MON-007 Continuous Monitoring Programme
Description
A documented continuous monitoring strategy defines the metrics, frequencies, and automated controls that are monitored across production systems. The programme includes configuration compliance checks, vulnerability scan scheduling, and review of security control effectiveness. Results are reported to accountable owners at defined intervals.
Rationale
Point-in-time audits miss drift between assessments. A structured continuous monitoring programme closes this gap and provides ongoing assurance of control effectiveness.
Framework Mappings (4)
| Control ID | Control Name | Coverage |
| --- | --- | --- |
| LOG-01 | Logging and Monitoring Policy and Procedures | partial |
| CA-7 | Continuous Monitoring | full |
| CC4.1 | COSO Principle 16: Conducts Ongoing or Separate Evaluations | partial |
| CC4.2 | COSO Principle 17: Evaluates and Communicates Deficiencies | partial |
Evidence (2)
Documented continuous monitoring strategy defining metrics, monitoring frequencies, automated checks, and reporting cadence for production security controls.
Example: Continuous Monitoring Strategy or Security Monitoring Plan document (version-controlled, approved within the last 12 months) listing monitored metrics, check frequencies, responsible teams, and reporting schedule
Test: Request the continuous monitoring strategy document. Verify: (1) in-scope metrics are enumerated, including configuration compliance, vulnerability scan schedules, and alert volumes; (2) monitoring frequencies are defined for each metric category; (3) reporting requirements and recipients are specified; (4) the document has been approved and reviewed within the last 12 months.
Continuous monitoring programme reports or dashboards showing periodic reporting of control effectiveness metrics to accountable owners.
Example: Monthly or quarterly security posture report or dashboard export (e.g., from AWS Security Hub, GCP Security Command Center, or a SIEM executive dashboard) showing compliance score trends, open findings, and metrics for the last review cycle
Test: Request the last three continuous monitoring reports. Verify: (1) reports are generated at the defined frequency; (2) reports cover configuration compliance, vulnerability findings, and alert metrics; (3) reports are distributed to or reviewed by named accountable owners; (4) findings or trend degradations in reports triggered documented follow-up actions.
Questions (2)
Is a documented continuous monitoring strategy in place that defines the metrics, frequencies, and automated checks monitored across production systems, with results reported to accountable owners at defined intervals?
The strategy should enumerate in-scope metrics, monitoring frequencies, and the reporting cadence. It should be formally approved and reviewed at least annually.
Which elements are included in your continuous monitoring programme?
A mature programme includes all six elements. Configuration compliance and vulnerability scan scheduling are the minimum expected components.