Which document identifies Continuous Monitoring in relation to information security?


NIST Special Publication 800-137, titled "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations," is dedicated specifically to the concept of continuous monitoring in the realm of information security. This document outlines a structured approach for organizations to monitor their security controls and overall information security posture on an ongoing basis. Continuous monitoring is essential for maintaining the security of information systems, as it helps organizations to identify and respond to security incidents swiftly, ensure compliance with relevant standards, and provide visibility into the security status of their systems.

By describing the necessary elements for establishing an effective continuous monitoring strategy, including the selection of security metrics, assessment processes, and the integration of monitoring into the organization’s risk management framework, NIST 800-137 provides the foundational guidelines that organizations rely on to implement and manage continuous monitoring effectively. This focus on ongoing assessment helps organizations stay ahead of emerging threats and vulnerabilities in a rapidly changing technological landscape.

In contrast, the other documents mentioned address different aspects of information security and risk management. For instance, NIST 800-39 emphasizes the risk management framework, OMB Circular A-123 relates to internal controls for federal agencies, and NIST 800-60 focuses on the categorization of information and information systems.
