Skip to main content

AST-01.2: Stakeholder Identification & Involvement

AST 5 — Medium Identify

Mechanisms exist to identify and involve pertinent stakeholders of critical Technology Assets, Applications, Services and/or Data (TAASD) to support the ongoing secure management of those assets.

Control Question: Does the organization identify and involve pertinent stakeholders of critical Technology Assets, Applications, Services and/or Data (TAASD) to support the ongoing secure management of those assets?

General (13)
Framework Mapping Values
COBIT 2019 EDM05.01 EDM05.02 EDM05.03 DSS06.02
ISO 27001 2022 (source) 4.2 4.2(a)
ISO 27002 2022 5.9
ISO 27017 2015 8.1
ISO 27701 2025 4.2
ISO 42001 2023 9.3.2(c) A.4.6 A.8 A.8.2 A.8.3 A.8.4 A.8.5
NIST AI 100-1 (AI RMF) 1.0 GOVERN 1.1 GOVERN 2.0 GOVERN 5.0
NIST Privacy Framework 1.0 ID.IM-P2 ID.IM-P8
NIST CSF 2.0 (source) GV.OC GV.OC-02 ID.AM ID.AM-08
TISAX ISA 6 1.2.2 1.3.1
SCF CORE ESP Level 1 Foundational AST-01.2
SCF CORE ESP Level 2 Critical Infrastructure AST-01.2
SCF CORE ESP Level 3 Advanced Threats AST-01.2
US (3)
Framework Mapping Values
US CERT RMM 1.2 GG2.GP7 MON:SG1.SP2
US NERC CIP 2024 (source) CIP-003-8 R3
US TSA / DHS 1580/82-2022-01 III.A
EMEA (3)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.3.2(16) 3.5(54)
EMEA Saudi Arabia OTCC-1 2022 2-1-1-4
EMEA UK CAF 4.0 A3.a (point 4)
APAC (5)
Framework Mapping Values
APAC India SEBI CSCRF GV.PO.S5
APAC Japan ISMAP 4.4.3 4.4.3.1
APAC New Zealand HISF 2022 HSUP27
APAC New Zealand HISF Suppliers 2023 HSUP27
APAC Singapore MAS TRM 2021 3.3.1(c)

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to identify and involve pertinent stakeholders of critical Technology Assets, Applications, Services and/or Data (TAASD) to support the ongoing secure management of those assets.

Level 1 — Performed Informally

Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Asset inventories are performed in an ad hoc manner.
  • Software licensing is tracked as part of IT asset inventories.
  • Data process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Level 2 — Planned & Tracked

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Technology assets are categorized according to data classification and business criticality.
  • Inventories cover technology assets in scope for statutory, regulatory and/ or contractual compliance, which includes both physical and virtual assets.
  • Software licensing is tracked as part of IT asset inventories.
  • Users are educated on their responsibilities to protect technology assets assigned to them or under their supervision.
  • IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.
Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • Quarterly IT asset inventories are reviewed and shared with appropriate stakeholders.
Level 4 — Quantitatively Controlled

Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify and involve pertinent stakeholders of critical Technology Assets, Applications, Services and/or Data (TAASD) to support the ongoing secure management of those assets.

Assessment Objectives

  1. AST-01.2_A01 pertinent stakeholders of critical systems, applications and services are identified and documented.
  2. AST-01.2_A02 pertinent stakeholders of critical systems, applications and services are involved in supporting the ongoing secure management of those assets.

Evidence Requirements

E-CPL-03 Controls Responsibility Matrix (CRM)

Documented evidence of a Controls Responsibility Matrix (CRM), or similar documentation, that identifies the stakeholder involved in executing assigned controls (e.g., Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix).

Compliance

Technology Recommendations

Micro/Small

  • System Security & Privacy Plan (SSPP)

Small

  • System Security & Privacy Plan (SSPP)

Medium

  • System Security & Privacy Plan (SSPP)

Large

  • System Security & Privacy Plan (SSPP)

Enterprise

  • System Security & Privacy Plan (SSPP)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free