The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.
Organisation has defined:
Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.