1. **Identify and assess** the organization's security and privacy objectives, risks, and obligations.
2. **Select and implement** the security and privacy controls that meet organizational needs. Consider the controls that can be taken from frameworks such as ISO/IEC 27001 and [[NIST SP 800-53]].
3. **Test, monitor, and evaluate** the performance and effectiveness of the security and privacy controls.
4. **Review and update** the security and privacy controls as needed.

ISO/IEC 27001 details the requirements for establishing, implementing, and maintaining an information security management system (ISMS).

**Risk Register**: A document listing the risks identified in a system or organization and the controls or actions that have been implemented or planned to mitigate them.

The purpose of **configuration status accounting** is to report the current and historical information about the configuration items and their changes.