Provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of 9.1 of ISO/IEC 27001:2013 (published in South Africa as an identical adoption under the designation SANS 27001:2015).