Mature regulated organisations have a tell. Ask them when their next audit is, and they shrug. Ask them what would happen if the auditor showed up tomorrow, and they shrug again. The conversation moves on. Their operational rhythm has absorbed the audit. They cannot tell you when the next one is because they cannot tell you when the last one ended; the controls run on Wednesdays the same way they run any other day, and the evidence has been produced continuously enough that pulling it for an examination is a query, not a project.

This is the operational destination behind every "continuous compliance" pitch and every "audit-as-a-byproduct" framing of the last five years. The companion article on audit-grade evidence as a continuous output covered why the architectural foundation matters: the platform has to emit the evidence. This piece is the other half. The platform's emission only pays off when the operating organisation consumes it on the cadence the frameworks now expect, and the cadence is no longer annual. It is daily for log review, weekly for change-and-tamper detection on critical surfaces, monthly for privileged-access reconciliation, quarterly for vulnerability scans and access recertifications, and annually only for the strategic pieces (risk assessment, full BCP exercise, board operational-resilience review).

This article walks through what each major framework now expects by cadence, what daily through annual rituals a mature regulated organisation actually runs, where most operational rhythms break in practice, and why the real 2024 and 2025 breaches were operational-rhythm failures more often than they were technical failures.

From scramble to rhythm

The dominant compliance posture for two decades was project-based. The organisation maintained controls, the framework defined an audit cadence (annual for SOC 2 Type II, three-yearly for ISO 27001 certification with annual surveillance, annual for PCI DSS, varying for sectoral regimes), and the operational rhythm of the company was decoupled from the audit rhythm. When fieldwork was announced, the compliance team would book the window, alert engineering, and start the rolling exercise of pulling screenshots, exporting access lists, drafting policy attestations, and collecting signed approvals.

That model is being retired. Three forces converged. First, the architectural shift covered in the continuous evidence article means platforms now emit evidence by default, and auditors are correlating it across artefacts. Second, breach-notification windows compressed to twenty-four and seventy-two hours under NIS2 and GDPR, and the companion article on breach reporting covers why operational scoping at sub-day speed is now mandatory. Third, the frameworks themselves added explicit daily, weekly, and monthly cadence requirements that no annual project can satisfy.

The destination is operational, not procedural. Big-4 audit advisory has been describing this shift for several years; Gartner formalised it as "Continuous Controls Monitoring" (CCM) and forecasts that by 2028 sixty-five percent of organisations will have integrated compliance automation into DevOps workflows, with seventy-five percent of those processes AI-assisted. The framing is: compliance moves from reactive audit exercise to continuous operational process embedded in delivery. The audit becomes verification rather than collection.

What the major frameworks now require by cadence

The pattern is consistent across jurisdictions. The vocabulary differs. The direction does not.

SOC 2 Type II (United States, AICPA). The Type II report is, by definition, a test of operating effectiveness throughout a specified period (typically six to twelve months). The 2022 revised points of focus for CC4 Monitoring Activities expanded guidance on combining "ongoing evaluations" (continuous) with "separate evaluations" (point-in-time) such as penetration tests, ISO certifications, and internal audits. CC4.2 requires deficiencies to be communicated "in a timely manner". The framework does not prescribe fixed frequencies, but auditors looking at a Type II in 2026 expect the de-facto rhythm of daily SIEM triage, weekly vulnerability triage, monthly privileged-access reviews, quarterly full user-access recertifications, quarterly internal audit sub-areas, semi-annual phishing simulations, and an annual full risk assessment refresh.

ISO 27001:2022 (international). Clause 9.1 Performance Evaluation requires the organisation to determine what is monitored, the method, the timing, the responsible roles, when results are analysed, and by whom; documented information must be retained as evidence. Clause 9.2 requires a planned internal audit programme at planned intervals. Clause 9.3 requires top management to conduct management review at planned intervals with explicit inputs (status of risks, audit results, nonconformities, opportunities for improvement). Control A.5.36 Compliance with Policies, Rules and Standards adds an expectation of regular operational compliance checks by managers, not just annual audit findings. Industry norm: full ISMS internal audit annually, rolling sub-area audits quarterly, management review quarterly minimum for volatile sectors, with continuous technical compliance through vulnerability scans and log reviews.

PCI DSS 4.0.1 (international, payments). This is the most cadence-explicit framework. Effective from 31 March 2025, the cadences are mandatory. Requirement 10.4.1.1 mandates daily audit-log review via automated mechanisms (manual daily review is no longer acceptable). Requirement 11.6.1 requires change-and-tamper detection on payment pages every seven days, or at a frequency justified by a Targeted Risk Analysis. Requirement 8.2.6 requires inactive user accounts to be removed or disabled within ninety days. Requirement 8.3.10.1 requires service-provider password rotation every ninety days where passwords are the only authentication factor. Requirements 11.3.1 and 11.3.2 require quarterly internal authenticated vulnerability scans and external ASV scans, plus after any significant change. Requirement 11.4.6 requires service-provider segmentation testing every six months (annually for merchants). Requirement 12.3.1 requires Targeted Risk Analyses reviewed every twelve months. Requirement 12.4.2 requires quarterly service-provider personnel-adherence reviews. Requirement 12.5.2 requires annual scope confirmation (every six months for service providers). Requirement 12.10.2 requires the incident response plan tested at least annually.

NIST CSF 2.0 and SP 800-53 (United States). CSF 2.0 Implementation Tier 3 (Repeatable) requires consistent, documented, traceable processes; Tier 4 (Adaptive) expects the organisation to use real-time or near-real-time information to manage cyber risk and continuously adjust. NIST SP 800-137 Information Security Continuous Monitoring requires the organisation to define metrics, status monitoring frequencies, and control assessment frequencies, all revisited as risk tolerance, threats, and the environment change. NIST SP 800-53 Rev 5 CA-7 Continuous Monitoring expects ongoing assessment at frequencies sufficient to support risk-based decisions; AU-6 expects audit-record review at organisation-defined frequency; PM-14 expects testing, training, and monitoring plans consistent with risk strategy. The FedRAMP Moderate baseline operationalises this as monthly vulnerability scans, monthly POA&M updates, annual penetration test, annual contingency plan test, and continuous CSO monitoring.

NIS2 directive (European Union). Article 21(2)(f) requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures", which is the legal hook for continuous rather than point-in-time assessment. Article 21(2)(g) covers basic cyber hygiene and training; ENISA guidance pushes toward at least an annual exercise programme with quarterly tabletops on critical-function components. Article 23 sets the 24-hour early warning, 72-hour incident notification, and 1-month final report cadence. A 24-hour window does not survive a weekly SIEM review rhythm; daily detection rhythm is the only operational shape that supports it. Member State enforcement through 2025 has flagged static annual risk registers and pre-audit gap analyses as insufficient under Article 21(2)(f).

FINMA Circular 2023/1 (Switzerland). In force from 1 January 2024, the circular requires the board of directors to approve critical functions and tolerances for disruption at least annually and to receive reports on operational resilience at least annually plus after every incident. Business continuity and disaster recovery plans must be reviewed and updated at least annually. The ability to continue critical functions under "severe but plausible scenarios" must be tested and practised on a regular basis; industry interpretation is at least one annual full-scenario exercise plus quarterly component-level testing. Continuous monitoring of resources supporting critical functions (people, processes, technology, data, third parties, infrastructure) is the underlying expectation. FINMA Guidance 05/2025, effective 1 January 2026, tightened these expectations after a 267-institution survey found most firms had policy artefacts but lacked the operational telemetry to evidence they were within tolerance day to day.

ADHICS V2 (United Arab Emirates). The Abu Dhabi healthcare standard is one of the few regimes that bakes an explicit quarterly cadence into the framework itself. Mandatory annual independent compliance audit plus quarterly self-assessment by the entity against the ADHICS controls, plus breach notification to the Department of Health within 24 to 72 hours, plus continuous monitoring of protected health information access. The quarterly self-assessment is the distinguishing operational feature; entities filing one cannot reconstruct a quarter's worth of evidence in a week, so the underlying daily and weekly rhythm has to exist.

SAMA Cyber Security Framework (Saudi Arabia). Domain 4 Operations and Technology mandates 24/7 Security Operations Centre operations with SIEM and real-time alerting. Continuous vulnerability management with quarterly assessments at minimum. Annual perimeter penetration testing, more frequent for critical applications. SAMA examinations include annual onsite inspection plus ad-hoc supervisory inspections that can land at any time; the operational rhythm has to keep the institution in an inspection-ready state continuously, because supervisory notice can be hours, not weeks.

Eight frameworks, six jurisdictions. The cadence requirements compose into a shared operational rhythm that any regulated organisation now has to run.

The daily, weekly, monthly, quarterly, annual rhythm

A mature regulated organisation in 2026 runs approximately this cadence.

Daily. Automated audit-log review (PCI DSS 10.4.1.1, SOC 2 CC7.2, ISO A.8.16). Security Operations Centre alert triage with sub-day mean-time-to-detect. Privileged-session activity review for accounts that touched production. Change-ticket scan to confirm every production change matches an approval. Daily backup completion verification with restore-test sampling. For PCI in scope: payment-page tamper alert review. For high-risk operations: device-compliance check on workforce endpoints.

Weekly. PCI DSS 11.6.1 change-and-tamper detection on payment surfaces (e-skimmer detection). Vulnerability-finding summary triage. Change Advisory Board meeting with documented decision log. Segmentation alert review. Third-party SLA dashboard review. Phishing-attempt summary for the security team.

Monthly. Risk register update with delta from prior month. Vendor assessment cycle progression (one slice of the vendor population per month rather than all at year-end). Key Risk Indicator and Key Performance Indicator review at the executive committee. Patch cycle close-out with exceptions documented. Privileged-access certification at the individual-account level. IAM joiners-movers-leavers reconciliation with HR. FedRAMP-baseline POA&M monthly delivery. For FINMA-supervised institutions: monthly aggregated operational risk reporting to senior management.

Quarterly. Comprehensive user-access recertification with role-owner sign-off (the SOC 2 baseline; PCI DSS 7.2.4 requires every six months but quarterly is the industry default to avoid edge-case misses). PCI DSS 11.3 quarterly internal and external vulnerability scans, evenly spaced (not three Q4 scans). Internal audit sub-area covering one slice of the ISMS or control set. Risk-committee review of Key Risk Indicators. Tabletop incident-response exercise focused on a specific scenario. Quarterly business-continuity component test. PCI DSS 12.4.2 service-provider personnel-adherence reviews. ADHICS V2 quarterly self-assessment for entities in scope. For board-relevant organisations: quarterly operational-risk report to the board.

Semi-annual. Phishing simulation campaign with role-based targeting. PCI DSS 11.4.6 segmentation penetration test for service providers. Supplier deep-dive review for the highest-risk third parties. PCI DSS 12.5.2 service-provider scope-confirmation update.

Annual. Full ISMS internal audit covering every Annex A control area. Policy review cycle with documented approval. Risk assessment refresh with explicit consideration of changes in threat environment, scope, technology, and regulatory landscape (PCI DSS 12.3.1, ISO 27001 Clause 8.2). Full-scale business continuity and disaster recovery exercise involving the actual decision-making layer, not just the technical restore. PCI DSS 11.4.2 internal and 11.4.3 external penetration tests. PCI DSS 12.10.2 incident-response plan test. ISO 27001 Clause 9.3 management review. FINMA board approval of critical functions and tolerances. SAMA cybersecurity board report. SOC 2 Type II audit fieldwork. ISO 27001 surveillance or recertification audit.

This is the rhythm that makes audit a query rather than a project. Each cadence above produces an artefact that the platform's audit stream captures, and the audit stream becomes the evidence the auditor reads. The companion piece on tamper-proof audit trails covers the integrity layer that makes those artefacts trustworthy when the auditor reads them.

Where operational rhythms break in practice

The 2024 and 2025 audit cycles produced a recurring set of operational-rhythm failure patterns, and they map cleanly onto specific cadence requirements.

The most common is unevenly spaced quarterly activity. PCI DSS 11.3 requires quarterly scans, and a quarter means roughly ninety days. Three scans done in Q4 because the team forgot to schedule Q1, Q2, and Q3 does not satisfy the requirement; the auditor records it as a deviation. Quarterly access recertifications stuffed into December create the same finding. The mitigation is calendar-driven: a fixed date each quarter (e.g. the first Tuesday of February, May, August, November) with the activity owned by a named role.

The second is missing evidence during routine business interruptions. Vacation months, leadership transitions, and major-incident windows produce gaps in the evidence record. SOC 2 auditors compare the stated cadence in the control description to the evidence and record deviations when they do not match. ISO 27001 surveillance auditors do the same against the planned intervals defined under Clause 9.1. The mitigation is automation: a system that produces the evidence regardless of who is on holiday is the only operational shape that survives.
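A cadence check of the kind these two failure patterns call for, written here as an added example (not Novantra's code or any framework's tooling): it flags gaps longer than an assumed interval plus tolerance and short execution counts, run over constructed dates for the even first-Tuesday quarterly rhythm, the three-scans-in-Q4 pattern, and a daily log review with a two-week uncovered holiday.

```python
# Added example, not Novantra's code or any framework's tooling. Interval and
# tolerance values are assumptions; calibrate them to your own risk analysis.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cadence:
    control: str
    interval_days: int   # nominal spacing between executions
    tolerance_days: int  # slack before a longer gap becomes a deviation


def evaluate_cadence(cadence, period_start, period_end, executions):
    """Return (kind, message) deviations for one audit period.

    "gap": consecutive executions (or a period boundary and the nearest one)
    lie further apart than interval + tolerance, so the rhythm stalled.
    "count": fewer executions than the period length demands.
    Assumption: the period start counts as the last in-rhythm execution.
    """
    runs = sorted(d for d in executions if period_start <= d <= period_end)
    max_gap = cadence.interval_days + cadence.tolerance_days
    deviations = []
    prev = period_start
    for run in runs + [period_end]:
        gap = (run - prev).days
        if gap > max_gap:
            deviations.append(("gap", f"{cadence.control}: {gap}-day gap "
                               f"between {prev} and {run} (limit {max_gap})"))
        prev = run
    expected = ((period_end - period_start).days + 1) // cadence.interval_days
    if len(runs) < expected:
        deviations.append(("count", f"{cadence.control}: {len(runs)} "
                           f"executions, {expected} required"))
    return deviations


# Assumed cadences: quarterly = 90 days with 14 days of slack; log review strictly daily.
QUARTERLY_SCAN = Cadence("PCI DSS 11.3 quarterly vulnerability scan", 90, 14)
DAILY_LOG_REVIEW = Cadence("PCI DSS 10.4.1.1 daily audit-log review", 1, 0)
YEAR_2025 = (date(2025, 1, 1), date(2025, 12, 31))
JANUARY_2025 = (date(2025, 1, 1), date(2025, 1, 31))
# Constructed: the rhythm the text recommends, a fixed first-Tuesday date each quarter.
EVEN_SCANS = [date(2025, 2, 4), date(2025, 5, 6), date(2025, 8, 5), date(2025, 11, 4)]
# Constructed: the failure pattern, three scans crammed into Q4.
Q4_ONLY_SCANS = [date(2025, 10, 7), date(2025, 11, 18), date(2025, 12, 16)]


def january_reviews_with_uncovered_holiday():
    """Constructed: daily reviews ran every day except 11 to 24 January 2025."""
    days = [JANUARY_2025[0] + timedelta(days=i) for i in range(31)]
    return [d for d in days if not date(2025, 1, 11) <= d <= date(2025, 1, 24)]


if __name__ == "__main__":
    checks = [(QUARTERLY_SCAN, YEAR_2025, EVEN_SCANS),
              (QUARTERLY_SCAN, YEAR_2025, Q4_ONLY_SCANS),
              (DAILY_LOG_REVIEW, JANUARY_2025, january_reviews_with_uncovered_holiday())]
    for cadence, (start, end), runs in checks:
        findings = evaluate_cadence(cadence, start, end, runs)
        for kind, message in findings or [("ok", f"{cadence.control}: in rhythm")]:
            print(f"[{kind}] {message}")
```

Fed from the platform's execution log, the same function produces the deviation list a dashboard would surface before fieldwork does.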

The third is reviews that happen but do not drive decisions. ISO 27001 Clause 9.3 requires management review with documented decisions on opportunities for improvement; reviews where minutes record attendance but no decisions are a Clause 9.3 nonconformity. PCI DSS 12.4.2 service-provider personnel-adherence reviews need documented outcomes, not just check-the-box attestations. ADHICS V2 quarterly self-assessments that surface no findings or corrective actions are flagged as performative.

The fourth is automated alerts going to mailboxes nobody reads. PCI DSS 11.6.1 change-and-tamper detection emits alerts; if the destination is a shared inbox checked occasionally, the operational rhythm has gaps that the deployment cannot close. The cadence requirement is met technically and missed operationally. Auditors increasingly ask to see the named human or rotation responsible for each alert class.

The fifth is incident-detection rhythm too slow to support notification windows. NIS2's 24-hour early warning and GDPR's 72-hour notification windows compress quickly when the organisation only reviews SIEM weekly. The companion article on breach-reporting windows covers this in detail: the architectural answer (per-record audit logs queryable in seconds) is necessary but not sufficient; the operational answer (daily detection rhythm with sub-hour analyst response) is the other half.

The real incidents where operational rhythm was the controlling factor

Three incidents from 2024 illustrate the pattern.

The Change Healthcare breach of February 2024 began with attacker access to a Citrix portal on 12 February and was not detected until 21 February, a nine-day gap. Root cause analysis cited a failure to refresh internal security procedures after the UnitedHealth acquisition in October 2022 plus absent MFA on the access portal. The MFA failure is well-documented; the nine-day detection delay is the operational-rhythm failure. Continuous credential-anomaly monitoring with daily review would have closed that window to hours.

The Snowflake-customer compromises through 2024 followed the same pattern. Attacker activity began in December 2023 and only surfaced in February 2024 via unusual access patterns. Post-mortems flagged inadequate customer-side logging slowing detection and incident response. The architecture existed in most cases (Snowflake emits audit events); the operational rhythm to consume them daily did not. This is the canonical case for evidence emitted continuously but never reviewed.

The Bank of Ireland fine of 24 March 2024 (EUR 463,000 from the Irish Data Protection Commission) is the clearest operational-rhythm-failure example. The bank's internal systems detected a breach, but escalation to the Data Protection Officer took nine days. GDPR's seventy-two-hour notification window was missed by an order of magnitude. The notification-window failure was not technical; the audit log existed, the breach was visible, the only thing missing was the operating rhythm that moved the signal from the detection system to the DPO inside the notification window. Several other 2024 European DPA decisions cited similar operational-escalation failures, contributing to over EUR 40 million in fines where late or missing breach notification was a cited violation.

In every case, the architecture to produce evidence existed. The operational rhythm to act on it did not. The architectural shift covered in the companion article on audit-grade evidence as a continuous output only pays off when the operating organisation consumes the evidence on the cadence the frameworks now expect.

The architectural answer

A platform that handles audit-readiness as an operational property rather than a project deliverable has several specific commitments that make the daily-through-annual rhythm achievable rather than aspirational.

Novantra's continuous evidence stream is the substrate: every control-relevant action emits an event the moment it engages, hash-chained and tamper-evident, exportable on demand. The daily, weekly, monthly, and quarterly cadences become queries against the same store, not collection projects.

Novantra's scheduled control attestations let teams define each cadence-driven activity (daily log-review attestation, weekly tamper-detection review, quarterly access recertification, annual risk assessment refresh) as a first-class operational object with an owner, a frequency, an evidence type, and an audit trail of every execution. Missed cadences surface as deviations on the operational dashboard before they surface as audit findings.

Novantra's role-driven workflow assigns each cadence-driven activity to a named role on the operating organisation's side; the platform routes the work, captures the response, and records the timing. The "automated alert into a shared mailbox" failure mode is replaced by a tracked assignment with an SLA the operations team can manage.

Novantra's exception register captures every gap (a postponed review, an unscheduled vacation cover, a deferred quarterly activity) with a justification and a documented exit condition. Auditors reading the exception register see the operating organisation managing its own deviations rather than discovering them under fieldwork.

Novantra's board-and-committee report templates feed directly from the operational data, so quarterly risk-committee and annual board reports do not require a separate evidence-collection project. The board reads the same numbers the operations team manages day to day.

For customers whose threat model or jurisdiction requires it, Novantra's Sovereign deployment runs the entire operational-rhythm stack inside the customer's own infrastructure.

None of this is a feature. Each is the architectural answer to a question every major framework is now asking in cadence language: not whether the control was designed, and not whether the evidence was produced, but whether the operating organisation consumed the evidence on the rhythm the framework requires. A platform built so the daily, weekly, monthly, quarterly, and annual cadences are first-class operational objects makes "audit is a Wednesday meeting" the literal description rather than the aspirational one. The frameworks have moved decisively toward continuous rhythm. The operating model has to follow.