Defining and updating IT security requirements (policies, standards, baselines), Measuring, monitoring, and reporting on IT compliance with security requirements, Identification and assessment of IT risks as well as monitoring of IT risks treatment,...