The Framework sets out a comprehensive set of security requirements for aspects of the organisation and product. A response to each requirement needs to be entered into a Compliance Checklist , with supporting statements or evidence. For requirements deemed “not applicable”, an explanation must be provided as to why. Any alternative countermeasures to reduce any security risk should also be listed. The compliance process breaks down into a number of steps.