Article 2: Campaigns vs. One-Off Reviews
Two ways to run an access review in Ploy
Ploy gives you two modes for running access reviews: campaigns (recurring) and one-off reviews. Both use the same underlying review process — the difference is whether the review repeats automatically or runs once.
Campaigns (recurring reviews)
A campaign is a standing review programme. You define it once — scope, schedule, reviewers, outcome options — and Ploy automatically generates a new review cycle on your chosen cadence.
Use a campaign when:
You need periodic certification for compliance (e.g. quarterly admin access reviews for ISO 27001)
The same set of resources should be reviewed on a regular schedule
You want reviews to start automatically without manual intervention each time
You're building a continuous access governance programme
How it works:
You create the campaign with a frequency: weekly, biweekly, monthly, bimonthly, quarterly, semi-annual, or annual
When the next review date arrives, Ploy automatically generates a new cycle from the campaign template
Ploy applies the current filters at cycle generation time — so if employees have joined, left, or changed roles since the last cycle, the new cycle reflects the current state
Each cycle is numbered (Cycle 1, Cycle 2, etc.) and tracks its own progress independently
Previous cycles remain in Ploy as a historical record
You can pause a campaign by setting it to inactive — Ploy won't generate new cycles until you reactivate it.
Campaign cadence options:
Frequency | When to use |
|---|---|
Weekly | High-risk or high-turnover environments |
Biweekly | Fast-moving access environments (e.g. contractor-heavy teams) |
Monthly | Frequent leavers reviews, or active SaaS estates |
Quarterly | Standard compliance cadence for most frameworks |
Semi-annual | Lower-risk applications, or supplementary to quarterly reviews |
Annual | Legacy systems or stable, low-risk tools |
One-off reviews
A one-off review is a campaign without a recurrence schedule. You create it, run it once, and it's done. There's no automatic follow-up cycle.
Use a one-off review when:
You need to investigate a specific access concern right now (e.g. after a security incident)
You're running a targeted review outside your normal schedule (e.g. reviewing all access for a team that's being restructured)
You're piloting access reviews before committing to a recurring programme
An auditor or regulator has requested a point-in-time certification
How it works:
You create the campaign without setting a frequency
A single cycle is generated (either manually triggered or immediately on creation)
The cycle runs to completion like any other review
No further cycles are generated automatically — the campaign sits as a completed record
How they look the same
Despite the scheduling difference, campaigns and one-off reviews work identically once a cycle is running:
Same filter options for defining scope
Same reviewer assignment methods
Same reviewer experience in the employee portal
Same approval and attestation workflow
Same certificate and audit trail output
The campaign template is just a blueprint. The cycle is the real review.
Can I convert a one-off into a recurring campaign?
Yes. You can edit a campaign after creation to add a frequency, which will enable automatic cycle generation going forward. The completed one-off cycle is preserved as part of the campaign's history.
Practical guidance
Most organisations that use Ploy for compliance run a combination of both:
Recurring campaigns for their standard certification programme (e.g. quarterly admin reviews, monthly leavers reviews)
One-off reviews for ad-hoc investigations, incident response, or pre-audit spot checks
Start with one well-scoped recurring campaign for your highest-risk access. Once that's running smoothly, expand to additional campaigns for other resource categories.