You cannot tell because it lacks of reference – time of day taken or more precisely which planet but generally assumed on Earth.
Similarly, is the infrastructure/system cyber secure? It needs reference points. The corporate cybersecurity policies, the corporate risk matrix are the reference points to prioritize protection measures for reducing likelihood.
Furthermore, a scoping statement is required especially if we are talking about cybersecurity assessment or accreditation. An ISO standard compliance is meaningless without statement of applicability. Whether it’s just (a) the in/out tray of document handling or (b) the information processing system/infrastructure handling electronic document will make a great difference in terms of operational controls as well as ongoing effort to sustain the accreditation.