top of page

Using the Deming wheel for ISO 27001 certification: Do and Check phases

Updated: Mar 15

Certification ISO 27001 et construction SMSI
Photo by Caspar Camille Rubin on Unsplash

As we explained in our recent blog article on the subject, the Deming wheel (also known as the PDCA method for Plan, Do, Check and Act) is a performance improvement methodology based on 4 complementary stages:

  • The Plan phase, which consists of planning actions (a phase we have already discussed in a previous article).

  • The Do phase, which involves implementing these actions.

  • The Check phase, which involves evaluating the results of the actions.

  • And finally the Act phase, which consists of developing and optimising the actions.

For more details on the Deming wheel and how to use this tool to plan an ISO 27001 certification, please see our previous blog post.

Once all the elements of ISMS planning have been properly studied and thought through, the next step is to implement the action plan that has been drawn up. However, in a continuous improvement approach, implementation is not enough. It is necessary to monitor and evaluate their implementation and, finally, to optimise and improve the elements that need to be improved.

So, in this new blog post, we're going to look in detail at the next two phases of the Deming wheel, applied to the construction of your ISMS and in the context of ISO 27001 certification: the Do and Check phases.

The Deming wheel: the Do phase for building your ISMS

The Plan phase enabled us to plan the actions to be implemented, determine the resources required and identify the actions to be taken to deal with the relevant risks. The Do phase now consists of implementing each of the actions defined above.

During the DO phase it is necessary to proceed with :

  • Implementation of the operational controls initially planned;

  • Application of the information security risk management plan;

  • Assess any new risks that may emerge or be induced by the implementation of controls;

  • Documentation of the entire implementation process.

Implementing operational controls

The organisation must therefore implement and control the process needed to achieve the information security objectives and carry out the actions determined in the previous stage, the Plan phase.

Each of the plans devised to achieve the defined security objectives is implemented.

In addition, this phase must also monitor planned changes, analyse the consequences of unforeseen changes, and if necessary, take action to limit any negative effects.

Dealing with information security risks

Finally, the organisation must implement the information security risk treatment plan, while once again retaining all the documented information on the results of the information security risk assessment processes.

Information security risk assessment

The organisation must also carry out information security risk assessments at set intervals (or when significant changes are planned or take place), taking into account the risk criteria and requirements established, again, in the planning stage.

Monitoring and documenting the implementation process

In order to ensure that the processes have been correctly followed as planned and to monitor the implementation of the ISMS, it is necessary to document and keep all the information on the implementation of the actions.

The Check phase to assess the success of this implementation

Now that the ISMS construction actions are in place, the next step is to analyse and evaluate the success of these implementations. This involves measuring the extent to which information security objectives have been achieved, and assessing any necessary corrections.

To achieve this, the third stage of the Deming wheel, Check, applied to the construction of an ISMS in the context of ISO 27001 certification, requires three stages of equal importance:

  • The monitoring, measurement, analysis and evaluation stage of the actions implemented.

  • The internal audit stage.

  • And finally, the management review stage.

Monitoring, measuring, evaluating and analysing the actions implemented

The organisation must assess its information security performance and the effectiveness of its information security management system. The organisation must determine :

  • The processes that must be subject to continuous monitoring and for which a new risk assessment is required

  • The monitoring, analysis, measurement and assessment methods used.

  • The frequency of monitoring and measurement.

  • The person responsible for these monitoring and measurement activities.

  • The frequency with which monitoring and measurement results are analysed.

  • The person responsible for analysing the monitoring and measurement results.

Once again, all this information must be documented and kept as evidence of the results of the monitoring and measurements.

Internal audit

In order to ensure that the implemented ISMS complies with the organisation's requirements for its ISMS as well as the requirements of the International Standard, the organisation shall:

  • Plan, establish, implement and maintain one or more audit programmes, including audit frequency, audit methods, responsibilities, planning requirements and reporting.

  • Define the audit criteria and the scope of each audit.

  • Select auditors and carry out audits that ensure the objectivity and impartiality of the audit process.

  • Ensure that the results of audits are reported to the relevant management.

  • Maintain documented information as evidence of the implementation of the audit programme(s) and audit results.

These audits will highlight the vulnerabilities still present in the organisation's information system and produce recommendations for corrective measures which, once implemented, will ensure that the security objectives are met and that the ISMS is operating optimally.

Management review

This management review must be carried out at regular intervals, to ensure that the ISMS implemented by the organisation is still appropriate, adapted and effective.

This management review must therefore take into account :

  • The progress of actions decided at the end of previous management reviews.

  • Changes in external and internal issues relevant to the ISMS.

  • Feedback on information security performance (non-conformities, corrective actions, results of surveillance assessments and measurements, etc.).

  • Feedback from interested parties.

  • The results of the risk assessment and the progress of the risk treatment plan.

  • Opportunities for continuous improvement of the ISMS.

Once again, each piece of information must be documented and retained as evidence of the conclusions of the management reviews.

For a more comprehensive overview of the key stages involved in implementing an ISMS and achieving ISO 27001 certification, please refer to our blog post "ISO 27001 certification: requirements and certification process".


Related blog posts:


Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!


Find out more about our ISO 27001 certification support service!


We need your answers!

By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!

Thank you for your responses!


Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!

Certification ISO 27001 et construction SMSI

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!




Commenting has been turned off.
bottom of page