Does your organization maintain a documented process for tracking and periodically updating asset priorities, especially following significant organizational changes?
Explanation
Asset prioritization helps organizations allocate security resources effectively by identifying which systems and data are most critical to operations or most vulnerable to threats. Regular updates to these priorities ensure that security controls remain aligned with the organization's current risk landscape as business objectives, system architectures, or threat environments change.
Evidence could include a documented asset prioritization methodology, meeting minutes showing periodic priority reviews, change management records that trigger priority reassessments, or a current asset inventory with clearly marked priority levels and review dates.
Implementation Example
Track the asset priorities and update them periodically or when significant changes to the organization occur
ID: ID.AM-05.133
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Assets are prioritized based on classification, criticality, resources, and impact on the mission
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

