Does the capability have a formal process for escalating risks it cannot treat?
Has the capability assessed supply chain risks at every stage in the lifecycle?
Has the capability created and maintained a comprehensive asset list?
Do the assets include conceptual as well as physical assets?
Has the capability been given a clear scope for decision making set by the risk owner?
Is the capability scope agreed with other capabilities in your environment (i.e. dependent capabilities and those that work alongside)?
Has the capability identified the classifications that will be stored, processed or transmitted?
Has the capability identified information types that will be stored, processed or transmitted?
Has the capability agreed the information types with the risk owners?