The NIS baseline Identification domain (ID) defines how entities maintain visibility over assets, assess cybersecurity risk, plan treatment actions, and run continuous improvement. For compliance execution, ID controls are the bridge between governance decisions and technical control prioritization.
Sources: ACN baseline obligations determination, ACN baseline reading guide
Key takeaways
- Identification controls are not only asset inventory tasks; they include risk evaluation, vulnerability handling, and improvement governance.
- Asset, software, service, and supplier visibility is required to support reliable risk decisions.
- Risk assessments must be documented, periodically updated, and linked to formal treatment plans.
- Improvement plans and updates should be traceable and governance-approved where required.
Sources: ACN baseline obligations determination
ID control model in practice
1. Asset management (ID.AM)
Maintain updated inventories for physical assets, software/services, and relevant network/service components used for critical activities.
2. Risk assessment (ID.RA)
Identify vulnerabilities; evaluate threats, vulnerabilities, likelihood, and impact; and document risk decisions together with the triggers for periodic reassessment.
3. Risk treatment (ID.RA-06)
Define treatment options, priorities, responsibilities, and implementation timelines for each relevant risk scenario.
4. Vulnerability process (ID.RA-08)
Establish formal intake, analysis, and response processes for vulnerability disclosures and remediation tracking.
5. Improvement cycle (ID.IM)
Use incidents, monitoring outputs, and review results to update plans and improve controls and resilience posture.
Sources: ACN baseline obligations determination, ACN baseline reading guide
Minimum evidence set for ID readiness
| ID area | Practical objective | Typical evidence |
|---|---|---|
| ID.AM | Complete and current visibility of relevant assets/services | Asset inventories, service inventories, update logs |
| ID.RA | Repeatable and documented risk evaluation | Risk assessment report, methodology, approval records |
| ID.RA-06 | Prioritized and owned treatment decisions | Risk treatment plan, owner matrix, deadlines |
| ID.RA-08 | Managed vulnerability intake and remediation | Vulnerability management procedure, remediation records |
| ID.IM | Continuous improvement from lessons learned | Improvement plan, update register, review outputs |
Sources: ACN baseline obligations determination
90-day execution checklist
- Reconcile existing asset inventories, assign inventory owners, and define the update cadence.
- Validate risk-assessment methodology and establish periodic review triggers.
- Build or refresh the risk-treatment plan with measurable priorities and deadlines.
- Formalize vulnerability-intake and remediation workflow with clear accountability.
- Create an ID improvement register linked to incidents, audits, and management reviews.
FAQ
Are ID controls limited to maintaining an asset list?
No. The ID domain includes inventories, risk assessment, treatment planning, vulnerability processes, and improvement activities. Source: ACN baseline obligations determination
How often should risk assessment be updated?
The baseline model requires periodic updates and additional updates when incidents, organizational changes, or exposure changes occur. Sources: ACN baseline obligations determination, ACN baseline reading guide
What is the operational output of ID.RA-06?
A documented treatment plan with selected options, responsible owners, implementation sequencing, and timing. Source: ACN baseline obligations determination