Monitoring and measurement

IT Impact Zone
This is a top level control.

This Control has the following implementation support Control(s):
  • Monitor the usage and capacity of critical assets., CC ID: 14825
  • Establish, implement, and maintain Security Control System monitoring and reporting procedures., CC ID: 12506
  • Establish, implement, and maintain Responding to Failures in Security Controls procedures., CC ID: 12514
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658
  • Establish, implement, and maintain a testing program., CC ID: 00654
  • Establish, implement, and maintain a service management monitoring and metrics program., CC ID: 13916
  • Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671
  • Monitor the performance of the governance, risk, and compliance capability., CC ID: 12857
  • Monitor the organizational culture., CC ID: 12782
  • Establish, implement, and maintain a corrective action plan., CC ID: 00675
  • Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary., CC ID: 00676
  • Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis., CC ID: 12330
  • Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis., CC ID: 12329
  • Protect against misusing automated audit tools., CC ID: 04547
  • Provide intelligence support to the organization, as necessary., CC ID: 14020
  • § 7.6: The organization shall determine what measuring and monitoring devices are needed to monitor and measure the product to provide evidence that it conforms to the requirements. The organization shall establish procedures to execute monitoring and measurement in such a way to be consistent with… (§ 7.6, § 8.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization should measure risk management performance; periodically measure risk management progress; periodically review the risk management framework, policy, and plan; report on risk, the risk management plan progress, and the degree to which the risk management policy is being followed; an… (§ 4.5, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • The organization must include the following in the information system continuous monitoring activities: information system component controls; configuration management; on-going security control assessment; security impact analyses of system changes; and status reporting. (CSR 1.9.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)