NIST CSF 2.0 - Identify

ID.AM-07: Data Asset Inventory

ID.AM-07 requires that inventories of data and corresponding metadata for designated data types are maintained. This NIST CSF 2.0 control falls under the Identify (ID) function and the Asset Management category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: ID.AM-07
Title: Data Asset Inventory
Function: Identify (ID)
Category: Asset Management
Framework: NIST CSF 2.0

Inventories of data and corresponding metadata for designated data types are maintained. The organization identifies where sensitive data resides, how it flows and who has access to it.

Why This Matters

Data is the ultimate target in most breaches. Without knowing where sensitive data lives and flows, organizations cannot apply appropriate protections or detect unauthorized access and exfiltration.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of ID.AM-07.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with ID.AM-07 during an audit.

  • Data classification policy and taxonomy
  • Data flow diagrams showing sensitive data movement
  • Data inventory or register with storage locations and owners
  • Data stewardship assignment records

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with ID.AM-07.

  • Data classification exists on paper but is not applied to actual systems
  • No data flow diagrams exist for sensitive information
  • Data inventories do not account for data stored in cloud services or SaaS platforms

FAQ

What does ID.AM-07 require?
ID.AM-07 (Data Asset Inventory) requires that inventories of data and corresponding metadata for designated data types are maintained. The organization identifies where sensitive data resides, how it flows and who has access to it. This control is part of the NIST CSF 2.0 Identify function under the Asset Management category.

How do I prove compliance with ID.AM-07?
To demonstrate compliance with ID.AM-07, prepare the following evidence: Data classification policy and taxonomy; Data flow diagrams showing sensitive data movement; Data inventory or register with storage locations and owners. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
