The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.
Data store documentation must include at least: