Based on organizational policies, mission or business function requirements, and an assessment of risk, organizations may choose to develop and implement additional (organization-specific) security or privacy controls or control enhancements for their information systems that are beyond the scope of Special Publication 800-53. Such controls are documented in the security plan or privacy plan as controls not found in Special Publication 800-53. To assess the security or privacy controls in this situation, assessors use the guidelines in Chapter Two to develop assessment procedures for those controls and control enhancements. The assessment procedures developed are subsequently integrated into the security assessment plan or privacy assessment plan, as appropriate.