When the control targets are outlined, organizations will need to determine criteria for each objective. These criteria define the specific requirements that must be satisfied to attain the Command goals. The RSI security blog site breaks down the ways in some depth, but the process in essence goes like this: https://newswiresinsider.com/nathan-labs-advisory-empowering-cyber-security-with-aramco-certification-in-saudi-arabia/