The scope of overall IT control assurance is usually determined from critical business and IT processes, which are prioritised based on risk and prior experience in reviewing the controls through audits, self-assessments and control breakdowns. For the purposes of example, one can assume the organisation has determined a scope of annual control assurance based on the controls in figure 2. below:
Of these controls, the priorities for implementation of CCM should be based on risk ratings/return on investment (ROI) (such as value to the organisation) and ease of implementation (such as having readily available data from systems and controls that already have an aspect of monitoring and reporting).
In the figure 2 example, the high-profile controls highlighted by the internal audit function have been assessed against data availability and existing monitoring or metrics. Controls highlighted in green are candidates for continuous control monitoring (red indicates a roadblock that may preclude a control from being considered). The priority or suitability of controls for continuous monitoring also needs to consider the relationships among controls. For example, configuration and vulnerability management rely on asset management, which may be deficient and not suitable for inclusion in the scope of assurance. In such a case, the controls that depend on it may not be suitable for continuous monitoring.