Understand Your Enterprise Requirements
Have a clear vision on the context of the enterprise and the various internal and external factors that can influence your normal operations.
Based on the understanding of your business, but more important, the surrounding context, a management decision should be taken against your risk appetite and a clear definition of what risk levels you are prepared to accept.
Sufficient information should be available to understand what your organization does and who in your organization is responsible for what. Don’t forget that external partners, like subcontractors, can have an influence on your cyber security.