Has the lifecycle for each information type been identified throughout the life of the capability?
Has the capability used information journeys to identify risks?
Has the capability set up the management of cyber risks by using a formal framework?
Has the capability developed a risk appetite tailored for its intended use?
Has the capability used its risk appetite to make informed risk decisions, in line with NCSC guidance?
Has the capability done a comprehensive risk assessment?
Has the capability used its risk assessment to prioritise its most significant risks?
Has the capability evidenced that risks outside of appetite have been escalated?
Has the capability developed overall risks that include cyber security risks?
Has the capability received formal acceptance for any transferred risks?