The concept of continuous monitoring comes from the idea that an information system that is not checked often will begin to develop exploitable weaknesses. The IT and information security team can do an amazing job in developing, securing, and testing a new information system. However, this work is a point-in-time activity and becomes stale very rapidly. As new patches come out or new exploit techniques are developed, the information system must be updated to reflect these new threats.

Continuous monitoring lives in the operations and management phase of the system development life cycle. A well-developed continuous monitoring program should be established within your organization to ensure that security controls around people, processes, and technologies are effectively monitored and continue to be well defending against the ever-changing information security threat landscape. Key concepts to consider as you begin to plan and implement a continuous monitoring program in your organization are discussed in the following sections.