Are business processes and information flows clearly defined and documented?
Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.
Does a list of information assets exist? Is it current?
All assets that may affect the organization’s security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.
How are information assets classified?
Information assets must be classified based on their importance to the organization and level of impact, and whether their c