ELI5: What is Compliance Monitoring?
It’s like a hall monitor who walks around all day making sure kids are following the rules — not just checking once a year. Compliance monitoring keeps an ongoing watch to make sure security controls stay in place between big inspections.
Definition
Compliance monitoring is the ongoing process of checking that security controls remain effective, policies are being followed, and the organization continues to meet regulatory requirements between formal audits. It encompasses log review, configuration scanning, access reviews, and policy exception tracking. Effective compliance monitoring provides early warning of control failures before they become compliance violations or security incidents.
Key Details
- Includes both technical monitoring (SIEM, vulnerability scanners, DLP tools) and administrative monitoring (policy exception tracking, training completion rates)
- User access reviews (recertification campaigns) are a key compliance monitoring activity for access control requirements
- NIST SP 800-137 establishes the Information Security Continuous Monitoring (ISCM) framework for federal systems
- Monitoring results feed into compliance reporting and governance dashboards
- Exam tip: compliance monitoring is ongoing; it bridges the gap between periodic audits and maintains real-time assurance
Connections
- Parent: compliance — ongoing monitoring is essential for sustained compliance
- See also: compliance-automation
- See also: compliance-reporting