Asset criticality scoring
put a defensible tier on every asset before the queue has to decide

Systems whose loss, corruption, or compromise materially threatens the business: customer-data systems with regulated data, payments and revenue systems, identity and authentication systems, production-control systems for the primary product, and the systems that hold the encryption keys protecting the rest. Tier-zero assets earn the tightest SLA tier, the most defensive scanning cadence, and the most senior named owner. The tier-zero list is short by design and is reviewed against business impact rather than scanner output.

Examples: Customer database, payment processor, identity provider, primary product backend, key management service, source of truth for financial reporting.

Systems that support the primary business workflow but whose loss is recoverable inside a defined recovery window without immediate revenue or regulatory impact: customer-facing applications outside the core transaction path, internal applications that power core business operations, supporting data stores, and integration services that brokered traffic to tier-zero systems. Tier-one assets earn a strong SLA tier and routine remediation prioritisation; downtime is uncomfortable but not existential.

Examples: Customer-facing marketing site, internal HR system, internal finance system, internal CRM, support ticketing, internal collaboration platform that holds business data.

Systems that support internal operations but are not customer-facing and do not hold regulated data: developer tooling, internal documentation, operational dashboards, build infrastructure, monitoring stacks, and supporting services that compose the platform. Tier-two assets earn the standard SLA tier with normal remediation cadence; the failure mode is operational disruption rather than customer impact or regulatory exposure.

Examples: CI/CD runners, internal wiki, observability dashboards, developer sandbox environments, internal staging systems, build artefact registry.

Systems whose compromise produces a contained operational impact: ephemeral test environments, non-production sandboxes, marketing and content sites with no transactional capability, asset shells with no data, and decommissioning candidates. Tier-three assets earn the relaxed SLA tier and remediation in the standard maintenance window. The tier exists so the queue does not waste cycles treating low-impact findings as if they were business critical.

Examples: Marketing landing pages, ephemeral preview environments, isolated proof-of-concept hosts, decommissioning candidates running an end-of-life service tier.

The most regulated or business-sensitive data class the asset stores or processes: regulated personal data (PII, PHI, payment card data), authentication secrets, encryption keys, financial reporting data, intellectual property, internal-only operational data, public data. Data class is the strongest single contributor to the criticality decision because it is the dimension regulatory and contractual obligations attach to.

The realistic blast radius if the asset is unavailable, corrupted, or compromised: revenue impact per hour of downtime, regulatory or contractual penalty exposure, customer trust impact, recovery effort, downstream service degradation. Business impact is captured against the asset on the engagement so the criticality decision references a concrete impact narrative rather than a generic severity adjective.

The reachability of the asset from an unauthenticated attacker: internet-facing services, services reachable from a partner network, internal-only services with limited reach, internal services with broad reach, services reachable only by named maintenance accounts. Exposure interacts with the data and impact dimensions to produce the residual risk profile, and it should be captured as an annotation on the asset rather than inferred per finding.

Layered defences that demonstrably reduce the residual risk from a finding on the asset: network segmentation that constrains the blast radius, WAF rules that block the named exploit class, monitoring rules that detect the named exploitation pattern, session policies that constrain credential reuse, and isolation primitives that contain a compromise. Compensating controls are recorded with a rule, segment, or query reference rather than as a generic claim.

The maturity of the recovery primitive for the asset: tested backup-and-restore, point-in-time restore, automated failover, manual failover, no defined recovery. Recovery posture interacts with impact: a tier-zero asset with a tested ten-minute RTO carries different residual exposure than a tier-zero asset with a manual recovery taking several days, even when the data class and exposure are identical.

The downstream surface that depends on the asset: services that fail when this asset is degraded, customers affected when this asset is unavailable, internal teams blocked when this asset is offline. Dependent surface escalates criticality on assets that look operational in isolation but anchor the rest of the platform. The dependency graph is captured against the asset on the engagement so the routing layer respects the second-order impact.

Reducing the criticality decision to a single score (1 to 5, low to critical) flattens the underlying signals (data sensitivity, business impact, exposure, compensating controls, recovery posture, dependent surface) into a number that nobody can audit and few operators trust. The tier framework holds because each tier ties back to a named data class, business impact narrative, exposure profile, and recovery posture; the single-number alternative reads as a vote rather than a control.

