The study of 23 Member States did reveal that a "...significant number of Member States present a low level of maturity and lack a structured approach regarding identification of Critical Information Infrastructure..." However, this report does offer an overview of methodologies in the identification of CII assets and services which may be useful to other geographic regions, nation states and even large multi-national corporations. Some key aspects of the methodologies are summarized below.
Identification of Critical Sectors
One of the first steps listed in Section 4.3 is the identification of critical sectors. On pages 22-24 the report identifies 14 critical sectors including critical subsectors and critical services to be considered when identifying critical assets. The table showing this useful list is below:
Identification of Critical Services
Section 5.2 offers a suggested process of using criticality criteria in order to identify critical assets. The report notes that criticality is the (1) level of contribution of an infrastructure to society in maintaining a minimum level of national and international law and order, public safety, economy, public health and environment, or (2) impact level to citizens or to the government from the loss or disruption of the infrastructure.
Again, ENISA offers a table (below) showing eight different criteria with an explanation:
The next step in this process is to examine critical infrastructure (system) for the following types of dependencies:
- Interdependencies within a critical sector (intra-sector)
- Interdependencies between critical sectors (cross-sector), and, especially for CII
- Interdependencies among communication network assets (both physical and logical connectivity)