GOV-012 Continuous Monitoring Strategy
Description
The organization has a defined continuous monitoring strategy that establishes metrics, frequencies, and responsibilities for monitoring control effectiveness. Monitoring outputs are correlated, reviewed, and used to update the risk posture and security program.
Rationale
Point-in-time audits cannot detect changes that occur between assessments: a control that passed on the audit date may degrade the following week (a scanner stops running, an alert rule is muted, a responsible owner leaves) and go unnoticed until the next audit. A continuous monitoring strategy ensures that the security posture remains known and actionable on an ongoing basis, and that monitoring tools produce reviewed evidence rather than uncorrelated output.
Framework Mappings (3)
| Framework | Control ID | Control Name | Coverage |
| --- | --- | --- | --- |
| CSA CCM v4 | A&A-03 | Risk Based Planning Assessment | partial |
| NIST SP 800-53 Rev 5 | CA-7 | Continuous Monitoring | partial |
| NIST SP 800-53 Rev 5 | PM-31 | Continuous Monitoring Strategy | full |
Evidence (2)
1. Continuous monitoring strategy document defining metrics, monitoring frequencies, tool coverage, and responsibilities.
Example: Continuous Monitoring Strategy (Confluence / ISMS document), listing: each monitored control domain, the metric or indicator used, the monitoring frequency, the tool or process performing the check, and the named role responsible for review.
Test: Request the continuous monitoring strategy document. Verify: (1) monitoring frequencies are defined per control domain or metric, not as a single blanket interval, (2) a responsible role is named for each metric and each named role still exists in the organization, (3) the strategy records a management approver and approval date, and has been reviewed or re-approved within the last 12 months, (4) the strategy states how monitoring outputs feed into risk register updates, including who triages threshold breaches, (5) the tool or process named for each metric is actually deployed and covers the assets in scope.
2. Continuous monitoring output reports (dashboard, automated scan reports, or metric summaries) generated at the frequencies defined in the strategy.
Example: Security metrics dashboard export (Vanta / Drata / SIEM dashboard PDF) or weekly/monthly monitoring report, showing control health indicators and trend data, timestamped within the defined monitoring interval.
Test: Request monitoring output reports for the last two reporting cycles of each defined frequency (for example, the last two weekly reports and the last two quarterly reports, not just the two most recent documents). Verify: (1) reports are timestamped within the defined frequency and the gap between consecutive reports does not exceed it, (2) each metric or control indicator in the strategy has a corresponding data point, and any metric with no data point is explained, (3) anomalies or threshold breaches are flagged with a review or response record (ticket, incident, or risk register entry) attributable to the role named in the strategy.
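The cadence and coverage checks in the evidence test above can be scripted rather than eyeballed. The following is an added example written for this page, not code from the control catalog or from any of the products named in it; the strategy extract, the report records, the field names, the evaluation date and the helper names are all constructed for illustration. It flags metrics with no output, metrics whose latest output (or the gap between two consecutive outputs) exceeds the defined interval, threshold breaches with no review record, and outputs for metrics the strategy does not cover.

```python
"""Cadence and coverage check for continuous monitoring evidence.

Added example for the GOV-012 evidence test; the strategy, reports and
evaluation date below are constructed, not taken from a real system.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical strategy extract: metric -> defined interval and responsible role.
STRATEGY = {
    "vuln_scan_critical_open": {"frequency_days": 7, "owner": "AppSec Lead"},
    "mfa_coverage_pct": {"frequency_days": 30, "owner": "IAM Manager"},
    "backup_restore_test": {"frequency_days": 90, "owner": "Infra Lead"},
    "privileged_access_review": {"frequency_days": 90, "owner": "IAM Manager"},
}

# Constructed monitoring outputs, as they might be exported from a dashboard or SIEM.
# "breach" marks a threshold breach; "review" is the ticket/record that shows it was reviewed.
REPORTS = [
    {"metric": "vuln_scan_critical_open", "ts": "2024-05-27T06:00:00Z", "value": 2, "breach": True, "review": "INC-2041"},
    {"metric": "vuln_scan_critical_open", "ts": "2024-06-03T06:00:00Z", "value": 0, "breach": False, "review": None},
    {"metric": "mfa_coverage_pct", "ts": "2024-04-01T00:00:00Z", "value": 91.0, "breach": True, "review": None},
    {"metric": "backup_restore_test", "ts": "2024-05-15T00:00:00Z", "value": "pass", "breach": False, "review": None},
]

# Constructed evaluation date (the "now" an assessor would use).
NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(strategy, reports, now, grace_days=0):
    """Return a list of (kind, metric, detail) findings.

    kind is one of: missing, stale, gap, unreviewed_breach, unmapped.
    grace_days widens the allowed interval to tolerate reporting delays.
    """
    findings = []
    by_metric = {}
    for r in reports:
        by_metric.setdefault(r["metric"], []).append(r)

    for metric, spec in strategy.items():
        rs = sorted(by_metric.get(metric, []), key=lambda r: parse_ts(r["ts"]))
        limit = timedelta(days=spec["frequency_days"] + grace_days)
        if not rs:
            findings.append(("missing", metric, "no monitoring output for this metric"))
            continue
        # Latest output must fall inside the defined interval.
        age = now - parse_ts(rs[-1]["ts"])
        if age > limit:
            findings.append(("stale", metric,
                             f"latest output is {age.days}d old, interval is {spec['frequency_days']}d"))
        # Consecutive outputs must not be further apart than the interval.
        for a, b in zip(rs, rs[1:]):
            gap = parse_ts(b["ts"]) - parse_ts(a["ts"])
            if gap > limit:
                findings.append(("gap", metric, f"{gap.days}d gap between {a['ts']} and {b['ts']}"))
        # Every breach needs a review record attributable to the owner.
        for r in rs:
            if r["breach"] and not r["review"]:
                findings.append(("unreviewed_breach", metric,
                                 f"breach at {r['ts']} has no review record (owner: {spec['owner']})"))

    # Outputs that exist but are not covered by the strategy are a documentation gap.
    for metric in by_metric:
        if metric not in strategy:
            findings.append(("unmapped", metric, "output is not covered by the strategy"))
    return findings


if __name__ == "__main__":
    for kind, metric, detail in evaluate(STRATEGY, REPORTS, NOW):
        print(f"{kind:18} {metric:28} {detail}")
```

On the constructed data the script reports mfa_coverage_pct as stale with an unreviewed breach and privileged_access_review as missing; vuln_scan_critical_open passes because its two outputs are exactly seven days apart and its breach has a ticket. The grace_days parameter is there because a weekly report delivered on Monday for a Sunday interval should not be flagged, but the grace window should itself be written into the strategy, not chosen ad hoc at assessment time.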
Questions (2)
1. Does your organization have a defined continuous monitoring strategy that specifies metrics, frequencies, and responsibilities for monitoring control effectiveness?
The strategy should be documented, management-approved, and reference how monitoring outputs feed into risk register updates, not rely solely on annual audits.
2. Which of the following continuous monitoring activities are currently operational in your organization?
Evidence should show monitoring outputs (dashboards, scan reports, alert logs) generated at the frequencies defined in the strategy.