id-am-7 high Identify / Asset Management

Inventories of data and corresponding metadata for designated data types are maintained

You cannot protect data you have not catalogued. Knowing where sensitive data lives, who owns it, and how it is classified is a prerequisite for access control, encryption decisions, and breach notification obligations. A data inventory also accelerates responses to deletion or portability requests under privacy regulations like GDPR or CCPA.

Estimated effort: 6h
Tags: data, metadata, classification, inventory
Complete first: id-am-2

Implementation steps

  1. Identify designated data types and their locations

     Work with legal, engineering, and business teams to define which data types need to be tracked, for example: personal data, payment card data, protected health information, and proprietary trade secrets. Then locate where each type is stored: databases, cloud storage buckets, SaaS tools, file shares, and backups.

     Suggested tools: Varonis, BigID, Macie, Purview

  2. Record metadata for each data store

     For each identified data store, capture: data type, classification label, business owner, system or service where it resides, legal basis for processing (if personal data), retention period, and access controls in place. A spreadsheet works for small environments; a data catalog tool scales better.

     Suggested tools: Collibra, Alation, Atlan, Confluence

  3. Establish a data inventory review process

     Review the data inventory at least annually or when a new product feature, system, or third-party integration is introduced that creates or moves sensitive data. Assign a data owner for each designated data type who is responsible for keeping their section accurate.
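The three steps above produce records that can be checked mechanically. The script below is an added example, not part of this rubric or any catalog product: it validates a constructed inventory export against the metadata fields from step 2 and the 12-month review window from step 3. The field names, the set of personal-data types, and the classification tier names are assumptions and should be aligned with your own classification policy.

```python
from datetime import date, timedelta

# Metadata step 2 asks for on every data store; legal_basis is only
# mandatory when the data type is personal data (assumed category set).
REQUIRED_FIELDS = ("data_type", "classification", "owner", "system",
                   "retention_period", "access_controls", "last_reviewed")
PERSONAL_DATA_TYPES = {"personal data", "protected health information"}
# Tier names are assumptions; they must match the classification policy.
CLASSIFICATION_TIERS = {"public", "internal", "confidential", "restricted"}

def audit_record(rec, today, max_age_days=365):
    """Return a list of findings for one inventory record (empty = compliant)."""
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("data_type") in PERSONAL_DATA_TYPES and not rec.get("legal_basis"):
        findings.append("missing legal_basis for personal data")
    tier = rec.get("classification")
    if tier and tier not in CLASSIFICATION_TIERS:
        findings.append(f"unknown classification tier {tier!r}")
    reviewed = rec.get("last_reviewed")
    if reviewed and today - date.fromisoformat(reviewed) > timedelta(days=max_age_days):
        findings.append(f"stale: last reviewed {reviewed}")
    return findings

def audit_inventory(records, today):
    """Map each failing record's system name to its findings."""
    result = {}
    for rec in records:
        findings = audit_record(rec, today)
        if findings:
            result[rec.get("system", "<unnamed>")] = findings
    return result

# Constructed sample inventory (not real systems): one compliant record,
# one missing the legal basis for personal data, one unreviewed for a year
# and lacking an owner.
SAMPLE_INVENTORY = [
    {"data_type": "payment card data", "classification": "restricted",
     "owner": "payments-team", "system": "billing-db", "retention_period": "7y",
     "access_controls": "IAM role + column encryption", "last_reviewed": "2024-03-01"},
    {"data_type": "personal data", "classification": "confidential",
     "owner": "crm-owner", "system": "crm-saas", "retention_period": "3y",
     "access_controls": "SSO groups", "last_reviewed": "2024-02-15"},
    {"data_type": "protected health information", "classification": "restricted",
     "owner": "", "system": "archive-bucket", "retention_period": "10y",
     "legal_basis": "consent", "access_controls": "bucket policy",
     "last_reviewed": "2022-11-30"},
]

if __name__ == "__main__":
    for system, findings in audit_inventory(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        print(system, "->", "; ".join(findings))
```

Running it against a real catalog export (CSV or API dump mapped to the same keys) gives a repeatable artifact for the "evidence of recent review" item below.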

Evidence required

Data inventory or data catalog

A document or tool record listing designated data types, where they are stored, who owns them, and how they are classified.

  • Spreadsheet mapping data types to databases, owners, and classification
  • Data catalog export from Collibra, Alation, or similar
  • AWS Macie sensitive data discovery report with identified S3 buckets

Data classification policy

A written policy defining which data types are designated for tracking and what the classification tiers mean.

  • Data classification policy document approved by leadership
  • Internal wiki page defining PII, confidential, and public data categories
  • Privacy policy or records of processing activities (ROPA) under GDPR

Evidence of recent review

Proof that the data inventory was reviewed or updated within the last 12 months.

  • Dated change log on the data inventory spreadsheet
  • Ticket or project tracking the annual data inventory review
  • Data catalog audit log showing recent updates

Related controls