Sprint lifecycle
Sprints are fixed-duration working periods. Each sprint contains a set of compliance actions you commit to completing. When the sprint ends, audit-ready items stay in Done and unfinished work rolls into the next sprint.
Creating a sprint
Click + New sprint at the top right of the Roadmap board. Give the sprint a name (e.g. "Sprint 2"), a start date, and an end date. The new sprint column appears immediately to the right of the active sprint. You can now assign backlog items to it using the Assign → sprint button on any backlog card.
Only one sprint can be Active at a time. Future sprints show their start date but are not active until you explicitly start them (or the current sprint ends).
Evidence and sign-off
The four item statuses are:
| Status | Meaning |
|---|---|
| To Do | Planned but not started |
| In Progress | Actively being worked on |
| Evidence | Work complete — collecting sign-off evidence |
| Audit-Ready | All evidence checked — counts toward your score |
To reach Audit-Ready:
- Open the item detail panel and set status to Evidence
- Click Add evidence item and describe each thing that needs to be verified (e.g. "Policy signed by CEO", "Document uploaded to wiki")
- Check each box as the evidence is collected
- When all boxes are checked, click Mark audit-ready
Marking an item audit-ready automatically closes the linked compliance gaps — the platform updates the assessment answers and recalculates the compliance score. You do not need to manually update the Intake tab.
Attaching a file to evidence
Each evidence item has a 📎 paperclip button next to it. Click it to upload any file (screenshot, PDF, certificate). The filename appears as a link once uploaded. Click × to remove and replace it.
Per-group verification
If your organisation has multiple sites or departments (groups), click the 👥 group scope icon on an evidence item to expand per-group chips. Each group can be independently checked off — useful when "Patch policy signed" needs separate sign-off from HQ, Warehouse, and Remote workers.
The item's overall verification badge updates only when all groups are checked.
Evidence expiry
Each evidence item can have a Valid until date. When that date passes, the evidence is flagged as expired. The item card shows an ↳ EXPIRED badge in red, and a notification appears at the top of the board.
To resolve expired evidence: open the detail panel, re-upload or re-collect the evidence, update the Valid until date, and re-check the box. Once all evidence is current again, the expiry warning clears.
Common expiry scenarios
- Annual security policy review — expires every 12 months
- Penetration test report — typically valid for 12–24 months
- Supplier security questionnaire — valid for 12 months
- Backup test result — valid for 3 months
Recurring items
Some compliance tasks repeat on a schedule — backup tests, access reviews, phishing simulations. Set Recurs every N days in the detail panel (e.g. 90 for quarterly). When the item is marked done, the platform automatically sets a Next due date and shows it on the card.
When the renewal date approaches, click Schedule renewal on the done card. This creates a new copy of the item in the Backlog with the same controls, so you can assign it to the next sprint when you're ready.
Tip
Framework items like Patch Management and Backup testing come pre-configured with recurrence intervals. The value copies automatically when you assign them to a sprint.
Ending a sprint and rolling over
Click End sprint on the active sprint header when the sprint period is over. A modal shows all open items and lets you decide what to do with each:
- Move to Sprint N — carry unfinished work into the next sprint
- Discard — remove the item from the sprint (it returns to the Backlog if it has a framework item ID)
Items already marked Audit-Ready are automatically kept in Done and not shown in the rollover modal.
How evidence connects to your compliance score
The platform distinguishes two levels of compliance:
| Signal | How controls are counted |
|---|---|
| Document filled in | Control proven — counts fully toward score |
| Sprint action + all evidence checked | Control proven — counts fully toward score |
| Assessment answer = "Yes" only | Control asserted — gap priority reduced but not audit-ready |
To be fully audit-ready for a CyFun assessment, controls need to be proven — either through filled documents or verified sprint evidence. Answering "Yes" in the Intake tab alone is not sufficient for the auditor.