Back to Basics… PDCA: The Foundational Cycle of IT Best Practices

Written by:

Senior Consultant
Sapience Consulting

A split image featuring a professional Asian man in an IT setting on the left and the same man laughing while playing foosball on the right. In the center, a circular PDCA (Plan, Do, Check, Act) diagram with a glowing orb acts as a bridge between the two scenes. The text overlay reads "Back to Basics: Plan-Do-Check-Act," and the Sapience logo is in the bottom right corner.

Are you not bad at some hobby that you truly enjoy? Whatever it is: badminton, bridge, painting, baking, etc. Have you ever wondered what would happen if you took it seriously? A friend from my university days is doing just that! He decided to take a 1-year mid-career break from an IT managerial role (he is in his 40s) and dedicated it to … foosball! (aka table football, table soccer)

I met up with him recently. It has been nearly a year since his sabbatical began. To recount his achievements, he is in the Canadian National Team, he has competed in over 20 tournaments across North America and Europe (according to him, Germany is the hot spot) and his world rankings are about 100 across singles, doubles and combined (honestly, I had no idea of the scale and degree of seriousness of foosball prior to our meet-up).

I casually asked him, "What strikes you the most about the past year?" He replied with a sombre expression, "Back to basics! I practice every single day for an hour or 2 to bring the ball as SLOWLY as possible with a figure across the table. I only appreciate the basic movement after 20/30 years of high-intensity fast plays."

This reminds me of martial arts masters starting the day with squatting and Olympic swimmers starting with kicking drills. 

Back to Information Technology, I reflect on the topics that I cover: Cybersecurity, Risk Management, Service Management, SDLC (software development lifecycle), Project Management, Governance, etc. I often share with customers: if you see a cyclic diagram, you see PDCA (plan-do-check-act) in it. I’d say PDCA is indeed the ‘basic’ of a lot of best practices.

A simple, circular diagram illustrating the four stages of the PDCA (Plan, Do, Check, Act) cycle with arrows showing the continuous flow. The text overlay reads "PDCA: PLAN, DO, CHECK, ACT."
PDCA: PLAN, DO, CHECK, ACT

Take a GenAI adoption initiative as an example. Organisations go through:

  1. Plan – Establish objectives and processes required to deliver the desired results.
    What is the problem we are trying to solve? Who is going to do what? When are we going to do everything? How are we putting things together? The degree of planning depth and formality definitely varies according to the scale of the initiative.

  2. Do – Carry out the objectives from the previous step.
    Mobilise people, processes, products and partners to follow the plan.

  3. Check – The data and results gathered from the do phase are evaluated. Data is compared to the expected outcomes to see any similarities and differences.
    Possibly weekly, biweekly or monthly, we gather updates about the initiative. In the meantime, we also consider macro-factors around it, e.g. organisational priorities, stakeholder input, any changes that impact us, etc.

  4. Act – Records from the “do” and “check” phases help identify issues, problems, non-conformities, opportunities for improvement, inefficiencies, etc. Adjust accordingly.
    Adjust the course of action, carry on, or wrap it up if we meet the conditions (including early termination scenarios).

The PDCA cycle may repeat itself as needed – 

(Please note, I took the liberty of mapping the frameworks loosely. Definitely, there are areas of overlap.) 

A horizontal infographic showing a series of three circular PDCA (Plan, Do, Check, Act) cycles, with an arrow indicating a repetitive flow. The first cycle is labeled "1," the second is labeled with an ellipsis, and the final one is labeled "n," with a green banner indicating "Solved!". This visual represents the iterative nature of the PDCA cycle until a desired outcome is achieved.
The PDCA cycle is an iterative process.
As seen in a GenAI adoption initiative, it repeats itself as needed until the objectives are met and a solution is implemented.
A circular diagram of the NIST Cybersecurity Framework. The inner ring is labeled "GOVERN," while the outer ring has five segments labeled "IDENTIFY," "PROTECT," "DETECT," "RESPOND," and "RECOVER." This represents the core functions of the framework.
Applying the PDCA cycle to the NIST Cybersecurity Framework 2.0 helps organisations continuously manage and improve their cybersecurity posture.

Here is PDCA applied to the NIST Cybersecurity Framework:

| PDCA | NIST Cybersecurity Framework 2.0 |
| --- | --- |
| Plan | GOVERN – Provide outcomes to inform what an organisation may do to achieve and prioritise the outcomes. |
| Do | IDENTIFY – Understanding the organisation’s assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks enables an organisation to prioritise its efforts. |
| Do | PROTECT – support the ability to secure those assets to prevent or lower the likelihood and impact of adverse cybersecurity events. |
| Check | DETECT – enable the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events. |
| Act | RESPOND – support the ability to contain the effects of cybersecurity incidents. |
| Act | RECOVER – support the timely restoration of normal operations. |

A circular diagram of the NIST Risk Management Framework (RMF). The central orange ring is labeled "NIST RMF," while the outer black ring lists the seven steps: "PREPARE," "CATEGORIZE," "SELECT," "IMPLEMENT," "ASSESS," "AUTHORIZE," and "MONITOR." This represents the cyclical process of the framework.
See how the NIST Risk Management Framework's steps align with the PDCA cycle for effective security and privacy risk management.

