How does the Information System Continuous Monitoring (ISCM) strategy support the mission/business processes approach to risk management?

Prepare for the Anti-Terrorism Officer Level II Training Test. Challenge yourself with flashcards and multiple choice questions, each with helpful hints and explanations. Get exam-ready now!

The Information System Continuous Monitoring (ISCM) strategy supports the mission/business processes approach to risk management primarily by emphasizing the importance of regular and systematic assessments of controls. This approach ensures that organizations remain vigilant regarding security risks and the effectiveness of controls over time.

Focusing on the minimum frequency of control assessments allows organizations to adjust their security posture based on the evolving threat landscape, operational changes, and emerging vulnerabilities. This continuous assessment helps identify weaknesses promptly, enabling timely remediation and fostering a proactive rather than reactive approach to risk management. As a result, the ISCM strategy aligns closely with the mission/business processes by ensuring that the measures in place to protect sensitive information and assets are current, relevant, and effective.

The other choices do not directly relate to the continuous monitoring aspect of risk management in the context of ISCM. Employee training protocols, physical security measures, and annual external audits contribute to an overall security strategy but do not encapsulate the critical ongoing aspect of ISCM, which is centered on the continuous assessment and adjustment of controls.