PDCA: The Engine of Every ISO Management System
Plan–Do–Check–Act. These four words describe one of the most enduring and practical frameworks in organizational management — a recursive cycle of planning, execution, evaluation, and improvement that sits at the heart of every ISO management system standard. Originally articulated by Walter Shewhart in the 1930s and popularized by W. Edwards Deming in post-war Japanese manufacturing, the PDCA cycle has since been adopted by ISO as the structural logic underlying all Annex SL management systems, including ISO 20000:2018.
Understanding how PDCA maps to the ISO 20000 clause structure is not merely an academic exercise. It reveals the operating rhythm of the SMS — the cadence of activities that must run continuously for the management system to function as a living system rather than a static documentation archive. Organizations that grasp this rhythm implement more effectively, manage their SMS more efficiently, and present far better evidence at certification audits than those who treat the standard as a checklist to be completed once.
This article explains each PDCA phase in the ISO 20000 context, maps each phase to the relevant clauses of the standard, and describes the specific activities, outputs, and evidence that each phase requires. It closes with practical guidance on establishing the PDCA rhythm in your organization.
The PDCA Cycle and ISO 20000 Clause Mapping
ISO 20000-1:2018 does not use the words Plan, Do, Check, and Act as section headings, but its clause structure maps directly to the four phases. Clause 6 (Planning) is Plan. Clause 8 (Operation) is Do. Clause 9 (Performance Evaluation) is Check. Clause 10 (Improvement) is Act. Clauses 4, 5, and 7 provide the organizational context, leadership commitment, and enabling resources that make the cycle possible at all.
| PDCA Phase | ISO 20000 Clauses | Core Activities |
|---|---|---|
| Plan | Clause 4, 5, 6 | Define context and scope, set policy and objectives, assess risks, produce service management plan |
| Do | Clause 7, 8 | Allocate resources, build competence, implement service management practices and processes |
| Check | Clause 9 | Monitor and measure service performance, conduct internal audits, hold management reviews |
| Act | Clause 10 | Address nonconformities, implement corrective actions, drive continual improvement |
Plan: Establishing the Foundation
The Plan phase is where the SMS is designed and its direction is set. It begins with Clause 4 — understanding the organization’s internal and external context, identifying the interested parties whose needs shape the SMS, and defining the scope of the SMS. These activities produce the boundary conditions within which the SMS will operate: which services are included, which customers are covered, which regulatory requirements apply, and which organizational units are within scope.
With the scope established, Clause 5 places the responsibility for the next step squarely on top management. Leadership must commit to the SMS actively — not merely endorse it — by establishing the service management policy, assigning accountabilities, and allocating resources. The service management policy is the authoritative statement of organizational intent: it declares the organization’s commitment to meeting service requirements, to continual improvement, and to achieving the service management objectives that will be set in Clause 6.
Clause 6 completes the Plan phase with three requirements. First, identifying the risks and opportunities that could affect the SMS — risks of failing to deliver services at required levels, risks of non-compliance with regulatory requirements, opportunities to improve service quality or efficiency. Second, establishing measurable service management objectives aligned to organizational strategy: specific, time-bound targets that give the SMS a direction and a definition of success. Third, producing the service management plan: the documented plan that describes how objectives will be achieved, who is responsible, what resources are required, and what the timeline looks like.
| KEY CONCEPT | The service management plan is the most important output of the Plan phase. It is not a static document created once during implementation — it is a living plan that evolves as the SMS matures, objectives are updated, and the service portfolio changes. Auditors check that it is current, governed, and genuinely used as a management instrument, not filed away after implementation. |
Do: Implementing and Operating the SMS
The Do phase is where the SMS comes to life in practice. It encompasses Clause 7 (Support) and Clause 8 (Operation) — the resources, competence, and awareness infrastructure of Clause 7, and the full service management practice requirements of Clause 8.
Clause 7 is the enabling layer of the Do phase. Resources must be determined and provided: people with the right skills, tools that support service delivery and management, infrastructure that the SMS depends on. Competence requirements must be identified and met: service management staff need demonstrable knowledge and skills, and training records and competence evidence must be maintained. Awareness must be built across the organization so that everyone contributing to the SMS understands the service management policy, their role in SMS effectiveness, and the consequences of not conforming to requirements. And the documented information required to support the SMS must be created, controlled, and maintained.
