Vector man creating checklist of requirements to set up Continuous Controls Monitoring (CCM).

Line managers in organizations need to assure senior executives that they are actively managing the risks their organization wants to mitigate. To achieve this goal, organizations can put appropriate controls in place and verify that they operate effectively. 

Compliance and internal audit teams often have trouble keeping pace with an uptick in new regulations, increased regulatory scrutiny, and dependency on third-party technology and seek out ways to become more productive in their control performance evaluation efforts and increase control testing coverage. 

What is Continuous Controls Monitoring? 

Continuous Controls Monitoring (CCM) is defined as applying technology to allow continuous (or at least high-frequency), automated monitoring of controls to validate the effectiveness of controls designed to mitigate risk, including maintaining an active cyber defense posture and ensuring business continuity and regulatory compliance. 

CCM has many use cases across industries. It exists in Financial Services as fraud monitoring and financial transaction monitoring. It’s utilized in Manufacturing for quality and process control monitoring. Across industries, organizations are starting to deploy CCM over key control processes around network and data security.

There are a couple of different approaches to CCM implementation. It can be as simple as turning on certain settings in the source operating system and using its built-in dashboards and reports. 

To have a more comprehensive CCM system in place that monitors a wide range of controls across business domains, an organization needs a single repository that documents and manages its controls and gathers evidence of their effectiveness. This type of system, commonly known as a compliance operations platform, is built to test and monitor controls at scale. A compliance operations platform has connectors to common business applications across IT, Development, Security, HR, Sales, and Finance – and can pull relevant data about many types of controls into its platform for streamlined controls assessment/validation.   

All in all, CCM is a key aspect of Governance, Risk and Compliance that helps an enterprise improve its overall risk management. 

The Benefits of Implementing Continuous Controls Monitoring 

Organizations that deploy CCM enjoy numerous benefits, such as:

  • Increased productivity of compliance/internal audit teams: 
    • These highly skilled employees are able to test more controls within a given timeframe so they’re more likely to catch issues before they develop into problems. 
    • These teams can do more impactful work and focus their time on strategic efforts such as including evaluating controls that require manual testing.
  • Confidence that line managers and employees who operate the technologies that run key business processes are actively managing the risks that come with these processes. Examples include: 
    • A senior engineer should always review new code before it gets deployed into the production environment.  
    • The admin for the company’s single sign-on system should remove any terminated employee from access within seven days of termination. 
    • A network security engineer needs to know that the application firewall is always on; if it isn’t, they need to fix it right away. 
    • A Chief Security Officer needs to know that the security team consistently patches “critical” vulnerabilities within seven days in accordance with its vulnerability management program policy. 
  • Reduced remediation costs as control deficiencies are identified and fixed before they escalate. 
  • Increased visibility into the organization’s risk, security, and compliance posture for senior leaders. 
  • Improved ability to prioritize risk management decisions.
  • Improved standing in the eyes of regulators, customers, and auditors with readily available evidence of risk mitigation, protection of valuable assets, and the organization’s ability to meet its legal obligations.

How to Set Up a Continuous Controls Monitoring System 

Before setting up a CCM system, a few prerequisites need to be met:

  1. Have a set of controls in place. Before you implement CCM, it’s important to identify the processes or controls that your organization already has in place. Oversight authorities may define some controls in your industry and you might borrow others from applicable industry control frameworks, such as COSO, COBIT 5 (for SOX compliance), NIST Cybersecurity Framework, ISO 27001, etc. You should know who (or which team) is responsible for each control process. 
  1. Have a single source of truth for all controls. To have a monitoring system implies that you have a single place where you can see and manage all controls. Thus, you’ll need to have a technology platform that allows you to document all controls and categorize them based on key characteristics (for example, criticality, control type, and the risk it’s meant to address) – so a compliance or internal audit professional can easily select the set of controls they want to automatically test and monitor.  
  1. Understand what evidence you need to validate control processes and how to generate that evidence. You may not realize that certain controls can be automatically tested and monitored until you see a visual report of the aggregated evidence about that control process. Through research, you can surface controls that are good candidates for CCM that weren’t on your radar at first.   

To set up CCM, complete the following steps: 

  1. Select and prioritize key controls for continuous controls monitoring. Controls that make suitable candidates for CCM have the following traits: 
    • They run at a high frequency (in near real-time, hourly, or daily)
    • The system that the control runs in generates structured, reasonably clean data about the control process (for example, a table with rows and cells) so an algorithm can scan the data and evaluate whether or not certain user-defined conditions are met
    • The evidence (data generated about the control process) can be automatically pulled into third-party software (for example, a compliance operations or GRC platform) and tested 
  1. Define control validation objectives or goals. Specify and build automated tests with pass/fail criteria. Determine the process frequency to run the test. 
  2. Set up processes to manage alarms, communicate, investigate, and correct the control weaknesses.

To learn more about how to set up a Continuous Controls Monitoring System and the controls you can automate, check out this article: Common Use Cases For Continuous Controls Monitoring.

Monthly Newsletter

Get the Latest on Compliance Operations.
Subscribe to Hyperproof Newsletter