PM-5(1): Inventory of Personally Identifiable Information

Control Family:

Program Management

Parent Control:

PM-5: System Inventory

CSF v1.1 References:

PF v1.0 References:

Baselines:

  • Privacy
Info icon.

Control is new to this version of the control set.

Control Statement

Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.

Supplemental Guidance

An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.