Has a clear capability mission been formally agreed by the customer?
Has the customer defined and agreed the key user requirements?
Have cyber risks been developed to include business impacts?
Is the capability managing development risks together with operational use risks (consistently through CADMID)
Has the capability identified the accountable risk owners?
Has the leadership team of the capability defined their individual roles with respect to cyber security?
Have stakeholders (including legal, regulatory, risk, commercial etc) agreed their responsibilities for delivering the capability securely?
Has the customer been involved in conversations on cyber risks and their impact on cost, capability and delivery?
Have cyber risk treatments been funded?