Controls are your cybersecurity & data privacy program
A control is the power to influence or direct behaviors and the course of events.

Too Long; Didn’t Read (TL;DR) – There is an alternative to a point-in-time assessment that reflects the realities of continuous change within organizations. This approach utilizes an incremental assessment methodology, similar in concept to how incremental backups augment a full backup to provide an efficient way to ensure data is protected. This enables an organization to adopt a monthly, quarterly or annual assessment cadence that focuses on change. This model helps demonstrate an organization’s commitment to managing its ongoing compliance requirements. 

Continuous Compliance = Continuous Incremental Conformity Assessment (CICA)

The concept of “continuous compliance” is a misnomer: it rests on the false assumption that automation without human oversight provides assurance of conformity. While it is possible to automatically pull and compare configurations against defined baselines, monitor system performance, and/or demonstrate adherence to certain technical requirements, those checks generate evidence artifacts; they do not, by themselves, demonstrate conformity on a broader scale. Because these automated checks run on a cadence rather than without interruption, the result is an “incremental” approach rather than a “continuous” one.

Just as not every control carries the same weight from a risk perspective, not every control changes in real-time, so organizations need to understand which controls are dynamic (e.g., near real-time, daily, weekly or monthly changes) and which controls are relatively static (e.g., quarterly, semi-annual or annual changes). This understanding can help an organization develop an optimal approach to its Governance, Risk & Compliance (GRC) efforts.

It is possible to implement a Continuous Incremental Conformity Assessment (CICA) process to demonstrate compliance with an organization’s applicable statutory, regulatory and contractual requirements through an ongoing, incremental approach:

Continuous Incremental Conformity Assessment (CICA)

Traditional Assessments Are “Full Backups”

Traditional conformity assessments are akin to performing a “full backup”: creating a full backup is a time-consuming process that goes through everything, and the result only protects data up to that single point-in-time. A traditional assessment follows a similar approach, where:

  • Each control is reviewed in its entirety, regardless of whether anything has changed since the last assessment;
  • The process is comprehensive, time-consuming and resource-intensive; and
  • It produces assurance for a single point-in-time.

Incremental Assessments Are “Incremental Backups”

CICA is akin to performing “incremental backups,” which use an efficient process that captures only what has changed (i.e., the deltas) since the last backup. An incremental assessment follows a similar approach, where:

  • Instead of reassessing each control, CICA focuses on the parts of the environment or control set that have changed since the last full or incremental assessment;
  • The process is efficient, since it is far less time- and resource-intensive than re-reviewing every control; and
  • It produces assurance across a timeframe (e.g., monthly, quarterly or annual increments).

CICA is designed to be tailored to a specific organization to meet its unique People, Processes, Technologies, Data and Facilities (PPTDF), where a Third-Party Assessment Organization (3PAO) and Organization Seeking Assessment (OSA) define the specific:

  • Controls to be assessed as part of incremental reviews; and
  • Cadence of incremental assessments (e.g., monthly, quarterly or annual).

Incremental assessments may focus on reassessing controls that have had:

  • People. Personnel changes that affect the execution of controls;
  • Processes. New/updated procedures that affect how control activities are performed;
  • Technologies. Changes in the technology stack or baseline security configurations;
  • Data. New/updated compliance obligations, including changes in compliance boundaries; and
  • Facilities. New/updated facilities that affect compliance boundaries.

Because each organization’s budget varies, incremental reviews can be performed at different intervals. Organizations with larger budgets that value assurance could perform monthly incremental reviews to identify changes. Organizations with smaller budgets may only be able to perform quarterly or annual incremental reviews.

How CICA Fits Into The Secure Controls Framework Conformity Assessment Program (SCF CAP)

The SCF CAP was designed to enable CICA, since the SCF CAP supports three (3) assessment methods:

  1. Manual Point In Time (MPIT);
  2. Automated Point In Time (APIT); and
  3. Automated Evidence with Human Review (AEHR).

Manual Point In Time (MPIT)

MPIT is a traditional assessment methodology that:

  • Is relevant to a specific point in time (time at which the controls were evaluated); and
  • Relies on the manual review of artifacts to derive a finding.

Automated Point In Time (APIT)

APIT utilizes automation to augment a traditional assessment methodology, where Artificial Intelligence and Autonomous Technologies (AAT) are used to compare the desired state of conformity against the current state via machine-readable configurations and/or assessment evidence. APIT:

  • Is relevant to a specific point in time (time at which the controls were evaluated);
  • In situations where technology cannot evaluate evidence, evidence is manually reviewed; and
  • The combined output of automated and manual reviews of artifacts is used to derive a finding.

Automated Evidence with Human Review (AEHR)

AEHR is used for ongoing, continuous control assessments:

  • AAT continuously evaluates controls by comparing the desired state of conformity versus the current state through machine-readable configurations and/or assessment evidence; and
  • Recurring human reviews:
    • Evaluate the legitimacy of the results from automated control assessments; and
    • Validate the automated evidence review process to derive a finding.

The AEHR assessment methodology applies a CICA approach to an SCF assessment:

  • A point-in-time assessment is performed to establish the baseline conformity with selected controls; and
  • Designated controls that are capable of generating automated evidence of conformity can be evaluated on an ongoing basis (e.g., monthly or quarterly) to demonstrate continuous conformity until the next full assessment (once every 3 years).

The assumption is that, at the tri-annual assessment (i.e., the full assessment conducted once every three years), those automated controls will require minimal scrutiny, based on the historical evidence of conformity during the certification period. This is intended to reduce the financial and labor burden of the tri-annual assessment that re-establishes the conformity baseline. That assumption only holds if the recurring human reviews were actually performed and documented: automated evidence that nobody validated is an artifact, not a finding.

Specific to the SCF CAP:

  • A full assessment (e.g., MPIT or APIT) is conducted to establish the baseline;
  • The Statement of Work (SOW) between the 3PAO and OSA establishes:
    • Controls to be assessed as part of incremental reviews; and
    • Cadence of incremental assessments (e.g., monthly, quarterly or annual).
  • Automated feeds are configured to generate evidence deltas (e.g., vulnerability scans, SIEM reports, GRC tool metrics); and
  • Evidence is collected to “layer” onto prior assessments, with older “unchanged” evidence remaining valid until it expires at the end of the certification period (e.g., the tri-annual certification period).

Benefits of The CICA Approach

The CICA approach has these potential benefits:

  • Efficiency. Reduces wasted effort by avoiding re-review of unchanged controls.
  • Agility. Provides assurance at the cadence of the incremental reviews (approaching near real-time for controls with automated evidence) that the environment remains conformant.
  • Audit Readiness. Maintains an always-current body of evidence, so organizations are prepared for audits at any moment.
  • Risk Responsiveness. Rapidly highlights conformity gaps introduced by changes, preventing risks from lingering undetected until the next full assessment cycle.

Downside of The CICA Approach

The one downside to the CICA approach is the potential cost. The recurring nature of incremental assessments means increased labor costs associated with 3PAOs. However, that cost is offset by the additional assurance gained, so it is up to the OSA to perform a cost/benefit analysis and decide whether the additional assurance is worth the cost.

Example of CICA In Practice

Imagine a company underwent a major Identity & Access Management (IAM) upgrade:

  • Under a traditional, full-assessment model, assessors would re-review all controls within the assessment boundary, even those unrelated to IAM.
  • Under the CICA model, only controls directly and indirectly affected by the IAM upgrade would be flagged for re-assessment. Existing, still-valid conformity evidence for controls unaffected by the IAM upgrade would not require 3PAO review until the next tri-annual assessment.
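The change-scoping and evidence-layering logic described above (the evidence deltas fed from automated sources, the retention of unchanged evidence until it expires, and the IAM-upgrade scenario in which only directly and indirectly affected controls are flagged) can be made concrete in code. The following is an added example written for this page; it is not code from the SCF CAP or from the article's author. The control identifiers, configuration keys, dependency edges, dates and the 3 × 365-day certification window are all constructed assumptions for illustration, not real SCF control IDs or any product's settings.

```python
"""Added example: change-scoped incremental review with evidence retention and expiry.

All control identifiers, configuration keys, dependency edges and dates below are
constructed placeholders, not SCF control IDs or any real system's settings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Constructed: the machine-readable settings each control's evidence is derived from.
# An empty set marks a procedural control with no automatable evidence of its own.
CONTROL_SETTINGS = {
    "CTL-IAM-1": {"idp.mfa_required", "idp.mfa_methods"},
    "CTL-IAM-2": {"idp.session_timeout_min"},
    "CTL-IAM-3": set(),
    "CTL-CFG-1": {"os.ssh.password_auth"},
    "CTL-VPM-1": {"scanner.schedule"},
    "CTL-MON-1": set(),
}
# Constructed: key depends on the controls in its set (drives "indirectly affected").
CONTROL_DEPENDS_ON = {
    "CTL-IAM-3": {"CTL-IAM-1"},
    "CTL-MON-1": {"CTL-IAM-2", "CTL-CFG-1"},
}
CERTIFICATION_PERIOD = timedelta(days=3 * 365)  # assumed: the article's three-year window


@dataclass
class Evidence:
    control: str
    collected: date
    digest: str                   # SHA-256 over the settings the control depends on
    human_reviewed: bool = False  # AEHR: automated evidence is not a finding until reviewed

    def valid_on(self, day: date) -> bool:
        return day <= self.collected + CERTIFICATION_PERIOD


def config_delta(baseline: dict, current: dict) -> set:
    """Settings added, removed or changed between two machine-readable configurations."""
    return {k for k in set(baseline) | set(current) if baseline.get(k) != current.get(k)}


def affected_controls(changed: set) -> tuple:
    """Directly affected: depends on a changed setting. Indirectly: depends on an affected control."""
    direct = {c for c, settings in CONTROL_SETTINGS.items() if settings & changed}
    indirect, frontier = set(), set(direct)
    while frontier:  # transitive closure over the dependency edges
        frontier = {c for c, deps in CONTROL_DEPENDS_ON.items() if deps & frontier} - direct - indirect
        indirect |= frontier
    return direct, indirect


def collect_evidence(control: str, config: dict, day: date) -> Evidence:
    """Snapshot the settings a control depends on into a dated, hashed evidence artifact."""
    subset = {k: config[k] for k in sorted(CONTROL_SETTINGS[control]) if k in config}
    digest = hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()
    return Evidence(control, day, digest)


def incremental_review(baseline: dict, current: dict, store: dict, today: date) -> dict:
    """One CICA increment: re-collect evidence only for affected controls, keep still-valid
    evidence, and surface unchanged controls whose prior evidence expired or was never collected."""
    direct, indirect = affected_controls(config_delta(baseline, current))
    reassess = direct | indirect
    retained, expired, new_store = [], [], dict(store)
    for control in CONTROL_SETTINGS:
        if control in reassess:
            new_store[control] = collect_evidence(control, current, today)
        elif control in store and store[control].valid_on(today):
            retained.append(control)
        else:
            expired.append(control)
    return {"reassess": sorted(reassess), "retained": sorted(retained),
            "expired": sorted(expired), "store": new_store}


def pending_human_review(store: dict) -> list:
    """Controls whose latest evidence has not yet been validated by a human (the AEHR step)."""
    return sorted(c for c, ev in store.items() if not ev.human_reviewed)


# Constructed sample: baseline captured at the full assessment; current state after an IAM
# upgrade that switched MFA methods and shortened sessions, leaving SSH and scanner settings alone.
BASELINE_CONFIG = {"idp.mfa_required": True, "idp.mfa_methods": "totp", "idp.session_timeout_min": 30,
                   "os.ssh.password_auth": False, "scanner.schedule": "weekly"}
CURRENT_CONFIG = {**BASELINE_CONFIG, "idp.mfa_methods": "fido2", "idp.session_timeout_min": 15}
BASELINE_DATE, REVIEW_DATE = date(2024, 1, 15), date(2024, 7, 1)
BASELINE_STORE = {c: collect_evidence(c, BASELINE_CONFIG, BASELINE_DATE) for c in CONTROL_SETTINGS}
BASELINE_STORE["CTL-VPM-1"] = collect_evidence("CTL-VPM-1", BASELINE_CONFIG, date(2021, 3, 1))  # stale carry-over
for ev in BASELINE_STORE.values():
    ev.human_reviewed = True  # the full assessment's findings were human-reviewed


def demo() -> dict:
    """Run one quarterly increment against the constructed sample."""
    return incremental_review(BASELINE_CONFIG, CURRENT_CONFIG, BASELINE_STORE, REVIEW_DATE)


if __name__ == "__main__":
    result = demo()
    for key in ("reassess", "retained", "expired"):
        print(f"{key:>9}: {result[key]}")
    print("  pending human review:", pending_human_review(result["store"]))
```

Running it flags the two IAM controls whose settings changed plus the two controls that depend on them, retains the SSH configuration evidence unchanged, and reports the scanner control as expired even though nothing about it changed, which is the edge case a 3PAO needs surfaced: unchanged is not the same as still covered. The `human_reviewed` flag is deliberately reset on every re-collected artifact, so the automated feed alone never closes a finding.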

Over a period of time, CICA can create a rolling, incremental conformity picture for the organization that is more applicable to real-world operations rather than a singular point-in-time, tri-annual assessment.

Leveraging CICA, the SCF CAP transforms conformity assessment from a static, point-in-time snapshot into a living, regularly updated process, much like how incremental backups keep data protection current without reprocessing everything each time.