Continuous compliance requires continuous monitoring and validation of controls in the environment, as well as integration with governance, risk management and compliance (GRC) tools and platforms. A variety of stakeholders will need to be involved in these projects, and most enterprise organizations prefer to “buy” versus “build” a central platform to help in accomplishing this goal. This piece explains the processes, tools, stakeholders and focus required for a best practice continuous compliance program.
In addition to a traditional best practices list of controls to meet compliance initiatives in the categories of network security, identity management, data security, vulnerability management and so on, continuous compliance requires an overlay of continuous controls monitoring to ensure any changes to or drift in controls are detected and remediated so compliance posture is maintained.
Continuous controls monitoring (CCM) is an integrated set of processes and techniques, enabled by technology, which is designed to help an organization:
A continuous compliance program is desirable, but it requires a significant investment to build automated processes, develop dashboards and key performance indicators (KPIs), and ensure stakeholders are committed to controls and security posture in diverse areas across the organization. In most cases, in addition to the existing controls mentioned earlier, continuous compliance is achieved with:
Examples of dedicated continuous compliance tools include:
A continuous controls monitoring program requires investment from stakeholders, but not necessarily equal investment across the organization. Figure 1 highlights some of the stakeholders that should be involved in this type of program, and their overall alignment in terms of risk and value.
Figure 1: Continuous Controls Monitoring Requires Focus from Key Stakeholders. The figure maps four stakeholder groups (Chief Risk Officer/Chief Compliance Officer; Chief Financial Officer/Controller; Internal Audit Director; Business Process Owners) against their areas of concern: enterprise risk management, business process risk, compliance with IT standards, Sarbanes-Oxley (SOX)/financial statement controls, impact on the business process, efficiency and effectiveness, external audit/external auditor reliance, compliance and controls dashboard, process and control effectiveness, risk management controls, overall controls effectiveness, business process controls, cost of compliance (e.g., SOX 404), manual vs. automated controls, assurance and coverage levels, business case/return on investment (ROI), overall investment/redeploying resources, and business performance monitoring. Source: IANS, 2021
Functional design of a continuous compliance and controls monitoring program requires that organizations put some work up front into the governance of controls analysis tools. This means they must:
Organizations face a number of known challenges when implementing continuous compliance controls and solutions. Two of the most common are:
A continuous controls monitoring model will greatly facilitate a continuous compliance program that works in alignment with existing regulation mapping and GRC tools. While some organizations choose to build this themselves, depending on your organization’s needs and available resources, acquiring an on-premises or cloud-based solution that includes data ingestion, monitoring and reporting/metrics may be a viable option.