1. ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection — Information security management systems — Requirements. International Organization for Standardization / International Electrotechnical Commission.
Section 6, "Planning," specifically clause 6.1.3, "Information security risk treatment," requires the organization to select appropriate information security controls. The output of this process is the Statement of Applicability, which documents the necessary controls. This entire activity belongs to the 'Plan' phase.
2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.
Chapter 4, "The Plan Phase," details the activities required for planning the ISMS. It explicitly states that risk assessment and the selection and documentation of controls (in the risk treatment plan and Statement of Applicability) are core components of this phase.
3. Susanto, H., Almunawar, M. N., & Tuan, Y. C. (2011). Information Security Management System: A Case Study of the Government of Brunei Darussalam. International Journal of Computing and IT, 1(1), 23-40.
Section 3.1, "Plan Phase," maps the ISO 27001 clauses to the PDCA cycle. It identifies "selecting control objectives and controls" as a key activity within the 'Plan' phase, confirming that the selection and documentation of controls happens at this stage (p. 27).