What matters (asset identification)¶

Duration: 30-45 minutes

Materials: Index cards or sticky notes, markers, wall or large table

The exercise¶

Identify what your organisation depends on to deliver services. Not everything, just what actually matters.

Step 1: Brainstorm assets (10 minutes)

Working individually or in small groups, write down assets on cards. One asset per card. Think broadly:

• Information: Customer data, financial records, intellectual property, operational data

• Systems: Applications, databases, websites, infrastructure, control systems

• Services: Critical business processes, third-party services, supply chains

• People: Key personnel, specialised knowledge, relationships

• Physical: Facilities, equipment, hardware

Step 2: Cluster and categorise (10 minutes)

Group similar assets together. Create categories that make sense for your organisation. Common groupings:

• Customer-facing systems

• Internal operations

• Data repositories

• Infrastructure and platforms

• Third-party dependencies

Step 3: Identify critical assets (15 minutes)

Ask for each asset or group:

• If this was unavailable for a day, what breaks?

• If this was compromised, what’s the impact?

• Is this a single point of failure?

• Can we operate without this?

Mark the 10-20 assets that are truly critical. These are your focus.

Step 4: Document dependencies (10 minutes)

For critical assets, note what they depend on:

• What systems does this rely on?

• What data does it need?

• What people manage it?

• What suppliers support it?

Output¶

• List of critical assets (10-20 items)

• Categories or groupings

• Key dependencies noted

• Shared understanding of what matters most

Common pitfalls¶

“Everything is critical” → Force prioritisation. What breaks operations immediately?

“Too technical” → Include business perspective, not just IT.

“Missing context” → Note why each asset matters (revenue, compliance, safety, etc.).