You monitor controls on an ongoing basis, not just at assessment time.
What it actually means
Continuous monitoring means keeping an eye on whether controls stay effective between formal assessments. It is the operational habit that keeps your score from drifting (and keeps your annual affirmation honest). It is often realized through your SIEM, EDR, compliance dashboards, and periodic checks.
Pass or fail — an assessor needs a "yes" to each
- Controls are monitored on an ongoing basis.
- Drift/failures are detected between assessments.
- Monitoring feeds remediation and the affirmation.
What to have ready
- Continuous-monitoring approach/tooling
- Compliance dashboards / periodic check records
- Link to remediation
Where teams trip up
- Only checking controls at assessment time
- No detection of drift between assessments
- Affirming compliance without ongoing monitoring