CapGRC
Law 25 / Guide

How to Map Your Information Assets in Compliance with Law 25

Asset mapping is the first step of any effective GRC program and an explicit requirement of Law 25. Here is a methodical guide to accomplish it without getting lost.

8 min read | February 20, 2026

You cannot protect what you do not know. This is the fundamental premise of any information security approach. Law 25 translates this principle into a legal obligation: organizations must be able to demonstrate that they know the personal information they hold, why they have it, where it is located and who has access to it.

Law 25: a concrete requirement

The Personal Information Protection and Electronic Documents Act (PIPEDA) and Law 25 require organizations to know the personal information they hold. Without a map of these assets, it is impossible to conduct a privacy impact assessment (PIA), report an incident or respond to an access request.

Asset categories to inventory

  • Data assets: customer databases, HR files, email lists, health records, biometric data, financial records
  • Application assets: CRM, ERP, HRIS, web applications, APIs, microservices, automation scripts
  • Infrastructure assets: physical and virtual servers, cloud systems (AWS, Azure, GCP), networks, firewalls, workstations
  • Third-party service assets: SaaS vendors, subcontractors with data access, business partners, cloud services
  • Physical assets: removable media (USB keys, hard drives), paper files, physical archives, mobile devices

5-step methodology

1. Identify asset owners

Each asset must have an owner who is responsible for its protection. Without a designated owner, accountability becomes diffuse and obligations go unmet.

  • Define the concept of asset owner in your policies
  • Assign an owner to each system or database
  • Create an ownership register accessible to stakeholders

2. Conduct an exhaustive inventory

The inventory must cover 100% of the systems that process personal information. Forgotten assets are the most dangerous ones during an audit or an incident.

  • Interview IT, business and HR teams to identify systems
  • Scan the network to detect unreported assets (shadow IT)
  • Include SaaS services used without IT supervision
  • Document legacy systems even if they are being decommissioned

3. Classify assets by sensitivity

Law 25 requires sensitive information to be specifically classified. Classification determines the protection level to apply.

  • Define your classification grid (e.g. Public, Internal, Confidential, Restricted)
  • Classify each asset by sensitivity
  • Identify information that is sensitive under Law 25 (health, finances, biometrics, religious beliefs, etc.)
  • Document the specific protection requirements for each level

4. Map data flows

Understanding how data flows is essential for PIAs and third-party risk management.

  • For each asset: where does the data come from, and where does it go?
  • Identify transfers outside Quebec (Law 25 requirements)
  • Document third-party vendor access
  • Validate that data sharing agreements are in place

5. Keep the inventory up to date

An outdated inventory is worse than no inventory: it creates a false sense of security.

  • Define an update process triggered by any system change
  • Schedule a complete inventory review every year
  • Integrate mapping into the PIA process
  • Automate asset discovery where possible

Recommended classification grid

  • Public: information intended for the general public, with no restriction. Examples: website, press releases, product documentation
  • Internal: information for internal use, non-confidential. Examples: internal policies, operational procedures, org charts
  • Confidential: sensitive information whose disclosure could harm the organization or individuals. Examples: customer data, contracts, general HR information
  • Restricted: highly sensitive information, with access limited to the minimum required. Examples: health data, personal financial information, biometric data, trade secrets
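As an added, constructed example (not CapGRC's tooling or any code from the guide), the following Python checker runs the five steps above and the recommended grid over a machine-readable asset register. It assumes the register fields shown (owner, classification, data_categories, flows, last_reviewed), that the categories named in step 3 must land in the Restricted level, and that a flow outside Quebec must have a PIA on record, as steps 4 and 5 imply.

```python
# Constructed example: a minimal checker for a Law 25 asset register.
from datetime import date, timedelta

CLASSIFICATION_GRID = ("Public", "Internal", "Confidential", "Restricted")
# Categories the guide names as sensitive under Law 25 (step 3).
SENSITIVE_CATEGORIES = {"health", "financial", "biometric", "religious"}
REVIEW_PERIOD = timedelta(days=365)  # annual review, step 5
AUDIT_DATE = date(2026, 2, 20)       # constructed "today" for the sample run

def check_asset(asset: dict, today: date) -> list[str]:
    """Return the findings for one register entry; an empty list means no gap found."""
    findings = []
    if not asset.get("owner"):                                   # step 1: designated owner
        findings.append("no designated owner")
    level = asset.get("classification")                          # step 3: classification grid
    if level not in CLASSIFICATION_GRID:
        findings.append(f"classification {level!r} is not in the grid")
    elif set(asset.get("data_categories", ())) & SENSITIVE_CATEGORIES and level != "Restricted":
        findings.append("holds sensitive personal information but is not Restricted")
    for flow in asset.get("flows", ()):                          # step 4: data flows
        dest = flow["destination"]
        if flow.get("third_party") and not flow.get("agreement"):
            findings.append(f"no data sharing agreement for flow to {dest}")
        if flow.get("outside_quebec") and not flow.get("pia"):
            findings.append(f"transfer outside Quebec to {dest} has no PIA on record")
    reviewed = asset.get("last_reviewed")                        # step 5: kept up to date
    if reviewed is None or today - reviewed > REVIEW_PERIOD:
        findings.append("not reviewed within the last 12 months")
    return findings

def audit_register(register: list[dict], today: date) -> dict[str, list[str]]:
    """Run check_asset over every entry, keyed by asset name."""
    return {asset["name"]: check_asset(asset, today) for asset in register}

# Constructed sample register: one clean entry and one with several gaps.
SAMPLE_REGISTER = [
    {"name": "CRM", "owner": "Sales director", "classification": "Confidential",
     "data_categories": ["contact"], "last_reviewed": date(2025, 11, 3),
     "flows": [{"destination": "Marketing SaaS", "third_party": True, "agreement": "DPA-2025-07"}]},
    {"name": "HR medical file share", "owner": "", "classification": "Internal",
     "data_categories": ["health"], "last_reviewed": date(2024, 1, 15),
     "flows": [{"destination": "Payroll provider (Ontario)", "third_party": True,
                "outside_quebec": True}]},
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER, AUDIT_DATE).items():
        print(name, "->", findings or ["no findings"])
```

Each finding maps back to one of the five steps, so the output doubles as a gap list for the annual review.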

CapGRC integrates asset mapping into your GRC program

Asset register, automated classification, data flows and direct link with risks and PIAs.