A Recognised Body should have a comprehensive physical and information security policy, standards, practices and controls to identify, assess and manage security threats and vulnerabilities and to protect data from loss and leakage, unauthorised access and other processing risks.