I didn't see ransomware mentioned anywhere in there.
At best being ignorant of that risk is going to result in fiscal losses and dubious legalities wrt sanctions, at worst existential risk to the company.
It makes sense (to me) that ransomware isn't mentioned, as this is a checklist of controls - not of threats. Many of these controls do help in preventing ransomware: 2FA, "Backup, test your backups, then backup again", "Isolate assets at the network level", etc.
At best being ignorant of that risk is going to result in fiscal losses and dubious legalities wrt sanctions, at worst existential risk to the company.