Where the criteria mentions security manual, this is taken to be the Security Policy (which was originally written as a manual until being split out). Security Policy delegates practices and procedures to the Security Manual. SM is now an open document on wiki, controlled by systems administration team leader.