The adequacy of the processes will depend on the security controls identified by the company as necessary, based on the risk assessment results and the identification of applicable legal requirements (e.g., laws, regulations, or contracts).
For example, if the results of the risk assessment indicate the need for backup copies, the organization's processes must be adjusted to consider the time required to carry out the backup copies, as well as the places where to store these copies.
Another example would involve the need to manipulate information according to its classification. Certain processes must be suitable so that no information is left apparent if the user is not in their work area.
For further information, see: