MOD: The project/programme/capability has identified and described all stages of the information life cycle (refer to glossary) for each information type that is created, transmitted, stored, processed and destroyed by the capability.

MOD: The cyber security requirements to protect data created, transmitted, stored, processed and destroyed have been considered throughout the life of the capability.

MOD: The project/programme/capability is managing cyber risks, through-life, using a formal framework.

MOD: There is a stated risk appetite that sets well-defined boundaries for risk decisions.

MOD: The project/programme/capability risk assessment is suitable to enable risk-based decisions.

MOD: The project/programme/capability has generated and maintain a basic threat assessment for the type of capability to be provided. The Capability Owner maintains this threat assessment.

MOD: The project/programme/capability can demonstrate that it has used its agreed risk appetite to prioritise risks.

MOD: Any risks outside Senior Responsible Owner's (SRO) risk appetite have been escalated.

MOD: Cyber risks are included with all other project risks and prioritised accordingly.

MOD: Any risks impacting on other projects/programmes/capabilities have been communicated to the affected Senior Responsible Owner/Responsible Senior Owner/Capability Owner.