1. Compliance
1.1. Create Compliance Project
1.1.1. Inventory
1.1.1.1. Assign Project Leader
1.1.1.2. Select Authoritative Documents
1.1.1.3. Select Assets
1.1.1.3.1. Select Surveys
1.1.1.3.2. Select Response Set
1.1.2. Analysis
1.1.2.1. Send Surveys
1.1.2.2. Verify results
1.1.3. Evaluation
1.1.3.1. Treat or accept compliance gap
1.1.4. Treatment
1.1.4.1. Manage treatment workflow
2. Organization
2.1. Business Components
2.1.1. Business Processes
2.1.1.1. Create Strategic Component
2.1.1.1.1. Identify person responsible
2.1.1.1.2. Determine relevance
2.1.1.1.3. Associate Tactical Component
2.1.2. Information Systems
2.1.2.1. Create Tactical Component
2.1.2.1.1. Identify person responsible
2.1.2.1.2. Determine relevance
2.1.2.1.3. Associate Strategic Component
2.2. Assets
2.2.1. Select Unit Perimeter
2.2.1.1. Create Asset
2.2.1.1.1. Add Component
2.2.1.1.2. Identify Person Responsible
2.2.1.1.3. Associate Rules
2.2.1.1.4. Determine relevance
3. Risk Management
3.1. Create a Risk Project
3.1.1. Inventory
3.1.1.1. Assign Project Leader
3.1.1.2. Select Assets
3.1.1.3. Select Surveys
3.1.2. Analysis
3.1.2.1. Send Surveys
3.1.2.2. Run Scans (optional)
3.1.2.3. Run Collectors (optional)
3.1.2.4. Verify results
3.1.3. Evaluation
3.1.3.1. Treat or accept vulnerability or missing control
3.1.4. Treatment
3.1.4.1. Manage treatment workflow