Has your organization established and applied asset prioritization criteria to classify and rank assets based on their criticality?
Explanation
Asset prioritization helps organizations allocate security resources efficiently by identifying which assets require the highest levels of protection based on their value, sensitivity, and business impact. This process typically involves categorizing assets (such as systems, data, and applications) according to predefined criteria like business criticality, regulatory requirements, and potential impact if compromised.
Evidence of fulfillment could include a documented asset prioritization framework or matrix, asset inventory with assigned priority levels, risk assessment reports showing prioritized assets, or meeting minutes where asset prioritization decisions were made.
Implementation Example
Apply the prioritization criteria to assets
ID: ID.AM-05.132
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Assets are prioritized based on classification, criticality, resources, and impact on the mission
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

