GRCWatch
Sign inStart free trial

NIST ID.AM-5: Resource Prioritization Based on Criticality

Resource prioritization is foundational to effective cybersecurity governance. ID.AM-5 requires you to classify and rank your hardware, software, data, and personnel based on business impact—ensuring your security investments protect what matters most. Without this prioritization, you'll waste resources on low-risk assets while critical systems remain exposed.

What this means

ID.AM-5 mandates that your organization establish and maintain a resource prioritization framework. Resources—including hardware, devices, data, personnel time, and software—must be ranked according to three key dimensions: their classification level, operational criticality, and direct business value. This enables informed decision-making about where to allocate security controls, funding, and monitoring efforts. Organizations must document which resources are mission-critical, which support secondary functions, and which are non-essential, then align security investments accordingly.

How to comply

  1. 1.Conduct a complete resource inventory including all hardware, software, data repositories, and personnel roles across your organization
  2. 2.Define classification levels for your resources (e.g., public, internal, confidential, restricted) based on sensitivity and regulatory requirements
  3. 3.Assess operational criticality by identifying which resources are essential to business continuity and which support secondary functions
  4. 4.Calculate business value for each resource category based on revenue impact, compliance penalties, and customer trust if compromised
  5. 5.Create a prioritization matrix that maps classification × criticality × business value to assign each resource a priority ranking
  6. 6.Document your prioritization methodology and maintain it in a centralized asset management system
  7. 7.Review and update your resource prioritization framework at least annually or when significant business changes occur
  8. 8.Communicate priority levels to security, operations, and executive teams to align budget allocation with risk

Evidence auditors look for

  • Asset inventory spreadsheet with classification tags, criticality levels, and business value scores
  • Resource prioritization framework document outlining your methodology and scoring criteria
  • Business impact analysis (BIA) reports ranking applications and data by criticality
  • IT asset management system showing resource classifications and priority assignments
  • Budget allocation reports demonstrating security spend aligned with resource priorities
  • Risk assessment matrices linking resource priority to control investment decisions
  • Annual review and update records showing prioritization framework refresh

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates your asset inventory and prioritization framework, automatically tagging resources by classification and business criticality so you can prove ID.AM-5 compliance without manual spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ID.AM-1 — Business ContextID.AM-2 — Information and Technology AssetsID.AM-3 — Information and Technology Assets (Third Party)ID.AM-4 — External Information SystemsPR.AC-1 — Access Control PolicyDE.CM-1 — Asset Monitoring