The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.
Assets to be protected related to information and data processing services should be inventoried. The purpose is to ensure that the cyber security is focused on the necessary information assets.
Inventory can be done directly in the management system, but an organization may have other, well-functioning inventory locations for certain assets (including code repositories, databases, network devices, mobile devices, workstations, servers, or other physical assets).
Describe in this task, which lists outside the management system are related to protection of information assets.