Control: The organisation develops, monitors, and reports on the results of information security measures of performance.
Information Security Measures of Performance Supplemental Guidance:
Measures of performance are outcome-based metrics used by an organisation to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program.