The objective of this last step is to (1) assess the efficacy of the implemented controls and the overall management of information security against the organization's target profile, which, as mentioned earlier, defines the organization's risk target, and (2) provide internal and external stakeholders with the assurances they need about the due care[84] provided by the organization's information protection program.

[84] Due care is defined here as the care that an ordinarily reasonable and prudent person would use under the same or similar circumstances. See the definition in Appendix C. Also called ordinary care or reasonable care.