A review is the moment when you look again at a risk or control to decide: still relevant, up-to-date, effective? Without periodic reviews, your register becomes a museum — and NIS2 / ISO 27001 will hold that against you.
Security is not a steady state. Threats evolve, your business changes, your controls drift (turnover, configuration drift...). Without reviews, you fall behind without noticing.
- For high cyber risks (score ≥ 12) — they move fast. Recommended for critical technical controls (MFA, EDR, backup).
- For mid-tier operational and compliance risks.
- Minimum required by NIS2 and ISO 27001 for any risk/control in the register. Bundle this with audit prep.
- After an incident, a major change (move, new supplier, M&A), or new regulation.
- Still valid as-is. Document the review anyway (date, performed by X).
- Probability, impact, linked controls or free text changed. The audit log keeps track of what changed.
- The reviewer feels the call is beyond their level (extra budget needed, business decision...).
- Risk/control no longer applies (activity stopped, technology decommissioned). History kept for traceability.
When you set a review frequency on a risk (or control), NIS2YOU computes the next review date and sends:
- A notification 7 days before due date
- A notification on the day
- An overdue notification until the review is done
Find all items pending review in the Reviews page.
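As an added illustration of the scheduling rules above (example code, not NIS2YOU's own), here is a small Python model of the review cycle: the next review date computed from the last review plus a cadence, the three notifications (7 days before, on the day, overdue until done), the list of items pending review, and how a recorded outcome changes the schedule. The cadence values, the outcome names (confirmed, updated, escalated, retired) and the rule that an escalation leaves the due date unchanged are assumptions, not taken from the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REMINDER_DAYS_BEFORE = 7  # first notification fires 7 days before the due date


@dataclass
class RegisterItem:
    """A risk or control in the register (constructed sample, not NIS2YOU's data model)."""
    name: str
    last_review: date
    frequency_days: int            # review cadence in days; assumed value, page gives none
    retired: bool = False          # a retired item is no longer scheduled but keeps its history
    history: list = field(default_factory=list)

    def next_review(self):
        """Next due date, or None once the item has been retired."""
        if self.retired:
            return None
        return self.last_review + timedelta(days=self.frequency_days)


def notification_for(item, today):
    """Which notification fires for `item` on `today`: 'upcoming', 'due', 'overdue' or None."""
    due = item.next_review()
    if due is None:
        return None
    if today == due - timedelta(days=REMINDER_DAYS_BEFORE):
        return "upcoming"
    if today == due:
        return "due"
    if today > due:
        return "overdue"           # repeats every day until a review is recorded
    return None


def pending_reviews(items, today):
    """Names of items that are due today or overdue, i.e. what a Reviews page would list."""
    return [i.name for i in items if i.next_review() is not None and i.next_review() <= today]


def record_review(item, reviewed_on, outcome, reviewer, note=""):
    """Log the review (date, performed by whom, outcome) and update the schedule.

    Assumed outcome names: confirmed / updated restart the cadence, escalated keeps the
    item pending with the same due date, retired stops scheduling but keeps the history.
    """
    if outcome not in {"confirmed", "updated", "escalated", "retired"}:
        raise ValueError(f"unknown outcome: {outcome}")
    item.history.append({"date": reviewed_on, "by": reviewer, "outcome": outcome, "note": note})
    if outcome == "retired":
        item.retired = True
    elif outcome in {"confirmed", "updated"}:
        item.last_review = reviewed_on   # next review date is recomputed from here
```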