The Deming cycle: PDCA behind every ISO management system
Behind every ISO management system sits one simple idea: Plan-Do-Check-Act. Deming's cycle is why ISO standards demand not a one-time fix but continual improvement — and understanding it is the difference between holding a certificate and living the standard. It also tells an auditor exactly where the audit fits: auditing lives in Check.
Why PDCA matters for an audit
Every ISO management-system standard — quality (9001), information security (27001), environment (14001), occupational health & safety (45001), AI (42001), business continuity (22301), compliance (37301) — is built on the same Plan-Do-Check-Act loop. If you understand the loop, you understand what each standard is asking for and where your audit sits within it.
Plan — decide what good looks like
Understand your context, interested parties, risks, and obligations (ISO clauses 4–6).
Set policy, objectives, and the processes needed to meet them.
Define how you will measure success before you start.
Do — put the plan into operation
Implement the processes, controls, and resources you planned (ISO clauses 7–8).
Train people so they understand their role in the system.
Operate consistently and keep the records that prove it.
Check — find out whether it's working
Monitor, measure, and evaluate performance against your objectives (ISO clause 9).
Run internal audits — the structured check that surfaces gaps before a regulator does.
Review results with management to confirm the system is effective.
Act — close the gaps and raise the bar
Correct nonconformities and tackle their root causes (ISO clause 10).
Feed lessons back into the next Plan — the loop never stops.
Continually improve, so each cycle leaves the system stronger.
PDCA mapped to the ISO clauses
Every ISO management-system standard shares the same high-level structure (Annex SL), so this mapping holds across all of them:
PDCA stage | ISO clauses
Plan | Context (4), Leadership (5), Planning (6)
Do | Support (7), Operation (8)
Check | Performance evaluation (9) — including internal audit
Act | Improvement (10)
PDCA is why ISO certification is earned continuously, not once. Plan with intent, do it consistently, check it honestly, and act on what you learn — then go round again. The Check phase is where auditing lives, and a thorough, requirement-by-requirement checklist is what makes it rigorous.
This guide explains the method. To apply it across a whole regulation — every obligation scored and traceable — see the audit checklists, each with a free Regulatory Compliance Matrix you can review before buying.