Apply security concepts that mitigate organization-specific risk and explain their effectiveness.
Examples: business impact analysis, risk identification process, risk calculation, communication of risk factors, risk prioritization, systems assessment, documented compensating controls, training and exercises, supply chain assessment
