Home Compliance & Certification Business Critical Data Inventory List Guide

Business Critical Data Inventory List Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact proves that your company has identified and catalogued its most valuable data — the crown jewels. Cyber Essentials requires this because without knowing what your critical data is, you can’t protect it. An inventory ensures sensitive data is properly safeguarded, backed up, and only accessible to those who need it.

2. What You Will Submit

You will need:

  • Your Business-Critical Data Inventory List document or spreadsheet.

  • It should include:

    • Data type/category (e.g. customer PII, financial records, health data, intellectual property).

    • Location (where it’s stored — e.g. local server, AWS S3, M365 SharePoint).

    • Data owner (department or role responsible).

    • Sensitivity/criticality rating (e.g. High/Medium/Low).

    • Access permissions (who can view/edit).

    • Backup method/frequency.

    • Retention or disposal schedule.

3. How to Collect / Obtain / Generate This Evidence

  • If you already manage a data register:

    • Export your document into XLSX or PDF.

    • Ensure it includes both business value and security handling details.

  • If starting from scratch:

    1. Use the Business Critical Data Inventory List Template from StrongKeep .

    2. List each category of business-critical data (start with customer, financial, HR, legal/compliance).

    3. For each, capture its location, owner, access rights, backup method, and retention period.

    4. Review the list quarterly and after major business/IT changes.

4. Evidence Format

  • Accepted file types: XLSX, CSV, PDF.

  • Suggested naming format:
    YourCompanyName_DataInventory_YYYY-MM-DD.xlsx

5. What “Good” Looks Like

  • Covers all major categories of business-critical data.

  • Assigns owners and responsibilities (no orphaned data).

  • Shows security controls (restricted access, backups, retention).

  • Updated regularly, not a one-time snapshot.

Why it matters: auditors want to see that you know where sensitive data lives, who touches it, and how it’s protected.

6. Tips

  • Use consistent sensitivity labels (e.g. Confidential / Restricted / Public).

  • Cross-reference this inventory with your backup records and asset inventory.

  • If outsourcing storage (e.g. cloud), make sure the service and backup responsibilities are clearly noted.