Definition: Any need, stated in a standardized language, that an information system must satisfy through IT Security that contributes to achieving a business need for security. (ITSG-33/HTRA) Note: This is part of SA&A process. (ITSG-33)