The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.