1. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.
Section 0.2, "Plan-Do-Check-Act model": This section maps the clauses of the standard to the PDCA cycle. Clause 8, "Operation," is aligned with the 'Do' phase.
Clause 8.1, "Operational planning and control": This clause explicitly states, "The organization shall plan, implement and control the processes needed to meet information security requirements..." This confirms that implementation is the core of the 'Do' phase.
2. Calder, A., & Watkins, S. G. (2015). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (6th ed.). Kogan Page Publishers.
Chapter 9, "The PDCA cycle," p. 108: The text describes the 'Do' phase as the stage where "you implement your ISMS plan." This includes implementing the controls, processes, and policies defined in the planning stage.
3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.
Chapter 4, "The PDCA Process," Section 4.3, "Do": This section details that the 'Do' phase involves the implementation of the risk treatment plan and the controls selected during the 'Plan' phase. It is the execution stage of the ISMS project.