Let’s see how PDCA plays out with the NIST Risk Management Framework

| PDCA | NIST Risk Management Framework |
| --- | --- |
| Plan | PREPARE – Establishing a context and priorities for managing security and privacy risk. |
| Plan | CATEGORISE the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. |
| Do | IMPLEMENT the controls and describe how the controls are employed within the system and its environment of operation. |
| Check | ASSESS the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes. |
| Act | AUTHORISE the system or common controls based on a determination that the risk to organisational operations and assets, individuals, other organisations, and the Nation is acceptable. |
| Act | MONITOR the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system. |

A flowchart diagram of the ITIL Continual Improvement Model. It lists seven steps in a cycle: "What is the vision?", "Where are we now?", "Where do we want to be?", "How do we get there?", "Take action", "Did we get there?", and "How do we keep the momentum going?". Arrows show the cyclical flow of the model.
The ITIL Continual Improvement Model’s seven steps map directly to the PDCA cycle for continuous improvement.

Time to visit the ITIL continual improvement model –

| PDCA | ITIL Continual Service Improvement Model |
| --- | --- |
| Plan | What is the vision? Figure out business vision, mission, goals and objectives. |
| Plan | Where are we now? Perform baseline assessments. |
| Plan | Where do we want to be? Define measurable targets. |
| Plan | How do we get there? Define the improvement plan. |
| Do | Take action – Execute improvement actions. |
| Check | Did we get there? Evaluate metrics and KPIs. |
| Act | How do we keep the momentum going? Determine next course of action. |

A circular diagram of the Software Development Life Cycle (SDLC). It lists six stages in a cycle: "Requirements gathering and analysis," "Planning and design," "Development," "Testing and quality assurance," "Deployment and implementation," and "Maintenance and support." This represents the cyclical process of software development.
The SDLC applies the PDCA cycle for a structured, high-quality approach to software development.

When it comes to software development –

| PDCA | Software Development Life Cycle (SDLC) |
| --- | --- |
| Plan | Requirements gathering and analysis – understand the client’s requirements and objectives. |
| Plan | Planning and design – outline the development roadmap, including timelines, resource allocation, and deliverables. |
| Do | Development – code. |
| Check | Testing and quality assurance – to ensure the software’s reliability, performance, and security, rigorous testing and quality assurance (QA) processes are carried out. |
| Act | Deployment and implementation – go live. |
| Act | Maintenance and support – address any issues, enhance performance, and incorporate future enhancements. |

A diagram showing the Scrum workflow as a continuous cycle. The cycle has four phases: Sprint Planning, Daily Scrum, Sprint Review, and Sprint Retrospective. Text boxes describe the key activities of each phase, with arrows indicating the circular, iterative nature of the process. An additional box highlights "Backlog refinement."
The Scrum framework is a simple but powerful process for complex projects. This diagram outlines the core events and how they form a continuous loop to deliver value incrementally.
A diagram of the COBIT 2019 framework's core governance and management objectives. The model shows five distinct phases in a vertical stack: Evaluate, Direct and Monitor; Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess.
The COBIT 2019 Core model outlines the five key domains for governance and management objectives in a framework designed to help enterprises govern and manage their information and technology.

The PDCA concept is definitely applicable to the world of Agile and Governance as well. I often repeat ‘Agile is a series of mini lightweight SDLC, in principle.’ (I cannot recall where I heard this from.)  

The point of highlighting the common fundamental elements (PDCA) across various frameworks is to emphasise the cyclical nature of best practice adoption (continual improvement!), not to dismiss the variation and uniqueness that each framework presents.

The world is changing at a lightspeed pace. Often, we feel as soon as a plan is drawn up, the next moment something would come up to invalidate it. However, spearing ahead without a plan (at least high-level or rough order) is not wise, either. Adjusting the Plan-Do-Check-Act cycle to cope with changes and realign with the goals has remained the true north. 

Epilogue

As the foosball friend is approaching the end of his 1-year break (at the moment of writing this piece), he has not yet decided if he’d return to work. He is actively participating at the federation level to bring up the viewership and commerciality, coaching the up-and-coming players, (potentially) working on an e-foosball (virtual reality) game, and practicing the basics every day.
