An ISMS is only as good as its maintenance. "We have an information security policy" is not enough in an audit – the auditor wants to see that it is reviewed regularly (typically annually), adapted if necessary, and confirmed by top management. The same goes for ~20 additional asset classes: controls, procedures, risks, suppliers, BCDR plans.
The Unsolved Problem in Many Organizations
Reviews lapse because:
- There is no central calendar for "what needs to be reviewed when".
- Reminders via Excel plus Outlook appointments work only half-heartedly – and get ignored.
- Owners change, reviews become orphaned.
- Escalation on omission is not defined.
The auditor notices this at the latest when they ask for the "last review date" of all 80 policies as a CSV – and 30 % of them are older than 12 months.
What Integrated Review Cycle Management Delivers
- Frequency-based scheduling: configurable per asset/control/policy (monthly / quarterly / annually / any custom frequency X).
- Multi-channel reminders: mail, Slack webhook, Teams webhook, optional push notification to the web app. Reminder schedule customizable (e.g. 30-14-7-1 days before due date).
- Smart escalation: on a missed review, the system escalates by a defined schema – first the deputy owner, then the ISMS manager, then top management. No loop of polite reminders that drags on until the audit.
- Approval workflow: optional four-eyes approval on review completion. Important for high-risk assets (e.g. crypto key lifecycle, supplier security assessments).
- Dashboard and reporting: live metric "% on-time reviews", trend, workload distribution per owner. Auditor export button.
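The scheduling, reminder and escalation logic described above, as an added example written for this article (not the platform's own code): it reads a constructed "last review date" export of the kind an auditor would request, derives each item's due date from its frequency, the 30-14-7-1 reminder dates, the escalation target by days overdue (the day thresholds and role names are assumed), and the "% on-time reviews" metric.

```python
import csv
import io
from datetime import date, timedelta
# Constructed sample of an auditor-style "last review date" export (not real data).
SAMPLE_EXPORT = """id,name,owner,deputy,frequency,last_review
POL-01,Information security policy,alice,bob,annually,2024-02-10
POL-02,Access control policy,carol,dave,annually,2025-01-20
RISK-07,Supplier risk register,erin,frank,quarterly,2024-11-30
KEY-03,Key material inventory,grace,heidi,monthly,2025-02-14
"""
FREQUENCY_DAYS = {"monthly": 30, "quarterly": 91, "annually": 365}
REMINDER_OFFSETS = (30, 14, 7, 1)  # days before the due date, as described above
# Escalation chain by days overdue; the thresholds are assumed, not from the page.
ESCALATION = ((7, "deputy"), (14, "isms_manager"), (30, "top_management"))

def parse_export(text):
    return [dict(row, last_review=date.fromisoformat(row["last_review"]))
            for row in csv.DictReader(io.StringIO(text))]

def due_date(last_review, frequency):
    return last_review + timedelta(days=FREQUENCY_DAYS[frequency])

def reminder_dates(due):
    return [due - timedelta(days=d) for d in REMINDER_OFFSETS]

def escalation_target(days_overdue, row):
    """Owner until the review is overdue, then each step up the chain."""
    target = row["owner"]
    for threshold, role in ESCALATION:
        if days_overdue >= threshold:
            target = row["deputy"] if role == "deputy" else role
    return target

def review_status(rows, today):
    today = date.fromisoformat(today) if isinstance(today, str) else today
    out = []
    for row in rows:
        due = due_date(row["last_review"], row["frequency"])
        overdue = max(0, (today - due).days)
        pending = [r for r in reminder_dates(due) if r >= today]  # earliest first
        out.append({"id": row["id"], "due": due, "days_overdue": overdue,
                    "notify": escalation_target(overdue, row),
                    "next_reminder": pending[0] if pending else None})
    return out

def on_time_percentage(statuses):
    """Dashboard metric: share of items that are not overdue today."""
    on_time = sum(1 for s in statuses if s["days_overdue"] == 0)
    return round(100 * on_time / len(statuses), 1) if statuses else 100.0
```

Note that a leap year shifts a 365-day "annual" cycle one day earlier (POL-01 becomes due on 2025-02-09, not 02-10), which is why a platform should store the computed due date rather than recompute it ad hoc.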
Which Entities Are Covered
By default: assets, controls, policies, risks, suppliers/vendors, BCDR plans, procedures, documents, findings, audits. Customizable per tenant – anyone wanting to maintain an additional class (e.g. "key material") gets their own review type with their own frequency and own owner pool.
Compliance Mapping
ISO 27001 explicitly demands regular reviews (Cl. 9.1, A.5.36, A.8.34, etc.). NIS-2 requires continuous evaluation of measures (Art. 21(3)). GDPR Art. 32 demands regular review of the effectiveness of TOMs. A proper review cycle management covers all three in a single workflow.
Realistic Setup Effort
Three hours for the initial configuration of frequencies, one hour to define escalation rules, two hours for owner assignment. From then on there are no more manual reminders, and the ISMS maintenance effort shifts from administrative reminding to substantive reviewing.
Conclusion
Review cycle management is the link between "ISMS built" and "ISMS alive". A platform-based solution with frequency scheduling, multi-channel reminders, escalation, and reporting completely replaces Excel trackers and Outlook reminders – and turns the unpleasant "reviews are due again" quarterly feeling into a continuous, plannable process.