Has your organization established and documented criteria for prioritizing different classes of assets based on their criticality and value?
Explanation
Asset prioritization is the focus here: whether documented criteria let you rank classes of assets by their criticality and value to the business.
Effective asset prioritization helps allocate security resources appropriately and ensures that the most critical assets receive proportionate protection measures.As evidence, you could provide a documented asset classification framework that defines criteria for prioritization (e.g., business impact, regulatory requirements, replacement cost, data sensitivity), along with a sample asset inventory showing how these criteria have been applied to categorize existing assets.
Implementation Example
Define criteria for prioritizing each class of assets
ID: ID.AM-05.131
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Assets are prioritized based on classification, criticality, resources, and impact on the mission
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

