The item is defined including its functions and boundaries. Relevant assets, threats and damage scenarios are identified and regularly updated. Cybersecurity risks are analyzed based on impact rating and attack feasibility rating in order to support prioritization for the treatment of risks. The status of risk and the progress of the risk treatment activities is determined. Appropriate treatment is taken to mitigate the impact of risk based on its priority, likelihood, and consequence or other defined risk threshold.
