ABSTRACT
Monitoring and verification ensure the correct functioning of the defined controls; this is the task of the Check phase of the Plan-Do-Check-Act (Deming) cycle introduced in the ISO/IEC 27001 standard. The Check phase can be satisfied using one of several available models, which allow a formal description of the processes that control the proper functioning of the defined controls. An example of such a formal description of measurement development is the detailed model presented in ISO/IEC 27004. The U.S. NIST 800 series [21, 22] presents other standards applied in this area. They respond to the requirement for systematic techniques to obtain quantitative evidence of a system's security performance. Security evidence for security engineering, security management, and external and internal evaluation can be obtained using security metrics, which have become a standard term in IT for metrics depicting the security level, security performance, security indicators, or security strength of IT systems [78, 79].