MOD: The project/programme/capability can demonstrate that it is capturing risks, even when no solution has yet been determined.

MOD: The business case (refer to glossary) options for delivering the capability include a documented consideration of the cyber threats.

MOD: The project/programme/capability can demonstrate it has considered secure engineering principles (refer to glossary) to deliver appropriate cyber resiliency.

MOD: The enterprise architecture (see glossary) has been captured diagramatically, reflects the dependencies, and has been used to inform the security aspects of the design.

MOD:-

MOD: If required, the project/programme/capability has identified and documented a transition plan between current and future cyber security architecture (answer Yes, if not required)

MOD: The user requirements contain cyber security objectives that have been derived from unacceptable losses (refer to glossary).

MOD: The project/programme/capability has change management processes in place, and can demonstrate that they incorporate cyber security.

MOD: The project/programme/capability has identified the parties responsible for achieving the cyber security requirements (see glossary).