The CISO decides to document all critical risk assumptions and boundaries before analysis. What step is this aligned with in ISO 27005?