The organization must operate, maintain, and continuously develop a security management system.
The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.
The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:
Documented information on the execution and results of audits must be kept.
The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.
The organisation has defined:
Effective metrics should be usable for identifying weaknesses, targeting resources better, and assessing the organisation's success or failure in cyber security.