design Thinking. While the model is simple, the best results are obtained when working with it over the long term, which requires commitment from management.

At CyberPilot, we believe that having a continual awareness program for teams is one of the strongest defences in your organisation’s information security. To provide an example of how the 4-step cycle can be used, imagine that your organisation has just decided to implement a training program.

Plan

In this stage, you identify a problem to solve or a goal to achieve. To track the goals and targets, you must identify all the relevant Key Performance Indicators (KPIs).

Before moving on to the next stage, make sure that everybody in your team can answer the following questions:

  • What is the main problem we will be solving?

  • What resources are needed?

  • What will make the plan successful?

In our example, the overall goal could be to create awareness of information security among the team. One target could be that the majority of the team completes all courses; a KPI can therefore be the number of courses completed. Another target could be that the team enjoys the training, which would probably require a more qualitative method to check.

Do

Now it is time to execute the plan. However, you should also be alert to unforeseen problems that could occur. If the plan consists of big organisational changes, it can be wise to first test the plan on a small scale to avoid disruption. It is also important that you remember to track your KPIs.

In the example, this is where the awareness courses are rolled out to the employees, in the order and at the pace you determined in the Plan stage. Make sure to retain the relevant data on how many employees are completing the courses.

Check

By collecting and analysing the KPIs and the data, it will become clear whether the initiatives have had the desired effect or whether adjustments need to be made. This is done by comparing the result to the expected outcome that was decided in the Plan stage. This is a vital part of the cycle.

In the example, the management in your organisation can analyse the result of the KPI on how many courses have been completed per employee. They can also look at the number of security breaches in the organisation after the courses were rolled out and compare it to how many there were before the initiative started. You could also talk with colleagues to find out what they actually think of the training. All these checking methods help you reflect on and evaluate the plan.
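The Check stage described above, written out as a small script. This is an added example and not code from the CyberPilot post; every employee name, course name, completion record and incident count in it is constructed, and it assumes the learning platform can export completions as (employee, course) pairs. It evaluates the two KPIs the example names (courses completed per employee against the "majority completes all courses" target, and incidents per month before versus after the rollout) and reports what the Act stage should pick up.

```python
"""Check-stage KPI evaluation for the awareness-training scenario.

Added example, not part of the original post. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed: the courses in the awareness program and the team it was rolled out to.
COURSES = ["phishing-basics", "password-hygiene", "gdpr-essentials"]
TEAM = ["alice", "bob", "carol", "dave", "erin", "frank"]  # frank completed nothing

# Constructed: (employee, course) completion records as an LMS export might look.
COMPLETIONS = [
    ("alice", "phishing-basics"), ("alice", "password-hygiene"), ("alice", "gdpr-essentials"),
    ("bob", "phishing-basics"), ("bob", "password-hygiene"), ("bob", "gdpr-essentials"),
    ("carol", "phishing-basics"),
    ("dave", "phishing-basics"), ("dave", "password-hygiene"), ("dave", "gdpr-essentials"),
    ("erin", "phishing-basics"), ("erin", "gdpr-essentials"),
    ("bob", "phishing-basics"),      # re-taken course: must not count twice
    ("zoe", "phishing-basics"),      # former employee, no longer on the team
]

# Constructed: reported security incidents per month before and after the rollout.
INCIDENTS_BEFORE = {"2023-06": 4, "2023-07": 3, "2023-08": 5}
INCIDENTS_AFTER = {"2023-10": 2, "2023-11": 1}


@dataclass
class CheckResult:
    completed_per_employee: dict          # KPI 1: courses completed, per employee
    share_completed_all: float            # fraction of the team that finished everything
    target_met: bool                      # did a majority complete all courses?
    not_completed: list = field(default_factory=list)  # who to follow up with in Act
    incidents_per_month_before: float = 0.0
    incidents_per_month_after: float = 0.0
    next_step: str = ""


def courses_completed(team, completions, courses):
    """Count distinct courses completed per team member (unknown people/courses ignored)."""
    done = defaultdict(set)
    known_courses = set(courses)
    members = set(team)
    for employee, course in completions:
        if employee in members and course in known_courses:
            done[employee].add(course)
    # Everyone on the team gets an entry, so non-starters show up as 0 rather than vanishing.
    return {employee: len(done[employee]) for employee in team}


def incidents_per_month(counts):
    """Average incidents per month over a reporting window; 0.0 if no data."""
    return sum(counts.values()) / len(counts) if counts else 0.0


def check_stage(team, completions, courses, before, after, target_share=0.5):
    """Compare the measured KPIs with the target decided in the Plan stage."""
    per_employee = courses_completed(team, completions, courses)
    finished_all = [e for e, n in per_employee.items() if n == len(courses)]
    share = len(finished_all) / len(team)
    # "Majority" means strictly more than half: exactly 50% does not meet the target.
    met = share > target_share
    if met:
        next_step = "Act: target met; review KPIs and return to Plan for the next iteration"
    else:
        next_step = "Act: find the root cause (time? relevance?) before returning to Plan"
    return CheckResult(
        completed_per_employee=per_employee,
        share_completed_all=share,
        target_met=met,
        not_completed=[e for e, n in per_employee.items() if n < len(courses)],
        incidents_per_month_before=incidents_per_month(before),
        incidents_per_month_after=incidents_per_month(after),
        next_step=next_step,
    )


if __name__ == "__main__":
    result = check_stage(TEAM, COMPLETIONS, COURSES, INCIDENTS_BEFORE, INCIDENTS_AFTER)
    for employee, n in result.completed_per_employee.items():
        print(f"{employee:6} {n}/{len(COURSES)} courses")
    print(f"share completed all: {result.share_completed_all:.0%} (target met: {result.target_met})")
    print(f"incidents/month before: {result.incidents_per_month_before}, after: {result.incidents_per_month_after}")
    print(result.next_step)
```

With the constructed data, three of six people finished every course, which is exactly half and therefore not a majority, so the script routes the result to root-cause analysis rather than declaring success; the drop in incidents per month is reported alongside, since on its own it does not tell you whether the training caused it.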

Act

With the takeaways from the Do and Check stages, the processes can now be improved. In this stage, you respond to the results and optimise the processes. You then adjust the KPIs accordingly and go back to the Plan stage. By repeating the cycle, your organisation will experience constant improvement.

Returning to the example, if the data shows that nobody on the team is completing the courses and the overall attitude has not changed, management should find the underlying reason for this. Do the employees not have time? Do they think it is unnecessary to do the training? What is the root cause? Once you have figured this out, go back to the Plan stage and see how you can make the training better and more relevant to the employees. If, for example, they think the training is unnecessary and stupid, then maybe what is needed is communication about the importance of information security.

Information security is an ongoing process

The Plan-Do-Check-Act cycle can be used at all organisational levels and for all types of processes. However, we believe that the model is especially useful when it comes to cyber security. An organisation will never be 100% secure or un-hackable. Cyber security is about reducing the likelihood of being hacked. The measures to improve cyber security are under constant development, but so are the cybercriminals’ efforts. Hackers have always tried to find new methods to get what they want. For this reason, every organisation should adopt the Plan-Do-Check-Act mindset when it comes to maintaining information security.

Furthermore, the cycle is part of the ISO 27001 standard, which is an international standard on how to manage information security. The standard requires that your organisation uses a method for continuous improvement in your information security policy. This blog post will not go in depth on the ISO standards, but achieving ISO 27001 comes with multiple benefits, such as the signal it sends to clients and the general public that you are committed to managing the information security in your company.

What gets measured gets managed

Many organisations have done a good job when it comes to buying the technical parts of maintaining information security, such as antivirus software, firewalls and spam filters. However, before you purchased the antivirus program, did you actually know why you were buying it and what purpose the program should fulfil? Were the answers based on a risk assessment? Did the management in your organisation agree on how to measure the success of the antivirus program?

If your organisation struggles to answer these types of questions, it will also be difficult to assess the value of the initiative. This means that you will not know whether it is worth pursuing or not.

Your organisation needs to have measures in place, such as KPIs, to be able to assess the effectiveness of the cyber security programs that have been invested in. However, a KPI is only effective if you act when you notice that something is falling short of the intended plan. As the example shows, the Plan-Do-Check-Act cycle is a helpful tool for periodically checking up on your KPIs.

Additionally, there is no ‘one-size-fits-all’ solution in information security. A large airport has different needs compared to a small retail store. When determining which practices, controls and programs to invest in, the decisions should always be based on the organisation’s own situation.