...
- likelihood - how likely is it that a flaw introduced by ignoring the rule can could lead to an exploitable vulnerability
1 = unlikely
2 = probable
3 = likely
...
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules and recommendations with a priority in the range of 1-4 are level 3 rules, 6-9 are level 2, and 12-27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules in a level, as shown in the following illustration:
Recommendations are not compulsory and are provided for information purposes only.
...