Evaluation includes the following activities:
* Verifying compliance with the security policy and implementation of security plans
* Performing security audits on IT systems
* Undertaking the security aspects of other IT audits
The overall security system is monitored by evaluating its efficiency, and the results are documented in reports that include notes and, in particular, recommendations.
There are four forms of evaluation:
* Self-assessments: primarily implemented by the line organization of the processes
* Security Checks System
* Internal audits: undertaken by internal IT auditors
* External audits: undertaken by external IT auditors
(It is preferable that security auditors and auditors of security management processes work separately.)