ID.AM-05.131
Has your organization established and documented criteria for prioritizing different classes of assets based on their criticality and value?
Explanation
This question assesses whether your organization has a formal methodology for categorizing and prioritizing assets (such as data, systems, applications, and infrastructure) according to their importance to business operations, sensitivity of information, and potential impact if compromised. Effective asset prioritization helps allocate security resources appropriately and ensures that the most critical assets receive proportionate protection measures. As evidence, you could provide a documented asset classification framework that defines criteria for prioritization (e.g., business impact, regulatory requirements, replacement cost, data sensitivity), along with a sample asset inventory showing how these criteria have been applied to categorize existing assets.
Implementation Example
Define criteria for prioritizing each class of assets
ID: ID.AM-05.131
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Assets are prioritized based on classification, criticality, resources, and impact on the mission

