Data Inventory and Classification is the systematic process of (1) discovering and documenting every data asset an organization holds — where it lives, who owns it, how it flows, and why it was collected — and (2) assigning each asset a sensitivity tier label and data-type category that governs how it must be handled throughout its lifecycle. Together, inventory and classification form the first operational control in the ISACA CDPSE Data Lifecycle model: you cannot protect, govern, retain, or delete data you have not first found and labeled. A complete data inventory answers WHAT data exists and WHERE; classification answers HOW SENSITIVE it is and WHY it was collected — its documented lawful purpose.
Where it stops · what it isn't
- IS: A living register of data assets capturing data type, sensitivity tier, location, named owner, lawful processing basis, and retention schedule.
- IS: A classification schema that assigns tiered sensitivity labels (e.g., Public / Internal / Confidential / Restricted) plus data-type categories (PII, Financial, Health/PHI, Operational, Anonymized).
- IS: Documentation of Data Purpose — the GDPR Article 6 lawful basis (Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interests) tied to each dataset.
- IS NOT: A data governance policy itself — the inventory is the input that makes policies enforceable.
- IS NOT: A one-time audit exercise — it is a continuously refreshed operational artifact.
- IS NOT: A data flow diagram (DFD) or system architecture map, although those artifacts feed into and depend on the inventory.
- IS NOT: Identical to the Records of Processing Activities (RoPA) — the RoPA is a regulatory output derived from the inventory, not the inventory itself.
- IS NOT: Synonymous with data quality management — classification governs sensitivity and purpose, not the accuracy or completeness of data values.
Connected concepts in the graph
- PART OF: ISACA CDPSE Data Lifecycle Domain — Data Purpose
- ENABLES: Data Retention and Deletion Schedules; Access Control and Role-Based Permissions; Privacy Impact Assessment (PIA / DPIA); Records of Processing Activities (RoPA / Article 30 Register); Data Breach Response and Notification (GDPR Article 33)
- REQUIRES: Data Discovery (automated scanning or manual survey); Cross-functional Ownership Model (IT, Legal, Security, Business Units)
- RELATED TO: Data Minimization and Purpose Limitation
- CONSTRAINS: Third-Party Data Sharing and Processor Agreements