Continuous controls are systematic or design functions that once implemented, continuously apply in practice.
Continuous controls are the least prone to failure. They include the system settings, configurations, policy documents and system functionalities and design features. Once they are designed effectively and put into practice, they manage themselves. There's usually a residual element of monitoring, periodic review or ad-hoc updates that go with these controls but they are assessed "as is" for audits.
Continuous controls are one of the three types of controls to manage in your InfoSec compliance program:
1. Continuous: system settings, policies, user guides, and other documentation that continuously apply and we audit "as is".
2. Periodic: annual, quarterly or monthly board meetings, risk assessments, and other reviews that occur at regular intervals. We audit to see that they were performed within those defined frequencies.
3. Event-based: controls applied to new joiners, terminations, incidents, change releases, and other events with which the controls should be performed. We audit to see that they were performed for each related event or occurrence.
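The three audit approaches above differ in what evidence they need: a live state for continuous controls, dated records for periodic ones, and a record per triggering event for event-based ones. The following is an added example, not code from the original article or from the Readiness Assessment product, showing one way to encode those three checks; the control names, the 2024 audit period and all evidence records are constructed for the illustration.

```python
"""Added example: auditing continuous, periodic and event-based controls
against constructed evidence records (not code from the original article)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Control:
    name: str
    kind: str                  # "continuous", "periodic" or "event-based"
    frequency_days: int = 0    # periodic only: maximum days between performances
    trigger: str = ""          # event-based only: the event type that must drive the control


# Constructed audit period (assumption for the example).
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 12, 31)


def audit_continuous(current_state: dict, expected_state: dict) -> list:
    """Continuous controls are tested 'as is': return the settings whose live
    value differs from the documented expectation (empty list = pass)."""
    return sorted(k for k, v in expected_state.items() if current_state.get(k) != v)


def audit_periodic(control: Control, performed_on: list) -> list:
    """Periodic controls pass when no gap exceeds the defined frequency. The gap
    from the start of the audit period to the first performance, and from the
    last performance to the end of the period, count too; otherwise a single
    review in January would 'pass' a quarterly control for the whole year."""
    points = [PERIOD_START] + sorted(performed_on) + [PERIOD_END]
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(points, points[1:])
            if (b - a).days > control.frequency_days]


def audit_event_based(control: Control, events: list, performances: list) -> list:
    """Event-based controls pass when every triggering event has a matching
    control record; return the ids of events that have none."""
    covered = {p["event_id"] for p in performances if p["control"] == control.name}
    return [e["id"] for e in events if e["type"] == control.trigger and e["id"] not in covered]


# Constructed controls and evidence.
CONTROLS = [
    Control("mfa_enforced", "continuous"),
    Control("access_review", "periodic", frequency_days=92),           # quarterly
    Control("leaver_deprovision", "event-based", trigger="termination"),
]
LIVE_SETTINGS = {"mfa_required": True, "session_timeout_min": 60}
EXPECTED_SETTINGS = {"mfa_required": True, "session_timeout_min": 30}
ACCESS_REVIEWS = [date(2024, 3, 28), date(2024, 6, 20), date(2024, 12, 2)]  # Q3 review missed
EVENTS = [
    {"id": "T-1", "type": "termination"},
    {"id": "T-2", "type": "termination"},
    {"id": "J-1", "type": "joiner"},        # not a trigger for this control
]
PERFORMANCES = [{"control": "leaver_deprovision", "event_id": "T-1"}]


def run_audit() -> dict:
    """Run each control's audit and return its exceptions (empty list = no findings)."""
    continuous, periodic, event_based = CONTROLS
    return {
        continuous.name: audit_continuous(LIVE_SETTINGS, EXPECTED_SETTINGS),
        periodic.name: audit_periodic(periodic, ACCESS_REVIEWS),
        event_based.name: audit_event_based(event_based, EVENTS, PERFORMANCES),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'PASS' if not findings else findings}")
```

With the constructed data the continuous control fails on the session timeout, the periodic control is flagged for the 165-day gap between June and December, and the event-based control is missing a record for termination T-2.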
How to implement effective continuous controls
There are a few tips that help ensure these continuous controls are effective:
Many of these continuous controls are based on software automation, and software is only as good as the way it's used. It's important to ensure the configurations, settings, functionalities and design features really fit their intended purpose and goals in practice. This may require considering a broad range of past and future circumstances and whether these systematic solutions account for any nuances or anomalies that may arise.
Integrate the controls in the broader processes
These continuous controls may manage themselves, but they usually require some form of monitoring, periodic review or ad-hoc updates to ensure they are meeting their purpose and objectives. These objectives will evolve as your environment changes, security threats and related requirements increase, newer approaches become available, or you may even identify your continuous controls fell short of expectations. The way to solve this is to integrate continuous controls as part of your broader operational processes so they are considered and monitored on an ongoing basis. For example, you may "set and forget" your firewall settings, but combine them with automated alerts if settings change, and monitoring practices to identify any suspicious activity that may require further investigation.
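The firewall example above pairs a "set and forget" control with an automated alert when its settings change. The following is an added example, not code from the original article, of what that drift alert can look like: a documented baseline rule set is fingerprinted, the live rule set is compared against it, and each difference becomes an alert record that a monitoring process can pick up. The rule sets and the severity heuristic are constructed for the illustration; a real deployment would read the live rules from the firewall's own export.

```python
"""Added example: detecting drift between a baseline firewall rule set and the
live rule set, emitting one alert per change (not code from the original article)."""
import hashlib
import json

# Constructed baseline: the rule set as documented when the control was designed.
BASELINE_RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "10.1.2.3", "port": 443},
    {"id": 20, "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "10.1.2.4", "port": 22},
    {"id": 99, "action": "deny", "proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 0},
]

# Constructed live state: rule 20 widened, rule 30 added, the final deny rule removed.
CURRENT_RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "10.1.2.3", "port": 443},
    {"id": 20, "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "10.1.2.4", "port": 22},
    {"id": 30, "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "10.1.2.5", "port": 3389},
]


def fingerprint(rules: list) -> str:
    """Canonical SHA-256 of a rule set, so an unchanged state is a single comparison."""
    canonical = json.dumps(sorted(rules, key=lambda r: r["id"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def _severity(change: str, rule: dict) -> str:
    """Constructed heuristic: anything that removes a deny or exposes an allow
    rule to any source is high; everything else is medium and still reviewed."""
    if change == "removed" and rule["action"] == "deny":
        return "high"
    if change != "removed" and rule["action"] == "allow" and rule["src"] == "0.0.0.0/0":
        return "high"
    return "medium"


def detect_drift(baseline: list, current: list) -> list:
    """Return one alert per rule that was added, removed or modified relative to
    the baseline. An empty list means the control is still in its designed state."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    before = {r["id"]: r for r in baseline}
    after = {r["id"]: r for r in current}
    alerts = []
    for rid in sorted(set(before) | set(after)):
        if rid not in after:
            alerts.append({"rule": rid, "change": "removed",
                           "severity": _severity("removed", before[rid])})
        elif rid not in before:
            alerts.append({"rule": rid, "change": "added",
                           "severity": _severity("added", after[rid])})
        elif before[rid] != after[rid]:
            fields = sorted(k for k in before[rid] if before[rid][k] != after[rid].get(k))
            alerts.append({"rule": rid, "change": "modified", "fields": fields,
                           "severity": _severity("modified", after[rid])})
    return alerts


if __name__ == "__main__":
    for alert in detect_drift(BASELINE_RULES, CURRENT_RULES):
        print(json.dumps(alert))
```

Run on a schedule (or from the firewall's own change hook), the alerts feed the monitoring practice the article describes: a change that matches an approved ticket is closed out, anything else is investigated and the baseline is only updated once the change has been reviewed against the control's original purpose.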
All control practices should be assigned ownership. This is often a single control owner but may be combined with a second level accountable owner, or assigned to a team. The purpose of assigned ownership is to ensure the control practice is not forgotten and gets the appropriate focus as needed, including for any audit and compliance objectives that may require certain documentation and maintenance beyond what would otherwise be performed.
A holistic review of all of your controls on a periodic basis is a good practice for identifying any changes or other needs to review or adjust your control practices. As described above, these continuous controls typically manage themselves but require some form of monitoring, periodic review or ad-hoc updates. This periodic check of the controls serves as a catch-all to identify any individual areas that may require further attention.
Across all control types, the greater the awareness across the organisation, the more likely they are to succeed. This is particularly important in control areas where responsibilities are dispersed. Continuous controls like system settings and configurations typically have multiple system administrators, so it's important to have awareness across the team to ensure these control practices aren't undermined by changes that don't consider the original purpose and objectives. Policies are another continuous control where awareness is important; they ultimately rely on the broader organisation following those policies to achieve their respective objectives.
What are your continuous controls?
If you've completed our Readiness Assessment, these are listed in the Controls Matrix section of the report. You can filter on the Frequency/Population column to "N/A - Point in time test". These are all the continuous controls.
If you haven't completed our Readiness Assessment, try it out now! It's a free resource that maps your controls and identifies any gaps with recommendations. It's the best first step for any business pursuing InfoSec compliance with standards like SOC 1, SOC 2, ISO 27001, HIPAA, GDPR, and the Consumer Data Right (all of which can be assessed in this free software).