Is the annual cycle just a buzzword? No, it's a key to progress

As an information security officer, it can be challenging to make daily efforts visible to management. How do you show everything that happens behind the scenes? The answer might be surprisingly simple: the annual cycle, a clear and effective tool for creating structure, visibility, and overview.

Published: June 3, 2025
By Gry Josefine Løvgren, Content Specialist

Gry Josefine Løvgren is a content specialist at Wired Relations, where she writes about all things GRC, data protection, and cybersecurity for our blog and social media channels. She holds a journalism degree from Roskilde University and uses her professional expertise to communicate complex topics in an engaging and easy-to-understand way.

An annual cycle is far from just another buzzword. It’s a structured way to plan, communicate, and prioritise security tasks – and a powerful framework for discussing the daily operational work with leadership. That’s the opinion of Jacob Høedt Larsen and Marie Bjerre Simonsen from Wired Relations, who recently discussed the value and application of the annual cycle in a webinar.

“Sometimes it’s a challenge in our role as information security professionals to make all the daily tasks visible. We know we need to comply with regulations or meet an ISO standard – and we have to both implement and document that. But there are a lot of operational tasks involved in maintaining and running a compliance setup,” says Marie Bjerre Simonsen.

Multiple cycles – multiple perspectives

When creating an annual cycle (which doesn’t have to be round, by the way), it’s important to remember that there isn’t just one cycle – but many. You might have one for risk management, one for data protection, and one for audits. And that makes sense – because security work is cross-functional, and annual cycles help break down silos between operations and projects.

Some activities take place quarterly, others once a year. What they all have in common is that they require visibility and structure – both to ensure quality and to assess whether the resources are sufficient.

How do you get started?

A good annual cycle is created in close collaboration between the compliance team and leadership. It should reflect both strategic goals and day-to-day realities. So in the end, it is not just about presenting the team’s work to leadership.

“There’s also a perspective from the other side. Management has certain expectations for information security and the broader GRC and compliance area. So when we look at the cycle from above, we also need to ensure we’re using our resources in line with management’s priorities and expectations,” says Jacob Høedt Larsen.

Another important point is to make sure that the cycle doesn’t become static. Many factors can affect the plans, so regular evaluation is essential. At a minimum, the cycle should be reviewed and adjusted once a year.

At the core of information security is the desire to continuously improve. And that’s exactly what the annual cycle supports – helping us do things a little better than we did last year.
