When should information security controls be considered?

A. After the risk assessment

B. As part of the scoping meeting

C. At the kick-off meeting

D. During the risk assessment work