12.2.1 Specify risk-based informati

12.2.1 Specify risk-based information security requirements and a security concept of operations.
12.2.2 Develop policies, processes, and procedures for identifying, assessing, and mitigating risks to information assets, personnel, facilities, and equipment.
12.2.3 Develop processes and procedures for determining the costs and benefits of risk mitigation strategies.