When every business owner argues their system is critical, the tier ceases to drive prioritisation. A defensible programme treats tier zero as a small, defensible list (often single digits to low double digits) where the loss is materially business threatening. Inflating the tier-zero list past the team capacity to defend it deflates the meaning of the tier and erodes the SLA system that depends on it.

Capturing criticality against the engineering ticket, the scanner output, the change record, or the team rather than against the asset itself produces a tier that does not survive when the team rotates, the ticket closes, or the scanner is replaced. The asset is the durable primitive; the tier lives against the asset on the engagement record so the next finding inherits the tier without a manual decision.

A tier-zero application running on tier-two infrastructure does not make the infrastructure tier-zero unless the dependency graph requires it. A defensible programme separates the application-level tier from the infrastructure-level tier and records the dependency relationship so a finding on the infrastructure escalates to the application tier when the dependency is load-bearing and stays at the infrastructure tier when it is not.

A tier assigned by the security team alone is a tier the business owner has not committed to defending. When the business owner is in the loop on the rationale, the SLA they will be measured against, and the compensating controls they need to maintain, the tier becomes a contract rather than a security-team opinion. Tiers without business commitment surface later as escalations the security team cannot escalate.

When the criticality field changes on an asset without an activity-log entry, the previous tier has no audit-readable reason for the change. Reassignment becomes a routing decision with no provenance. Audit committees expect the trail to show who re-tiered, when, and why; a silent field edit reads as an undocumented control change.

The four to five tier definitions the programme uses (commonly tier zero through tier three, sometimes tier four for archived or decommissioning candidates), each with a written description, an example asset class, and the SLA tier it maps to. The framework is the contract between the criticality decision and the SLA system; without it, every conversation about whether an asset is critical re-litigates the framework rather than the specific asset.

Each tier assignment carries a written rationale referencing the six scoring dimensions: data sensitivity, business impact of loss, exposure, compensating controls, recovery posture, and dependent surface. The rationale is the audit-readable record of why the asset earned the tier and the input the quarterly review reads to either confirm or re-tier.

Each asset carries the named business owner accountable for the tier and the named security contact accountable for the routing decisions. The business owner is in the loop on the SLA tier their asset earns, the compensating controls assumed in the tier rationale, and the change events that would trigger a re-tier. The accountability split keeps the criticality decision from being a security-team opinion.

How often the tier list is reviewed (quarterly is the steady cadence), who runs the review, and what triggers an out-of-cycle re-tier (a business reorganisation, a platform migration, a new regulated data class, a major compensating-control change, a recovery-posture downgrade, an asset retirement). The cadence is recorded on the engagement so a re-tiering cycle does not silently lapse.

The rule for shared and platform assets: an asset inherits the highest tier of the systems that depend on it unless a documented compensating control breaks the inheritance. The dependency graph is captured against the asset so the routing layer respects the second-order impact and the auditor can read why a shared service carries a different tier than its standalone description would suggest.

The explicit mapping from tier to SLA tier: tier zero maps to the immediate SLA tier (often 24 to 72 hours for critical findings), tier one to the strong tier, tier two to the standard tier, tier three to the relaxed tier. The mapping is recorded so the SLA system reads the tier from the asset rather than asking operators to set it per finding, and the breach metrics roll up consistently.

Criticality scoring builds on asset ownership mapping (the same canonical asset record carries both ownership and tier), scanner result triage (validated findings inherit the asset tier), and scanner to ticket handoff governance (the routing rule respects the tier when deciding which queue receives the ticket).

Tier evidence rolls up into vulnerability prioritisation (tier is the multiplier the queue applies), vulnerability SLA management (tier reads as the SLA tier the timer starts on), vulnerability backlog management (tier reads as a queue-health indicator), and security leadership reporting (tier coverage and breach-by-tier are headline indicators on the leadership cadence).

The asset reference resolves to a tier as the finding is created. The prioritisation queue does not pause for a tier lookup because the categorisation primitive already answered the question.

The tier list is reviewed on a documented cadence with a named reviewer and the business owner. Reorganisations and platform migrations land as a single re-tiering event rather than as a per-finding propagation problem.

The tier-zero list is short enough that the security team and the named business owners can credibly defend every system on it at the immediate SLA tier. Tier inflation is caught in review rather than in audit.

The framework, the per-asset tier, the rationale, the re-tiering history, and the SLA-by-tier breach metric all read from the live engagement record. ISO 27001, SOC 2, PCI DSS, NIST, and CIS assessors get the evidence as a query rather than a multi-week reconciliation sprint.