Clause 8 is the operational heart of the Do phase. It is where service management practices are actually executed: incidents are classified, escalated, and resolved; problems are investigated and root causes eliminated; changes are assessed, approved, and implemented; configurations are tracked and verified; releases are tested and deployed; customers are engaged through formal service reviews; suppliers are managed through contractual and performance mechanisms; and new services are designed, built, and transitioned into operation. Every activity in Clause 8 generates records — the operational evidence that demonstrates the SMS is running, not merely documented.
The Operational Rhythm of the Do Phase
Effective SMS operation is not a continuous undifferentiated flow of activity. It has a rhythm — different activities occurring at different cadences, generating different types of evidence. Understanding this rhythm helps organizations structure their SMS operations efficiently and ensures that the evidence base builds naturally rather than requiring frantic reconstruction before audits.
Daily activities include incident logging, classification, and resolution; service request handling; monitoring of service availability and performance indicators; and change implementation against the approved schedule. Weekly activities typically include incident trend review, open problem review, change advisory board meetings (or equivalent change approval activity), and SLA performance tracking. Monthly activities include formal service level reporting to customers, supplier performance review, problem management trend analysis, and update of the improvement register. Quarterly activities commonly include customer satisfaction measurement, SMS objective progress review, and update of the service management plan.
| Cadence | Typical SMS Activities | Evidence Generated |
|---|---|---|
| Daily | Incident management, service request fulfillment, availability monitoring, change implementation | Incident records, service request records, availability data, change records |
| Weekly | Incident trend review, problem review, change advisory board, SLA tracking | CAB minutes, problem review notes, weekly SLA dashboard |
| Monthly | SLA performance reporting, supplier review, improvement register update | Monthly service report, supplier scorecards, improvement log |
| Quarterly | Customer satisfaction survey, objective progress review, service management plan update | Satisfaction results, objective dashboard, updated SMP |
| Annually | Full service portfolio review, SLA renegotiation, competence assessment | Service portfolio document, revised SLAs, competence matrix |
Check: Monitoring, Auditing, and Reviewing
The Check phase is where the organization steps back from day-to-day operations and evaluates systematically whether the SMS is performing as required. Clause 9 contains three distinct Check mechanisms, each providing a different lens on SMS performance: ongoing monitoring and measurement (Clause 9.1), internal audit (Clause 9.2), and management review (Clause 9.3).
Clause 9.1 (Monitoring, Measurement, Analysis, and Evaluation) requires the organization to determine what needs to be monitored and measured, how it will be measured, when it will be done, and when the results will be evaluated. In service management practice, this translates to service performance dashboards, SLA compliance tracking, availability reports, incident volume and resolution time trends, customer satisfaction scores, and supplier performance metrics. The key requirement is that the organization has defined in advance what it will measure and why — measurement should be purposeful, not reactive.
Clause 9.2 (Internal Audit) requires a planned program of internal audits covering all requirements of ISO 20000-1:2018 over the audit cycle. Internal audits are conducted by competent auditors who are independent of the activities being audited — they are not operational management reviewing their own work. They examine documented information, interview staff, and observe processes to determine whether the SMS conforms to the standard’s requirements and is effectively implemented and maintained. Audit findings — nonconformities and observations — feed directly into the Act phase.
Clause 9.3 (Management Review) requires top management to review the SMS at planned intervals — typically annually, though more frequent reviews are common in the early years of an SMS. The management review has a defined set of inputs specified by the standard: internal and external issues relevant to the SMS, feedback from customers and interested parties, service performance data, audit results, nonconformity and corrective action status, improvement actions, and changes that could affect the SMS. The outputs — decisions and actions taken in response to these inputs — must be documented and followed up.
| IMPORTANT | Management review is a frequently underestimated requirement. It is not a service performance meeting, a project status update, or an executive briefing. It is a formal governance review of the SMS itself — its continuing suitability, adequacy, and effectiveness — by the people who own it: top management. Auditors test both that it happened and that it covered all the required inputs and produced documented outputs with follow-up evidence. |
Act: Improving the SMS
The Act phase closes the PDCA loop by translating Check phase findings into improvements. Clause 10 contains two requirements: nonconformity and corrective action management (Clause 10.1) and continual improvement (Clause 10.2).
