Define risks and assign them to critical assets

Define controls and assign them to risks or to regulatory requirements

Track completion of controls, risk exposure, and degree of compliance