Start with scope and ownership, then build a defensible TARA approach and a traceability structure from risk → goals → requirements → verification. Work products should be prioritised based on programme scrutiny, not created as a generic document pack.