According to the CRISC Review Manual (Digital Version), the main reason to continuously monitor IT-related risk is to ensure risk levels are within acceptable limits of the organization’srisk appetite and risk tolerance. The risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives, while the risk tolerance is the acceptable variation in outcomes related to specific performance measures linked to objectives. Continuous monitoring is a process that tracks the security state of an information system on an ongoing basis and maintains the security authorization for the system over time. Continuous monitoring helps to:
Provide ongoing assurance that the implemented security controls are operating effectively and efficiently
Detect changes in the risk profile of the information system and the environment of operation
Identify new or emerging threats and vulnerabilities that may affect the information system
Support risk-based decisions by providing timely and relevant risk information to stakeholders
Facilitate the implementation of corrective actions and risk mitigation strategies
Promote accountability and transparency in the risk management process
Enhance the security awareness and culture within the organization
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 213-2141