Assets identification
. Data: Identify the main data managed by the organization, including personal, financial, operational, and research data.. Applications: List all applications used to process, store, or transmit these data.
. Identify those managed internally and those outsourced (SaaS, etc.)
Application classification
Operational Importance:. Classify applications based on their importance to the business operations, from critical to non-essential.
. Sensitivity of the Processed Data: Consider the type of data processed or stored by the application to help determine its sensitivity level, especially in terms of the risks of disclosure or misuse of this data.
Risk Assessment
This is not about conducting a risk analysis, which can be lengthy and costly, but rather focusing on the applications critical to the business.. Risk Analysis: Assess the risks associated with each category of application, but especially those critical to the business. It's difficult to estimate the type of cyber threats, as threats evolve rapidly. The focus should instead be on the severity of the impact on the business or organization.
. Protection Measures: Determine the existing cyber-resilience security measures and define their effectiveness.