Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.4.2. Compliance Monitoring

💡 First Principle: Monitoring compliance continuously is more effective than periodic audits alone. Continuous compliance reduces the time between a control failure and its detection, minimizing the window of non-compliance. Think of it as the difference between annual health checkups and continuous vital signs monitoring.

Due diligence — ongoing investigation to ensure the organization understands and meets its obligations. It includes regular reviews of applicable regulations, contractual requirements, industry standards, and emerging compliance requirements. Due diligence answers the question: "what are we supposed to be doing?"

Due care — implementing reasonable security measures based on known risks and requirements. Due diligence is about knowing what's needed; due care is about doing what's needed. Both are legally important — failure in either can establish negligence in legal proceedings. An organization that performs risk assessments (due diligence) but doesn't implement the recommended controls (fails due care) has documentation of its own negligence.

Attestation — formal statements from authorized individuals or organizations that controls exist and function as described. Attestation can be internal (management asserting controls are in place) or external (auditor attesting to control effectiveness). SOC 2 Type II reports are a common form of external attestation.

Acknowledgment — documented confirmation that individuals understand and accept their compliance responsibilities (e.g., employees signing acceptable use policies, managers acknowledging data handling requirements). Acknowledgment creates individual accountability and provides evidence in case of violations.

Internal and external monitoring — internal monitoring uses security tools, configuration scans, access reviews, and policy compliance checks. External monitoring uses third-party assessments, vulnerability scans, security rating services, and regulatory examinations.

Automation in compliance — tools that continuously assess compliance against regulatory frameworks, automatically generating reports and flagging deviations. Automated compliance reduces manual effort and catches drift faster than periodic manual reviews.
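To make the first principle above and the automated deviation-flagging described here concrete, the following is an added Python example (not code from the page or from MindMesh Academy). It compares an observed configuration against a constructed baseline of hypothetical control names, and computes how long a failed control goes undetected under an annual audit versus 15-minute automated polling; the control names, dates and intervals are assumptions chosen for illustration.

```python
import math
from datetime import datetime, timedelta

# Constructed baseline of required control states (hypothetical control names,
# not taken from any specific framework). "eq" = must equal, "ge" = at least.
BASELINE = {
    "mfa_required": ("eq", True),
    "ssh_password_auth": ("eq", False),
    "log_retention_days": ("ge", 365),
}

def check_compliance(observed: dict) -> list[tuple[str, str]]:
    """Compare an observed configuration against BASELINE and return
    (control, reason) findings; an empty list means fully compliant."""
    findings = []
    for control, (op, required) in BASELINE.items():
        if control not in observed:
            findings.append((control, "not reported"))  # unknown state is a deviation
            continue
        actual = observed[control]
        ok = actual == required if op == "eq" else actual >= required
        if not ok:
            findings.append((control, f"expected {op} {required!r}, got {actual!r}"))
    return findings

def time_to_detect(failed_at: datetime, last_check: datetime,
                   interval: timedelta) -> timedelta:
    """Delay between a control failing and the next scheduled check that would
    catch it, given checks every `interval` counted from `last_check`."""
    elapsed = failed_at - last_check
    n = max(math.ceil(elapsed / interval), 0)  # intervals until the next check
    return last_check + n * interval - failed_at

def example_delays() -> tuple[float, float]:
    """Seconds of undetected non-compliance for one constructed failure:
    annual audit (last run 2026-01-01) versus 15-minute automated polling."""
    failed = datetime(2026, 3, 10, 14, 7)
    last_audit = datetime(2026, 1, 1)
    annual = time_to_detect(failed, last_audit, timedelta(days=365))
    polling = time_to_detect(failed, last_audit, timedelta(minutes=15))
    return annual.total_seconds(), polling.total_seconds()

if __name__ == "__main__":
    # Constructed snapshot: password SSH logins were re-enabled by config drift.
    snapshot = {"mfa_required": True, "ssh_password_auth": True, "log_retention_days": 400}
    for control, reason in check_compliance(snapshot):
        print(f"DEVIATION {control}: {reason}")
    annual, polling = example_delays()
    print(f"annual audit: {annual / 86400:.1f} days undetected; "
          f"15-min polling: {polling / 60:.0f} minutes undetected")
```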

āš ļø Exam Trap: Due diligence = knowing what should be done (research, assessment). Due care = actually doing it (implementing controls). An organization that knows about a vulnerability (due diligence) but doesn't patch it (fails due care) is negligent.

Written by Alvin Varughese, Founder, 15 professional certifications