In v10, requirements focused on a single control maturity level should be avoided
Because the control maturity model already considers a written policy for each requirement, requirements focused on a single control maturity level should be avoided in v10. For example, the CSF currently contains some requirements about having a written policy, program, standard, guideline, etc. In those requirements, testing the "policy" and "implemented" control maturity levels amounts to two tests of a written policy (often the same one). Instead, requirements should be action-oriented (e.g. the org. does X) rather than policy-oriented (e.g. the org. has a policy about X). Because of the control maturity model, the existence of a written policy is still considered for the action-oriented requirements, which makes the stand-alone policy-focused requirements duplicative.