Without regular reviews, your security monitoring becomes outdated and misses real attacks. A Delhi-based e-commerce startup discovered a data breach 6 months after it happened because their monitoring system was never updated after adding new servers—they lost customer trust and faced RBI questions about compliance. Attackers change tactics constantly, and systems evolve; if you're not reviewing what you're monitoring, blind spots grow. Auditors and customers increasingly ask for proof of this review during vendor assessments, and you may fail compliance checks if you can't show documentation.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no documented security monitoring in place, or no record of ever reviewing it. Your IT person (if you have one) watches systems ad hoc without any formal process or documented findings.
- Initial: You have basic monitoring tools running (antivirus, firewall logs), but you've never formally documented a review of whether they're adequate or working correctly. No one has written down what was checked or what needs improvement.
- Developing: You performed one informal review of monitoring tools (checking logs, antivirus status) sometime in the past 12 months, but there's no documented checklist of what was evaluated or what was decided for improvement. The review was reactive, not planned.
- Defined: You have a documented annual review schedule for monitoring systems, and you completed one review in the past 12 months with a written report covering what tools are in place, what they monitor, and what gaps were found. Some gaps have action items assigned.
- Managed: You perform quarterly or semi-annual documented reviews of monitoring tools and detection rules, with formal sign-off by management. You track metrics (alerts, response times, coverage), identify gaps against the current threat landscape, and update tools and rules based on findings.
- Optimised: You conduct quarterly reviews with documented evidence of testing detection rules, tuning false positives, benchmarking against industry threats, and demonstrating that monitoring covers all critical assets. Reviews are integrated into your overall risk management cycle with C-level visibility and continuous improvement.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Document what monitoring tools and processes you currently have (firewall logs, antivirus, email filters, etc.). List them in a simple spreadsheet with what each one watches for. | IT manager or IT-knowledgeable business owner | 1 day |
| 1 → 2 | Conduct an informal walk-through of monitoring tools (check if logs are being stored, if antivirus is running, if any alerts exist). Note down what is working and what is not. Write a brief summary (2-3 pages) of findings. | IT manager | 3-5 days |
| 2 → 3 | Create a formal 'Monitoring Review Checklist' covering: coverage (what systems are monitored), tool functionality, log retention, alert response time, and gaps. Schedule a quarterly review date. Document the review with the checklist, findings, and action items assigned to owners with deadlines. | IT manager with sign-off from business owner or operations head | 2-3 weeks |
| 3 → 4 | Implement quarterly reviews with metrics tracking: number of alerts per tool, response times, false positive rates, and coverage of critical assets. Use a simple dashboard or tracking sheet. Test one detection rule per quarter to ensure it's working. Document all findings with management sign-off. | IT manager, with input from security consultant if available | 1-2 months (to set up) then 1 day per quarter |
| 4 → 5 | Integrate monitoring reviews into a formal risk management cycle. Review monitoring effectiveness against recent threat intelligence, update detection rules based on new attack patterns, conduct tabletop exercises quarterly to test response, and present findings to board/senior management. Document improvement initiatives and track closure. | IT manager or Chief Information Officer, with input from external security advisor | Ongoing (1-2 days per quarter plus continuous monitoring) |
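An added example (not from the original page) of what the 3 → 4 metrics tracking and the critical-asset coverage check can look like as a script instead of a spreadsheet; the asset inventory, the alert log and the field names are constructed assumptions:

```python
"""Added example (not from the page): quarterly monitoring-review metrics.

Computes the 3 -> 4 step's metrics (alerts per tool, triage time, false-positive
rate, critical-asset coverage) from a constructed asset inventory and alert log,
and flags critical assets nobody onboarded to monitoring. Field names are assumptions.
"""
from collections import defaultdict
from statistics import mean

TOOLS = ["firewall", "edr", "av", "email_filter"]

# Constructed inventory: which tools are expected to watch each host.
ASSETS = [
    {"host": "web-01", "critical": True, "monitored_by": {"firewall", "edr"}},
    {"host": "db-01", "critical": True, "monitored_by": {"firewall", "edr"}},
    {"host": "web-02", "critical": True, "monitored_by": set()},  # added, never onboarded
    {"host": "print-01", "critical": False, "monitored_by": {"av"}},
]

# Constructed alert log for one quarter: minutes to triage and analyst verdict.
ALERTS = [
    {"tool": "firewall", "host": "web-01", "triage_min": 30, "verdict": "true_positive"},
    {"tool": "firewall", "host": "db-01", "triage_min": 90, "verdict": "false_positive"},
    {"tool": "edr", "host": "web-01", "triage_min": 15, "verdict": "true_positive"},
    {"tool": "av", "host": "print-01", "triage_min": 240, "verdict": "false_positive"},
    {"tool": "av", "host": "print-01", "triage_min": 60, "verdict": "false_positive"},
]


def review_metrics(assets, tools, alerts):
    """Return per-tool metrics plus the coverage gaps a reviewer should action."""
    per_tool = defaultdict(list)
    for a in alerts:
        per_tool[a["tool"]].append(a)
    per_tool_metrics = {}
    for t in tools:
        rows = per_tool.get(t, [])
        fps = sum(1 for r in rows if r["verdict"] == "false_positive")
        per_tool_metrics[t] = {
            "alerts": len(rows),
            "mean_triage_min": mean([r["triage_min"] for r in rows]) if rows else None,
            "false_positive_rate": fps / len(rows) if rows else None,
        }
    critical = [a for a in assets if a["critical"]]
    uncovered = sorted(a["host"] for a in critical if not a["monitored_by"])
    coverage = (len(critical) - len(uncovered)) / len(critical) if critical else 1.0
    # A tool with zero alerts all quarter is not proof it works: test one of its rules.
    silent = [t for t in tools if not per_tool.get(t)]
    return {"per_tool": per_tool_metrics, "critical_coverage": coverage,
            "uncovered_critical": uncovered, "silent_tools": silent}
```

Run it over your real inventory export and alert log each quarter; the `uncovered_critical` and `silent_tools` lists are the items to turn into action items with owners and deadlines.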
Documents and records that prove your maturity level.
- Documented Monitoring Review Checklist or template, signed and dated within the past 12 months
- Written review report or summary (even 1-2 pages) dated within the past 12 months, listing what was checked, what was found, and what needs improvement
- List of monitoring tools and systems in place (e.g., antivirus, firewall, email filter, intrusion detection), with dates they were last verified
- Action items log showing gaps identified in the review and their status (open, in progress, closed) with owner names and target dates
- Evidence of at least one review meeting (email, meeting minutes, or sign-off sheet) showing that monitoring was discussed with management or IT team in the past 12 months
Prepare for these questions from customers or third-party reviewers.
- "When was your most recent review of monitoring and detection systems, and do you have documented evidence of that review?"
- "What specific gaps or issues were identified in your last review, and what actions are being taken to address them?"
- "How do you ensure that your monitoring tools remain relevant as your business and threats evolve? Walk me through your review process."
- "Can you show me a list of all systems and assets you are currently monitoring, and confirm that this list was reviewed and updated in the past 12 months?"
- "What monitoring metrics or KPIs do you track (e.g., alert response time, false positive rate, coverage), and how do you use these to assess the effectiveness of your monitoring?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Centralized log collection and monitoring (especially for servers, firewalls, and network devices) | Splunk Free (500 MB/day indexing limit, suitable for small businesses); ELK Stack (Elasticsearch, Logstash, Kibana—open-source, requires technical setup) | Splunk Enterprise (~INR 5,00,000/year for small deployment); Datadog (~INR 1,50,000+/year); Wazuh Cloud (~INR 50,000-2,00,000/year depending on agents) |
| Security Information and Event Management (SIEM) to correlate events and alert on suspicious activity | OSSIM (Open Source Security Information Management); Wazuh open-source (self-hosted) | Microsoft Sentinel (~INR 2,000-5,000/month for small deployment); Splunk (Enterprise); IBM QRadar (~INR 20,00,000+/year, enterprise-scale) |
| Network and endpoint monitoring (detecting intrusions, malware, suspicious connections) | Zeek (formerly Bro)—network monitoring; Osquery—endpoint visibility (open-source, requires setup) | CrowdStrike Falcon (~INR 3,00,000-5,00,000/year for 50 endpoints); Fortinet FortiEDR (~INR 2,00,000+/year); Palo Alto Networks Cortex XDR (~INR 2,50,000-4,00,000/year) |
| Firewall and network activity logs (basic network monitoring for smaller businesses) | PfSense (open-source firewall with built-in logging); Suricata (open-source intrusion detection) | Fortinet FortiGate (~INR 1,00,000-3,00,000 one-time + yearly maintenance); Cisco ASA or Meraki (varies, typically INR 3,00,000+/year) |
| Simple security event log review and alert generation (suitable for MSMEs with limited IT staff) | Windows Event Log (built into Windows Server); syslog (built into Linux servers); Google Alerts for threat intelligence | Qualys VMDR (~INR 2,00,000-5,00,000/year); Rapid7 InsightIDR (~INR 3,00,000+/year) |
- Only reviewing when something breaks: Indian MSMEs often skip formal reviews and only look at monitoring after a breach or IT crisis. This is too late—you've already lost visibility and control. Plan quarterly reviews regardless of incidents.
- Buying fancy tools and not actually using them: Many small businesses purchase SIEM or monitoring software but don't integrate it into daily operations or review its outputs regularly. A tool collecting data but not being analyzed is useless. Focus on reviewing what you already have before buying new tools.
- Confusing 'monitoring running' with 'monitoring reviewed': Just because your antivirus is on or your firewall is logging does not mean your monitoring is adequate. You must actively evaluate whether it's catching the right things, whether it's properly tuned, and whether coverage matches your critical assets.
- No documentation of reviews: Verbal discussions or ad-hoc checks don't count as formal reviews for compliance. Always document what was reviewed, findings, and actions—even if it's a simple one-page summary dated and signed. Auditors and customers will ask to see this.
- Review without action: Identifying gaps in your monitoring review is pointless if you don't assign owners and deadlines to fix them. Link review findings to actual improvements in tools, rules, or staffing within a defined timeframe.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2) and Schedule 2—Organizations must implement and maintain security measures including monitoring and periodic review; Section 6(2)(b) requires reasonable security practices and grievance redressal. |
| CERT-In 2022 | Indian Computer Emergency Response Team advisory on vulnerability disclosure and incident reporting; regular monitoring is a prerequisite for timely incident detection and mandatory reporting to CERT-In within 6 hours for critical incidents. |
| ISO 27001:2022 | Annex A.8.16 (Monitoring, measurement, analysis and evaluation); A.8.15 (Access control and authentication); A.8.23 (Information security incident management). Clause 9.1 requires monitoring and measurement of information security performance. |
| NIST CSF 2.0 | Detect (DE) function—specifically DE.AE (Anomalies and Events), DE.CM (Monitoring Activities), and DE.DP (Detection Processes). Core practice DE.AE-1 requires establishing and maintaining network and physical monitoring. |