Stakeholders will be given the opportunity to voice their needs and have it formally documented. A clear recorded security requirement is more effective because:

• Unambiguous.
• Eliminating false interpretation of the requirement.
• The priority level is practically set.
• Favouring urgent requirements.
• Linked to a business objective.
• Validating value to the organisation.
• Assigned Owner.
• Associate requirements with sponsors.
• Linked to other requirements.
• Eliminate duplication.
• Formal acceptance based on a predefined acceptance criterion.
• Avoid unexpected surprises.

When utilizing the above features, an informed decision can be reached on whether a security requirement is necessary to implement. Selected security requirement can be formally accepted based on a predefined acceptance criterion and can be traced to a business objective.

Without a formal process governing requirements, organisation risk is unlikely to be mitigated.