The purpose of this memo is to document the assumptions and decision criteria used in scoping the documentation efforts around network security.

In this sample, management classified network security as a medium-risk process. As a medium-risk process, organizations must create a narrative describing at a task level each step performed in the process. They must also identify the project-related risks within the process and document the controls that mitigate the identified risks. An assessment of the mitigating controls must be performed to determine if the control environment as a whole, in relation to the relevant assertions, is designed effectively.