Identify Function

Specification Documents

Unit Information Security Plan Specification – IDENTIFY (Authentication Required)

Additional Guidance:


The CI listed in the Key Requirements for the Risk Assessment ID does not imply that every asset needs an individual risk assessment. First, not every asset will even have all of the CI’s listed. For example, some assets may not be connected to the network, so the network address CI wouldn’t be relevant. So the same could apply for a risk assessment.

But the second thing to note is that the ISO has long recommended that a single risk assessment be conducted for groups of identical assets. For instance, a risk assessment could be done of the standard Windows desktop configuration used for all desktops in a unit and then each new desktop built using that configuration could reference that common risk assessment.


ISO will provide an example data flow catalog template TBA

The catalog lists data flows identified from individual information system risk assessments, as gathered in the data flow diagrams. 


Units may choose to use this example Threat Analysis


Threat impacts can be documented in the threat table in ID.RA-3


Units may choose to use this example Risk Register Template