Customization
- Organizations might also apply specific configuration standards to high-value assets. This may mean requiring more stringent controls on certain systems and data elements, based on the sensitivity of the data or the criticality of the system to business operations.
Any customization that organizations make to security standards should refer to clear security and/or business requirements. These deviations should include descriptions of the impact the change will have on:
- the confidentiality, integrity and/or availability of systems and information
- compliance with other security requirements.
Documentation
- Organizations often modify industry baselines to develop their own security standards, tailoring the baseline to meet the organization's specific needs.
Referencing
- To document these changes, write a security standard that references the original (source) standard,