Criticality + safety classification per asset
Demonstrate that all information system assets have documented criticality and safety classifications that accurately reflect their business impact, operational importance, and potential safety consequences, and that these classifications are consistently applied in security processes.
Description
What this control does
This control requires the organization to assign a criticality level and a safety impact classification to each information system asset, infrastructure component, and data repository based on operational importance, confidentiality requirements, and potential impact on human safety or public welfare. Classifications typically use tiered scales (e.g., critical/high/medium/low) and are documented in an authoritative asset inventory or configuration management database (CMDB). These classifications drive risk-based decision-making for resource allocation, incident response prioritization, backup frequency, patching cadence, and business continuity planning. The control is foundational for applying proportional security controls and ensuring that high-value or safety-critical systems receive appropriate protection.
Control objective
What auditing this proves
Demonstrate that all information system assets have documented criticality and safety classifications that accurately reflect their business impact, operational importance, and potential safety consequences, and that these classifications are consistently applied in security processes.
Associated risks
Risks this control addresses
- Critical infrastructure or safety-impacting systems receive inadequate protection due to unrecognized importance, leading to catastrophic operational failures or physical harm
- Incident response teams misallocate resources during security events, addressing low-priority systems while high-impact assets remain compromised
- Patching and vulnerability remediation activities delay critical updates for high-value targets while prioritizing non-essential systems
- Business continuity and disaster recovery plans fail to prioritize restoration of mission-critical systems, prolonging operational outages
- Insufficient access controls or monitoring on improperly classified assets enable lateral movement to sensitive environments
- Regulatory non-compliance for safety-critical systems in healthcare, energy, transportation, or industrial control environments due to missing classifications
- Over-investment in protecting low-criticality assets while under-resourcing genuinely critical infrastructure, wasting security budget
Testing procedure
How an auditor verifies this control
- Obtain the current enterprise asset inventory, CMDB extract, or centralized asset register that documents all in-scope systems and data repositories
- Verify that each asset record contains a documented criticality rating (e.g., critical/high/medium/low or numeric scale) and a safety impact classification field
- Select a representative sample of 15-25 assets spanning all criticality tiers and business units, including at least three systems known to be mission-critical or safety-impacting
- Interview asset owners and business process leaders for sampled assets to validate that recorded classifications match operational reality and business impact assessments
- Review documented classification criteria or methodology (policy, procedure, or standard) to confirm objective, repeatable standards exist for assigning ratings
- Cross-reference asset classifications against incident response runbooks, patching schedules, backup policies, and access control matrices to verify operational alignment
- Identify any assets provisioned in the past 12 months and confirm they received classifications during onboarding or change management approval processes
- Test for completeness by comparing the classified asset inventory against network discovery scans, cloud resource inventories, and application portfolio lists to identify unclassified systems
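To make the field, alignment and completeness checks in the steps above concrete, here is an added Python example (not part of the control text) that audits a constructed CMDB extract against a constructed discovery list; the tier names, the patch_sla_days field and the per-tier patch windows are assumptions standing in for whatever the organization's classification standard defines.

```python
# Added example: auditor-style checks over a CMDB extract. All data is constructed.

# Assumed classification scales (substitute the organization's own standard).
CRITICALITY_TIERS = {"critical", "high", "medium", "low"}
SAFETY_TIERS = {"safety-critical", "safety-related", "none"}
# Assumed policy: maximum patch window in days permitted for each criticality tier.
MAX_PATCH_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed CMDB extract: one record per asset.
CMDB = [
    {"id": "A-001", "host": "scada-hmi-01", "criticality": "critical",
     "safety_impact": "safety-critical", "patch_sla_days": 7},
    {"id": "A-002", "host": "erp-db-01", "criticality": "high",
     "safety_impact": "none", "patch_sla_days": 30},      # patch SLA looser than tier allows
    {"id": "A-003", "host": "wiki-01", "criticality": "",
     "safety_impact": "none", "patch_sla_days": 90},      # criticality field left blank
    {"id": "A-004", "host": "build-01", "criticality": "moderate",
     "safety_impact": "none", "patch_sla_days": 30},      # value outside the defined scale
]

# Constructed hostnames from a network discovery scan / cloud resource inventory.
DISCOVERED = ["scada-hmi-01", "erp-db-01", "wiki-01", "build-01", "shadow-vm-07"]


def audit_classifications(cmdb, discovered):
    """Return the findings an auditor would raise: missing or invalid classification
    fields, patch cadence misaligned with the tier, and discovered-but-unclassified hosts."""
    findings = {"missing": [], "invalid": [], "sla_mismatch": [], "unclassified": []}
    for rec in cmdb:
        crit = (rec.get("criticality") or "").strip().lower()
        safety = (rec.get("safety_impact") or "").strip().lower()
        if not crit or not safety:                       # field absent or empty
            findings["missing"].append(rec["id"])
            continue
        if crit not in CRITICALITY_TIERS or safety not in SAFETY_TIERS:
            findings["invalid"].append(rec["id"])        # not a value from the scale
            continue
        # Operational alignment: the recorded patch SLA must not exceed the tier's window.
        if rec.get("patch_sla_days", float("inf")) > MAX_PATCH_DAYS[crit]:
            findings["sla_mismatch"].append(rec["id"])
    # Completeness: anything discovered on the network but absent from the CMDB.
    known_hosts = {r["host"] for r in cmdb}
    findings["unclassified"] = sorted(set(discovered) - known_hosts)
    return findings


if __name__ == "__main__":
    for kind, ids in audit_classifications(CMDB, DISCOVERED).items():
        print(f"{kind}: {ids}")
```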
Where this control is tested