Audit Cycles
An audit cycle is a time-bound period within an audit program that organizes when audit activities happen. Cycles are typically quarterly, semi-annual, or annual, and each cycle can contain one or more audit instances.
Audit Program (3-Year ISO 27001 Program)
├── Audit Cycle (Q1 2026 Internal Audit)
│ ├── Audit Instance (IT Access Controls Audit)
│ └── Audit Instance (Network Security Audit)
├── Audit Cycle (Q2 2026 Internal Audit)
│ └── Audit Instance (Data Protection Audit)
└── Audit Cycle (Q3 2026 Internal Audit)
└── Audit Instance (Incident Management Audit)Creating a cycle
Open a program
Navigate to Assurance Reviews → Audit Programs, select a program, and click Create Cycle.
Configure cycle details
Enter a descriptive name (e.g., “Q1 2026 Internal Audit”), a description of what the cycle will cover, and start and end dates.
Set the timeline
Choose dates that align with your cycle pattern. Common durations are quarterly (3 months), semi-annual (6 months), and annual (12 months).
Save the cycle
Review all information and click Save. The cycle is created and ready for audit instances.
Cycle patterns
| Pattern | Frequency | Best for |
|---|---|---|
| Quarterly | 4 per year | Regular focused audits with different areas each quarter |
| Semi-Annual | 2 per year | Comprehensive audits requiring more time for execution |
| Annual | 1 per year | Full certification cycles or comprehensive annual audits |
Cycle lifecycle
Cycles follow the same progression as programs: Planning → In Progress → Review → Completed (or Cancelled). All instances within a cycle should complete before the cycle’s end date.
Best practices
Use consistent naming conventions (e.g., “Q1 2026”, “Annual 2026”) so cycles are easy to identify and track. Set realistic dates that allow sufficient time for all planned instances to complete, including review and reporting. Plan which audit instances will run in each cycle to ensure comprehensive coverage and avoid scheduling conflicts. Monitor cycle progress regularly to identify delays early.
Next steps
Within each cycle, create audit instances to execute specific audits.