I think the numerals beside each element makes more sense because it is difficult to pick out what the elements are especially in Illustrative procedures like the one below. Putting a number out front still requires us to determine which {3} or which {6} that Hitrust considers to be elements.
Examine policies and/or standards related to user roles and responsibilities and determine if the organization has developed, disseminated, and annually reviewed/updated a formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Further, document procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. Validate the existence of a written policy or standard.
I think the numerals beside each element makes more sense because it is difficult to pick out what the elements are especially in Illustrative procedures like the one below. Putting a number out front still requires us to determine which {3} or which {6} that Hitrust considers to be elements.
Examine policies and/or standards related to user roles and responsibilities and determine if the organization has developed, disseminated, and annually reviewed/updated a formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Further, document procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. Validate the existence of a written policy or standard.