Clause 10.1 requires the organization to respond to nonconformities — instances where SMS requirements are not met — with a structured corrective action process. When a nonconformity is identified (in an internal audit, a customer complaint, a management review, or operational monitoring), the organization must react to control and correct it, determine whether similar nonconformities exist or could occur elsewhere, implement actions to address the root cause, verify that the corrective action was effective, and update the SMS if necessary. Records of nonconformities and corrective actions must be retained as documented information.
Clause 10.2 requires the organization to continually improve the SMS — to make it progressively more suitable, adequate, and effective over time. Continual improvement is broader than corrective action: it includes proactive identification of improvement opportunities from any source (not just nonconformities), prioritization of those opportunities, implementation of improvement actions, and measurement of whether improvements achieved their intended effect. The improvement register is the standard vehicle: a living document that captures all improvement opportunities, their status, owners, and outcomes.
The PDCA Cycle in Practice: Establishing the Rhythm
The PDCA cycle is not a one-time event — it is a continuous operating rhythm that runs at multiple timescales simultaneously. At the macro level, the full cycle runs annually: the organization plans its SMS objectives and service management plan for the year (Plan), operates the SMS through the year (Do), evaluates performance through monitoring, internal audit, and management review (Check), and makes improvements based on what it learned (Act). At the micro level, the cycle runs on every individual service management practice: an incident management process is planned, executed, evaluated against targets, and improved based on performance data.
Organizations that understand this multi-timescale rhythm manage their SMS efficiently because they build the Check and Act activities into their normal operating calendar — not as bolt-on compliance activities performed before audits, but as genuine management disciplines that generate continuous performance insight. The internal audit program is planned at the start of each year and executed throughout. The improvement register is updated continuously. Management review is scheduled and prepared for in advance. SLA performance is reported and reviewed monthly.
| BITLION INSIGHT | Bitlion GRC Platform operationalizes the PDCA rhythm for ISO 20000 through automated service performance dashboards, a pre-built internal audit program with ISO 20000 clause coverage, an integrated improvement register with owner assignment and outcome tracking, and management review agenda templates with all Clause 9.3 required inputs pre-populated. Organizations using Bitlion report that management reviews become genuinely useful governance forums rather than compliance formalities. |
PDCA and the Multi-Standard Environment
For organizations implementing ISO 20000 alongside ISO 27001 or ISO 22301, the PDCA cycle provides additional integration value. Because all three standards use the same HLS clause structure and therefore the same PDCA logic, a single integrated management system can run a unified PDCA cycle covering all three standards simultaneously. A combined internal audit program covers ISO 20000, ISO 27001, and ISO 22301 in a single planned schedule. A combined management review covers all three systems in a single top management forum, with inputs from all three standards’ monitoring and measurement requirements. A single improvement register captures improvements relevant to any or all of the three systems.
This integration reduces the administrative overhead of managing multiple certifications significantly. Rather than running three separate PDCA cycles with three separate audit programs, three separate management reviews, and three separate improvement registers, the organization runs one integrated cycle that covers all three. Article 3.8 covers integrated management system design in depth for organizations pursuing this approach.
What Breaks the Cycle — And How to Fix It
The PDCA cycle breaks in predictable ways that experienced auditors recognize immediately. The most common failure is a gap between Plan and Do: service management processes are planned and documented but not consistently executed. Staff do not follow documented procedures, records are not maintained, and the documented SMS diverges progressively from how the organization actually operates. The fix is governance: management must create accountability for following SMS procedures and must routinely check through monitoring and internal audit that procedures are being followed.
A second common failure is a gap between Do and Check: the organization operates its service management practices but does not measure performance systematically or honestly. SLA performance is not tracked against targets, incident trends are not analyzed, and internal audits are not conducted. The SMS runs on autopilot without feedback. The fix is building the Check activities into the operating calendar with assigned owners and defining in advance what will be measured and how.
The third common failure is a gap between Check and Act: performance issues and audit findings are identified but not acted upon. Corrective action processes exist on paper but are not followed through to verified closure. Improvement opportunities are logged but not prioritized or resourced. The management review produces decisions that are never implemented. The fix is closing the loop: every finding must have an owner, a deadline, and a verification mechanism. The improvement register must be reviewed at every management review meeting and its status must be tracked.