Some valuable requirements are more sophisticated or require more effort to implement so they cannot be recommended for all applications. These requirements are instead only advised for applications with a higher risk profile which is defined by its exposure and its (business) criticality as follows:

Criticality Internal Application Internet-Eposed Application
High High Very High
Medium Standard High
Low Standard Standard