WEBNIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, describes three key organization-wide ISCM activities: monitoring for effectiveness, monitoring for changes to systems and environments of operation, and monitoring for compliance.