---
layout: handbook-page-toc
title: "RM.1.02 - Continuous Monitoring Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# RM.1.02 - Continuous Monitoring

## Control Statement

The design and operating effectiveness of internal controls are continuously evaluated against the established controls framework by GitLab. Corrective actions related to identified deficiencies are tracked to resolution.

## Context

GitLab's controls aim to protect the confidentiality, integrity, and availability of customer, GitLab team-member, and partner data and the service provided to them. To ensure the controls remain current and relevant, and they're both being used in the way they were intended and have the expected impact, they should be regularly evaluated and improved when necessary.

## Scope

This control applies to all controls in the GitLab Control Framework (GCF).

## Ownership

* Control Owner: `Security Compliance`
* Process owner(s):
    * Security Compliance: `100%` 

## Guidance

The design and operating effectiveness of GCF controls can be evaluated as part of a gap analysis. A gap analysis can identify areas where the design of a control is insufficient to satisfy the control objectives and any findings can be preliminarily validated through control testing. [Further control testing](/handbook/engineering/security/guidance/RM.2.01_internal_audits.html) may then be performed by the Internal Audit team. This control can be tested by verifying the documented gap analysis process is used and that a gap analysis was performed.

## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuous Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/867).

Examples of evidence an auditor might request to satisfy this control:

* A documented process to test the design and operating effectiveness of internal controls through a gap analysis
* The gap analysis project description or formal project charter
* Sample issue boards used in the gap analysis project
* Sample gap analysis issues

### Policy Reference

* [Security Compliance Gap Analysis](https://about.gitlab.com/handbook/engineering/security/compliance.html#gap-analysis)

## Framework Mapping

* ISO
  * A.12.7.1
  * A.18.2.2
  * A.18.2.3
* SOC2 CC
  * CC1.2
  * CC3.2
  * CC3.4
  * CC4.1
  * CC4.2
  * CC5.1
  * CC5.2