Do you know what your most critical data and systems are, so you can prioritise restoration?
Description
What this control does
This control ensures the organization maintains a formally documented and regularly updated inventory of critical data assets and IT systems, ranked by business impact and recovery priority. It typically relies on a business impact analysis (BIA) that classifies systems by Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and identifies dependencies between systems and data. This prioritization is essential for effective disaster recovery and business continuity planning: it lets teams make informed triage decisions during incidents and direct recovery resources to the most mission-critical functions first.
Control objective
What auditing this proves
Demonstrate that the organization has identified, documented, and prioritized its critical data assets and systems based on business impact, and that this prioritization informs restoration sequencing during incident response and disaster recovery operations.
Associated risks
Risks this control addresses
- Recovery resources are misallocated during a disaster, restoring low-priority systems before critical business functions, extending downtime for revenue-generating operations
- Ransomware attackers encrypt critical databases and the organization cannot quickly identify which backup restoration should be prioritized, causing extended business disruption
- Interdependencies between systems are unknown, leading to failed restoration attempts when a supporting infrastructure component is not restored before dependent applications
- Legal or regulatory reporting deadlines are missed because systems holding compliance-critical data were not prioritized for recovery
- Incident response teams make inconsistent ad-hoc decisions during disasters without documented guidance, leading to chaotic and inefficient recovery efforts
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are undefined, causing misalignment between business expectations and actual recovery capabilities during real incidents
- Critical intellectual property or trade secrets remain inaccessible for extended periods because the data's criticality was not documented and communicated to recovery teams
Testing procedure
How an auditor verifies this control
- Request and review the organization's business impact analysis (BIA) documentation and asset inventory identifying all data assets and IT systems categorized by criticality level
- Verify that each critical asset or system has assigned Recovery Time Objective (RTO) and Recovery Point Objective (RPO) values documented with business owner approval
- Select a representative sample of 10-15 systems spanning different criticality tiers and validate that the criticality classifications align with documented business functions and revenue impact
- Review the disaster recovery plan and business continuity plan to confirm that documented restoration sequences explicitly reference the criticality rankings from the BIA
- Interview IT operations and disaster recovery personnel to assess whether they can articulate which systems must be restored first and the rationale for restoration order
- Examine evidence of recent tabletop exercises or disaster recovery tests to verify that restoration priorities were followed and that the documented criticality rankings were used for decision-making
- Review change management records to confirm that the asset inventory and criticality classifications are updated when new systems are deployed or business processes change
- Verify that interdependencies between systems are documented, including which supporting infrastructure components must be restored before dependent applications become functional
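The checks above (undefined RTO/RPO, undocumented dependencies, restoration sequences that respect dependencies) can be run mechanically over an exported asset inventory. The following is an added example, not part of the control text or any specific tool: it takes a constructed inventory, reports the gaps an auditor would raise, and derives a restoration order that restores supporting components before dependents, taking the lowest criticality tier and then the shortest RTO among systems that are ready. The system names, tiers and RTO/RPO values are invented for illustration.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample inventory (not real systems): name -> (criticality tier,
# RTO hours, RPO hours, systems it depends on). Two records carry deliberate gaps.
INVENTORY = {
    "active-directory": (1, 2, 1, []),
    "storage-array":    (1, 2, 0, []),
    "core-db":          (1, 4, 1, ["storage-array"]),
    "order-portal":     (1, 8, 4, ["core-db", "active-directory"]),
    "hr-app":           (2, 24, 8, ["payroll-db"]),  # payroll-db is not in the inventory
    "reporting":        (3, 72, 24, ["core-db"]),
    "wiki":             (3, None, 24, []),           # RTO was never assigned
}

def documented_graph(inventory):
    """Dependency graph restricted to systems the inventory actually documents."""
    return {name: [d for d in deps if d in inventory]
            for name, (_, _, _, deps) in inventory.items()}

def find_gaps(inventory):
    """Findings an auditor would raise before trusting any restoration sequence."""
    gaps = []
    for name, (_, rto, rpo, deps) in inventory.items():
        if rto is None or rpo is None:
            gaps.append(f"{name}: RTO/RPO not defined")
        gaps += [f"{name}: depends on undocumented system {d}" for d in deps if d not in inventory]
    try:
        TopologicalSorter(documented_graph(inventory)).prepare()
    except CycleError as err:  # err.args[1] is the list of nodes forming the loop
        gaps.append("circular dependency: " + " -> ".join(err.args[1]))
    return gaps

def restoration_order(inventory):
    """Restore supporting components before dependents; among systems that are
    ready, take the lowest tier first, then the shortest RTO. Undocumented
    dependencies cannot be sequenced, which is why find_gaps reports them."""
    def priority(name):
        tier, rto, _, _ = inventory[name]
        return (tier, float("inf") if rto is None else rto, name)
    sorter = TopologicalSorter(documented_graph(inventory))
    sorter.prepare()  # raises CycleError on a dependency loop
    ready, order = set(), []
    while sorter.is_active():
        ready.update(sorter.get_ready())   # newly unblocked systems join the pool
        nxt = min(ready, key=priority)     # pick the most urgent ready system
        ready.remove(nxt)
        order.append(nxt)
        sorter.done(nxt)
    return order

if __name__ == "__main__":
    for gap in find_gaps(INVENTORY):
        print("GAP:", gap)
    print("Restore in this order:", " -> ".join(restoration_order(INVENTORY)))
```

On the sample inventory the gaps for wiki and hr-app are reported first, and the sequence places the identity and storage layers before the database, which in turn precedes the order portal and reporting.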