What is Continuous Controls Assurance?
By defining key information security Objectives and Key Results (OKRs), Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) in a normalised, machine-readable format, we can map them to security controls catalogues and standards. This enables continuous testing and reporting of control effectiveness, with evidence retained to substantiate each test conclusion.
Continuous controls effectiveness testing and reporting helps organisations maintain visibility of their risk position despite the rate of technology and threat landscape change prevalent in modern enterprises.
Leading and lagging indicators provide insights into current and future risk posture by measuring the performance of operational security capabilities and security improvement programs and predicting changes that can guide prioritisation and investment decisions.
By normalising and mapping data from multiple controls frameworks, baselines and higher-level standards, guidelines and best practices, objective, consistent and actionable information is made available to business stakeholders, from board risk committees and executive leadership teams to security governance forums (service owners and control owners) and business unit executives.
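As an added illustration (not part of the original text), the following Python sketch shows what one normalised, machine-readable control definition with an automated effectiveness test, a KRI threshold, framework mappings and a retained evidence record could look like. The control id, the sample account inventory and the schema itself are constructed assumptions; the framework clause ids are illustrative and should be verified against the catalogue you map to.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed sample inventory (illustrative only): privileged accounts and MFA status.
PRIVILEGED_ACCOUNTS = [
    {"user": "alice", "mfa": True},
    {"user": "bob", "mfa": True},
    {"user": "carol", "mfa": False},
    {"user": "dave", "mfa": True},
]

@dataclass
class Control:
    """Normalised, machine-readable control definition (schema is an assumption)."""
    control_id: str
    objective: str
    mappings: dict                  # framework name -> clause id in that catalogue
    kri_threshold: float            # minimum coverage before the indicator turns red
    test: Callable[[list], float]   # effectiveness test returning coverage in [0, 1]

def mfa_coverage(accounts):
    # KPI: share of privileged accounts with MFA enforced.
    return sum(1 for a in accounts if a["mfa"]) / len(accounts)

def run_control(control, data):
    """Execute one effectiveness test and return a retainable evidence record."""
    measured = control.test(data)
    snapshot = json.dumps(data, sort_keys=True).encode()
    return {
        "control_id": control.control_id,
        "mappings": control.mappings,
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "measured": round(measured, 4),
        "threshold": control.kri_threshold,
        "effective": measured >= control.kri_threshold,
        # Hash of the exact input lets the conclusion be substantiated later.
        "evidence_sha256": hashlib.sha256(snapshot).hexdigest(),
    }

PRIV_MFA = Control(
    control_id="IAM-02",  # hypothetical internal control id
    objective="All privileged accounts enforce MFA",
    mappings={"CIS-Controls": "6.5", "NIST-CSF": "PR.AA-03"},  # illustrative clause ids
    kri_threshold=0.95,
    test=mfa_coverage,
)
```

Running `run_control(PRIV_MFA, PRIVILEGED_ACCOUNTS)` yields a record that reports 75% coverage against a 95% threshold, flags the control as not effective, and carries the hash of the tested data as evidence.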