The purpose of this control is to prioritize security resources and efforts to the services that benefit the most from them. By prioritizing services based on risk rating, we can allocate time and resource to the places that would most benefit from them.