Powered by

# Identify Section Checklist

Use this checklist to confirm that the company has identified the data, assets, systems, accounts, and dependencies that must be protected.

The goal of this section is visibility. The company should know what exists, where it is, who owns it, who can access it, and what the business depends on.

# Identify Overview Checklist

☐ Assign an owner to coordinate the Identify section.

☐ Create one central place to store inventories, trackers, notes, and open questions.

☐ Confirm which departments, locations, systems, vendors, and business processes are included.

☐ Agree on standard inventory fields, including owner, location, criticality, sensitive data, internet exposure, vendor involvement, and last review date.

☐ Mark unknowns clearly instead of guessing.

☐ Set a review schedule so inventories stay current.

# Identify Data Checklist

☐ Identify the main types of data the company stores, processes, sends, receives, or shares.

☐ Include customer data, employee data, financial records, contracts, invoices, payroll, supplier records, credentials, intellectual property, and confidential business documents.

☐ Classify important data as Public, Internal, Confidential, or Restricted.

☐ Identify where important data is stored, including email, shared drives, cloud storage, laptops, SaaS platforms, databases, backups, vendor portals, and paper files.

☐ Assign a business owner to each important data set.

☐ Identify who can access important data, including employees, vendors, SaaS tools, integrations, and external parties.

☐ Identify where data is shared outside the company and how it is shared.

☐ Identify high-risk data locations, such as email attachments, public links, old folders, downloads folders, CRM exports, accounting exports, and former employee folders.

☐ Identify outdated, duplicated, abandoned, or unnecessary data for later review.

☐ Create a data inventory register.

# Identify Physical Assets Checklist

☐ Create a physical asset inventory.

☐ Include laptops, desktops, phones, tablets, servers, storage devices, firewalls, routers, switches, Wi-Fi equipment, printers, cameras, backup devices, and other connected equipment.

☐ Include remote worker devices, branch office devices, spare devices, old devices, and devices in storage.

☐ Record the assigned user, department, location, owner, device type, serial number, operating system, and support status.

☐ Mark whether each device is company-owned, personally owned, leased, vendor-owned, or unknown.

☐ Mark whether each device stores or accesses sensitive data.

☐ Mark whether each device is managed, protected, encrypted, patched, and backed up where applicable.

☐ Identify missing, unmanaged, unsupported, unused, or end-of-life devices.

☐ Create a physical asset register.

# Identify Assets and Services Checklist

☐ Create an inventory of business applications, platforms, websites, cloud services, and SaaS tools.

☐ Include email, Microsoft 365, Google Workspace, accounting, CRM, payroll, HR, file storage, project management, website CMS, e-commerce, backup, remote access, and security tools.

☐ Identify websites, domains, subdomains, DNS providers, registrars, hosting providers, SSL/TLS certificates, staging sites, and test sites.

☐ Identify cloud platforms, databases, virtual machines, APIs, integrations, and self-hosted applications.

☐ Identify shadow IT systems used directly by departments.

☐ Record the business owner, technical owner, vendor, support contact, and purpose of each system.

☐ Mark whether each system is business-critical, internet-facing, vendor-managed, or connected to sensitive data.

☐ Record key integrations, third-party access, service accounts, API access, and backup/export options.

☐ Identify unused, duplicated, abandoned, unsupported, or ownerless systems.

☐ Create a digital assets and services register.

# Identify Users and Accounts Checklist

☐ Create an inventory of users and accounts across company systems.

☐ Include employees, executives, contractors, vendors, MSP users, developers, service providers, and external collaborators.

☐ Identify accounts in email, cloud platforms, VPN, password managers, CRM, accounting, payroll, HR, file storage, website CMS, domain registrar, DNS, backup tools, and security tools.

☐ Identify administrator accounts, privileged accounts, shared accounts, service accounts, emergency accounts, vendor accounts, and former employee accounts.

☐ Identify accounts without MFA where MFA is available.

☐ Identify inactive accounts, unknown accounts, personal email accounts, and accounts with excessive permissions.

☐ Identify accounts that can export sensitive data, approve payments, reset passwords, create users, or change security settings.

☐ Record account owner, system, role, access level, MFA status, account type, last login where available, and review date.

☐ Create a users and accounts register.

# Identify Dependencies Checklist

☐ Create a dependency inventory.

☐ Identify technology dependencies such as internet providers, cloud providers, email platforms, SaaS tools, hosting providers, DNS providers, domain registrars, backup providers, endpoint protection, remote access tools, and MSPs.

☐ Identify business process dependencies such as invoicing, payroll, order processing, customer support, sales, procurement, logistics, finance, HR, production, and service delivery.

☐ Identify vendor dependencies, including payment processors, accountants, payroll providers, legal providers, developers, IT providers, logistics partners, software vendors, and outsourced support teams.

☐ Identify internal people dependencies where only one person knows how to operate, administer, repair, approve, or recover an important system or process.

☐ Identify infrastructure dependencies such as internet, electricity, office access, mobile networks, VPN, Wi-Fi, cloud hosting, and backup connectivity.

☐ Identify single points of failure involving one vendor, one employee, one account, one device, one location, or one internet connection.

☐ Record dependency owner, provider, business process affected, systems affected, criticality, support contact, alternative option, and known weakness.

☐ Create a dependency register.

# Final Identify Section Outputs

☐ Data inventory completed.

☐ Physical asset inventory completed.

☐ Digital assets and services inventory completed.

☐ Users and accounts inventory completed.

☐ Dependency inventory completed.

☐ Owners assigned to important data, assets, systems, accounts, and dependencies.

☐ Business-critical items marked.

☐ Sensitive-data items marked.

☐ Internet-facing items marked.

☐ Vendor-managed items marked.

☐ Shared accounts, service accounts, vendor accounts, and former employee accounts recorded.

☐ Unsupported, unmanaged, unknown, abandoned, or duplicate items recorded.

☐ Key integrations and external sharing points recorded.

☐ Single points of failure recorded.

☐ Open questions documented.

☐ Review schedule created.

☐ Priority issues carried forward into later playbook sections.

© Copyright 2026. All rights reserved.