Which statement best describes ISCM?


Multiple Choice

Which statement best describes ISCM?

Explanation:
ISCM is about establishing a plan for ongoing oversight of security controls and then continuously monitoring those controls to manage risk. It begins by defining an ISCM strategy—deciding which systems to cover, which controls to monitor, what data to collect, how often to assess, and how results will be measured and acted upon. With that plan, you implement continuous monitoring—gathering evidence from logs, scans, configurations, and test results, using dashboards and reports to spot changes, weaknesses, or new threats so you can adjust controls or authorization status as needed. That makes sense here because the essence of ISCM is the combination of a defined monitoring strategy and the ongoing assessment of security controls. It isn’t about monitoring being unrelated, and it isn’t limited to physical security. It also doesn’t ignore training and awareness, since those elements can be part of the security controls being monitored and improved within the ISCM program.

