Reasoning for metrics requirements is often justified by data integrity protection. Faults can not be detected, if an attacker can hide it's existense.
The metrics requirements in this subclause support security monitoring, operational visibility, fault detection, and verification of system behaviour.
Fulfilment of these metrics is essential for all products in all use cases and all risk levels.
Breaches can not be detected, if an attacker can hide it's existense.
These requirements are generally binding, and there is no low-medium-high tiering available.
