Setting review periods

In Kertos, you can assign a review period to your risks, assets, vendors, policies, and BIA entries. Once set, Kertos tracks when each one was last reviewed and notifies the responsible owner when the next review is due.

Why review periods exist

The frameworks Kertos supports - including GDPR, ISO 27001, SOC 2, NIS2, and DORA - treat your governance documentation as living content, not one-time deliverables. They require policies, risk assessments, asset inventories, vendor assessments, and related records to be reviewed at planned intervals or whenever significant changes occur.

The reason is practical. Your environment changes constantly: new threats emerge, vendors update their practices, assets are added and retired, business processes evolve. Documentation that isn't regularly revisited drifts from reality, and auditors consistently flag stale risk registers, outdated vendor reviews, and forgotten policies as findings - even when the original documentation was strong.

Why cadences differ

Not everything needs to be reviewed on the same schedule. A high-level policy may only require occasional confirmation, while a risk register often needs more frequent updates to stay relevant. Critical vendors may warrant tighter oversight than low-impact ones.

For this reason, Kertos lets you set review periods independently for risks, assets, vendors, policies, and BIA entries, so you can align the cadence with:

• How critical the item is and your internal risk appetite

• Specific framework or auditor expectations

• How quickly the underlying information tends to change

What happens when a review is due

When a review period elapses, the assigned owner is prompted to review the item. Reviewing it - whether to confirm it's still accurate or to make updates - creates an audit trail that demonstrates your documentation is actively maintained. That audit trail is what auditors look for when they ask "how do you keep this current?"