
4.4 Monitoring Controls


  • Implemented controls must be aligned with IT security policies and should be reviewed at frequent intervals to determine their effectiveness, efficiency and adequacy.


  • For monitoring the controls, relevant data should be gathered from various sources in a timely and accurate manner.


  • Once the data is validated, analysis can be performed against specific control objectives.


  • If the results of the monitoring indicate an area of noncompliance or unacceptable performance, the risk practitioner should discuss this with the risk owner (mostly the business process owner) and recommend a review of the existing controls in terms of effectiveness and, if required, the implementation of additional controls.


  • Control monitoring can be done either by an independent reviewer or through self-assessment by process owners.


  • Following are some of the control monitoring sources:

      • Security operation centre (SOC) and network operations centre (NOC)
      • Tools and software for continuous control monitoring
      • Periodic control testing
      • Control self-assessment


  • It is important to monitor the KRIs at periodic intervals as the risk profile changes over time. Periodic monitoring helps to address new risk and to control existing risks. For example, a product defect ratio of up to 10% is acceptable and the KRI is set accordingly. However, over a period of time this 10% is considered too high owing to a change in the market scenario, and the KRI needs to be revised to set the acceptable defect ratio at only 2%.


  • The risk profile provides the overall risk status to which the organization is exposed. The risk profile is to be kept updated with new and emerging risk so as to ascertain the organization's current risk status.


  • Whenever a monitoring process identifies a security exception, the first step for a risk practitioner is to validate the exception to rule out any false positives.


  • The role of a risk practitioner in the control monitoring process is to assist in planning, reporting and scheduling tests.






Continuous Monitoring System


Continuous monitoring is the process and technology used to monitor critical areas on an ongoing basis. There are various tools and techniques available for continuous monitoring. It must be noted that continuous monitoring involves cost, and hence organizations generally use continuous monitoring techniques for high-risk areas where both the impact and the frequency of occurrence are high.



KRI Thresholds


  • The thresholds identified for monitoring and reporting a KRI are a key aspect of the monitoring process. They indicate whether controls are providing their intended value. Without appropriate thresholds, the organization may not be able to determine the effectiveness of the control.


  • A KRI should have the capability to identify the effectiveness of the controls, i.e. to identify when controls are no longer providing their intended value. This helps to take appropriate action on a timely basis. Without this information, an organization may be under the impression that ineffective controls are still effective and do not need to be reworked.
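The following Python example is added here to illustrate the two points above together with the defect-ratio example from the earlier list: a KRI only becomes a signal about control effectiveness once thresholds are attached to it, and revising the threshold (from 10% to 2%) changes which historical observations count as breaches. It is not code from the original page or from ISACA; the KRI name, the warning/critical levels and the quarterly observations are constructed values, and the "sustained breach" rule (two consecutive red periods) is an assumed reporting convention.

```python
"""Added example (not part of the original page): evaluating a KRI against thresholds.

A KRI without thresholds is just a number. With warning and critical thresholds it
becomes a signal that the associated control is, or is no longer, delivering its
intended value. All names and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class KRI:
    """A key risk indicator with two reporting thresholds (assumed convention)."""
    name: str
    warning: float    # amber: attention needed, control may be weakening
    critical: float   # red: control is no longer providing its intended value

    def status(self, value: float) -> str:
        """Map one observed value of the indicator to a traffic-light status."""
        if value >= self.critical:
            return "red"
        if value >= self.warning:
            return "amber"
        return "green"


def evaluate(kri: KRI, observations):
    """Return (period, value, status) for each (period, value) observation."""
    return [(period, value, kri.status(value)) for period, value in observations]


def sustained_breach(results, level: str = "red", periods: int = 2) -> bool:
    """True if `level` persisted for `periods` consecutive observations.

    A single spike may be noise; a sustained breach is what should trigger the
    risk practitioner's discussion with the risk owner.
    """
    run = 0
    for _, _, status in results:
        run = run + 1 if status == level else 0
        if run >= periods:
            return True
    return False


def summarize(results) -> dict:
    """Count how many periods fell into each status."""
    counts = {"green": 0, "amber": 0, "red": 0}
    for _, _, status in results:
        counts[status] += 1
    return counts


# Constructed quarterly observations of a product defect ratio (fraction of units).
OBSERVATIONS = [
    ("2024-Q1", 0.04),
    ("2024-Q2", 0.06),
    ("2024-Q3", 0.08),
    ("2024-Q4", 0.12),
    ("2025-Q1", 0.11),
]

# Original KRI: up to 10% defects is acceptable (critical at 10%, warning at 8%).
ORIGINAL = KRI("Product defect ratio", warning=0.08, critical=0.10)

# Revised KRI after the market scenario changed: only up to 2% is acceptable.
REVISED = KRI("Product defect ratio", warning=0.015, critical=0.02)


if __name__ == "__main__":
    for kri in (ORIGINAL, REVISED):
        results = evaluate(kri, OBSERVATIONS)
        print(f"{kri.name} (critical >= {kri.critical:.0%})")
        for period, value, status in results:
            print(f"  {period}: {value:.0%} -> {status}")
        print("  summary:", summarize(results),
              "| sustained breach:", sustained_breach(results))
```

Run under the original thresholds, the same five observations read green, green, amber, red, red, and the two consecutive red quarters register as a sustained breach; under the revised 2% threshold every quarter is red, which is exactly the information the organization lacked while it still assumed a 10% ceiling was adequate.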


Key aspects from CRISC exam perspective

CRISC Question: What is the first step of developing a risk monitoring program?
Possible Answer: To conduct a capability assessment

CRISC Question: What is the next best step once risk is accepted?
Possible Answer: To implement monitoring technique

CRISC Question: Risk monitoring is closely associated with
Possible Answer: Risk reporting

CRISC Question: What is the primary reason for monitoring key risk indicators at periodic intervals?
Possible Answer: Risk profile changes with time

CRISC Question: Overall risk status of the organization can be ascertained by
Possible Answer: Risk profile of the organization

CRISC Question: What is the first step when a security exception is noted?
Possible Answer: To validate the exception to rule out the false positive

CRISC Question: Continuous monitoring is more preferable for
Possible Answer: Incidents that have high impact and high frequency

CRISC Question: What is the most important aspect while developing a metric to monitor the control effectiveness?
Possible Answer: Various thresholds

CRISC Question: What is the role of a risk practitioner in the control monitoring process?
Possible Answer: To assist in planning, reporting and scheduling tests.


