Documented scope + data-flow diagram
Description
What this control does
This control requires the organization to maintain formal documentation defining the scope of systems, data, and business processes covered by its cybersecurity program, accompanied by data-flow diagrams that visually map how sensitive data moves between systems, networks, and external parties. The scope document identifies boundaries, exclusions, and custodianship, while data-flow diagrams illustrate data collection points, storage locations, processing activities, and transmission paths. Together, these artifacts provide the foundation for risk assessment, control design, and compliance validation by ensuring all stakeholders understand what is protected and how information traverses the environment.
Control objective
What auditing this proves
Demonstrate that the organization has documented and approved boundaries for its cybersecurity program and maintains accurate data-flow diagrams that reflect current system architectures and data movement patterns.
Associated risks
Risks this control addresses
- Unidentified assets fall outside the scope of security monitoring and control implementation, creating blind spots for attackers to exploit
- Critical data flows to third parties or cloud services occur without encryption or access controls because they were not mapped during design
- Incident response teams cannot trace data movement during a breach investigation due to incomplete or outdated flow diagrams
- Compliance audits fail because regulated data processing activities were not documented in scope definitions, resulting in fines or sanctions
- Shadow IT systems processing sensitive data operate outside the documented scope and lack baseline security controls
- Data residency violations occur when cross-border flows are not mapped, causing regulatory breaches under GDPR or similar frameworks
- Redundant or legacy data repositories remain active and vulnerable because they were not identified in scope inventory exercises
Testing procedure
How an auditor verifies this control
- Request the current scope documentation, including the version number, approval date, and list of in-scope systems, applications, data types, and organizational units.
- Verify that the scope document explicitly defines exclusions and provides justification for any systems or data types excluded from the cybersecurity program.
- Obtain all current data-flow diagrams covering the in-scope environment, noting diagram versioning, last update date, and responsible owner.
- Select a sample of critical systems or data types from the scope document and trace them through the data-flow diagrams to confirm they are accurately represented.
- Interview system owners and architects to confirm the data-flow diagrams reflect current infrastructure, including recent migrations, integrations, or decommissions.
- Cross-reference data-flow diagrams against network architecture diagrams, system inventories, and data classification records to identify discrepancies or omissions.
- Review change management records from the past 12 months to determine whether scope documents and data-flow diagrams were updated following significant infrastructure changes.
- Confirm that senior management or a governance committee has formally approved the scope documentation and data-flow diagrams within the last 12 months.
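The tracing, cross-referencing and 12-month recency steps above can be checked mechanically once the scope document, system inventory and data-flow diagram exist as structured records. The following Python check is an added example, not part of the control text; the record layout, field names and sample systems are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample records. Field names and system names are illustrative
# assumptions, not a schema defined by the control.
SCOPE = {
    "approved": date(2024, 3, 1),
    "in_scope": {"crm-db", "billing-api", "hr-portal"},
    "excluded": {"lab-sandbox": "isolated test network", "kiosk-01": ""},
}
INVENTORY = {"crm-db", "billing-api", "hr-portal", "legacy-ftp", "lab-sandbox", "kiosk-01"}
DFD = {
    "updated": date(2023, 1, 15),
    "nodes": {"crm-db": "internal", "billing-api": "internal",
              "old-reports": "internal", "payments-saas": "external"},
    "flows": [("crm-db", "billing-api", "pii"),
              ("billing-api", "payments-saas", "cardholder")],
}

def audit(scope, inventory, dfd, today, max_age=timedelta(days=365)):
    """Return discrepancies between scope document, inventory and diagram."""
    nodes = dfd["nodes"]
    internal = {n for n, kind in nodes.items() if kind == "internal"}
    accounted = scope["in_scope"] | set(scope["excluded"])
    return {
        # In-scope systems that cannot be traced through the diagram.
        "in_scope_not_in_dfd": sorted(scope["in_scope"] - set(nodes)),
        # Inventory assets that are neither in scope nor formally excluded.
        "unaccounted_assets": sorted(inventory - accounted),
        # Internal diagram nodes with no inventory record (stale or shadow IT).
        "dfd_not_in_inventory": sorted(internal - inventory),
        # Exclusions recorded without a justification.
        "unjustified_exclusions": sorted(
            k for k, why in scope["excluded"].items() if not why.strip()),
        # Flows that reach an external party or reference an unmapped node.
        "boundary_flows": [f for f in dfd["flows"]
                           if nodes.get(f[0]) != "internal"
                           or nodes.get(f[1]) != "internal"],
        # Artifacts whose approval or update date is outside the review window.
        "stale": [name for name, d in (("scope", scope["approved"]),
                                       ("dfd", dfd["updated"]))
                  if today - d > max_age],
    }

if __name__ == "__main__":
    for check, result in audit(SCOPE, INVENTORY, DFD, date(2024, 6, 1)).items():
        print(f"{check}: {result}")
```

Each non-empty result is a lead for the interviews and change-record review, not a finding on its own; boundary flows in particular are listed for confirmation of encryption and access controls rather than flagged as failures.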
Where this control is tested