year at least the policy and indicated the concerned risks, arrangement the importance of information and computer system, specify the acceptable level of risk and specify measure or practice for risk