The N²SF includes a stage where agencies evaluate the adequacy of the security measures they have implemented themselves, providing an opportunity to identify issues and deficiencies in the major activities of each N²SF stage and address them before requesting a security review.

This is the fifth and final stage of the N²SF, known as 'Adequacy Evaluation and Adjustment,' where the agency forms its own review committee (comprising security officers, consulting experts, and specialists) to engage in activities.

According to the guidelines, the process of evaluation and adjustment is repeated until no further adjustments are deemed necessary.

If adjustments are needed but remain unrecognized, and the agency approves the evaluation result and requests a security review, there is a high likelihood of encountering issues during the security review that will necessitate a more complicated adjustment process.

Therefore, the agency should independently assess whether: ➊ the classification of business information and information systems by C/S/O levels is correct, ➋ the threat modeling methodology is properly applied, ➌ potential threats are accurately identified, ➍ security measures to Mitigate/Remove/Avoid/Transfer each identified threat are properly applied, ➎ the selection of security control items is appropriate, and ➏ the implementation plan for security control items is adequate.

 To develop the capability to do this independently, it is advisable for the agency to involve consulting experts with technical expertise in N²SF in all stages of the N²SF process, working jointly with the agency's security personnel to carry out key activities.