Business requirements documentation for new systems or enhancements to existing systems must
contain the requirements for security controls. Security vulnerabilities must be recognised from the outset
through undertaking a risk assessment and the security requirements must be developed alongside the
functional requirements.