The PDCA cycle (Plan-Do-Check-Act) is a four-stage model for continual improvement. Plan: set objectives and plan actions. Do: implement the actions. Check: measure and evaluate results. Act: turn findings into improvements and restart the cycle. ISO 27001 is built on the PDCA principle, even though the standard no longer names it explicitly. In practice, PDCA shows up when you analyze the cause of a security incident (Check), derive corrective actions (Act), and integrate them into the next planning period (Plan). The cycle ensures your ISMS continuously evolves and matures over time.