Which activity periodically verifies the implementation and operation of security controls?

Master the CISSP Domain 7 Compliance Maintenance Test. Enhance your cybersecurity skills with comprehensive questions and detailed explanations. Prepare for your exam effectively!

The activity that periodically verifies the implementation and operation of security controls is best described as an audit. An audit is a systematic examination of an organization's security controls, policies, and procedures to determine their effectiveness and compliance with established standards or regulations. Audits can be internal or external and typically involve a review of documentation, interviews with personnel, and testing of controls to ensure they are functioning as intended.

While assessment and validation are related concepts, they do not capture the periodic and formal nature of verification that audits embody. Assessments may focus on evaluating the overall security posture or identifying vulnerabilities, but they don’t necessarily provide the structured framework of verification that audits do. Validation, on the other hand, often refers to the process of confirming that specific requirements or conditions have been met but does not inherently include the periodic review aspect associated with audits. Monitoring involves ongoing observation of security controls but does not always include the detailed and structured evaluation that audits provide.
