Mapping Your Crown Jewels: Identifying the Data and Systems You Absolutely Must Protect.
During a security assessment of a Donegal engineering firm, the consultant asked the managing director to identify the three things that, if lost or compromised, would most harm the business. The managing director immediately named their project tender documents — years of proprietary cost modelling and technical specifications. They named their client contact database. And they named their accounts receivable records.
Then the consultant asked where those three things were stored, who had access to them, whether they were backed up, and what controls protected them. The managing director could not answer with confidence for any of them.
The firm had reasonable security in general. Their most critical assets had no specific protection beyond what general security controls happened to provide. This is the most common gap in Irish SME security posture.
What Are Crown Jewels?
Crown jewels are the specific data sets, systems, and processes that would cause the most serious harm to your business if they were lost, stolen, encrypted, or disclosed. They are what an attacker would most want to reach — and therefore what you most need to protect specifically, not just generally.
Every business has crown jewels. They differ by sector, size, and business model. Identifying them is the first step in any security programme that allocates protection proportionally to risk.
How to Identify Your Crown Jewels
The identification process takes one structured session of about 90 minutes with your management team. It asks three questions about every significant asset in your business.
What is the financial impact if this is lost or inaccessible for a week? This establishes the operational value of the asset. A client contract database that generates €2 million in annual revenue has a different weight than a training presentation used once a quarter.
What is the reputational or regulatory impact if this is disclosed? Personal data, legal documents, commercial pricing strategies, unreleased product information — these carry regulatory risk under GDPR and commercial risk if they reach competitors or are published publicly.
How difficult would this be to recreate if it were destroyed? Some data can be reconstructed. Some cannot. Irreplaceable data — original design files, years of client relationship history, unique pricing models — warrants a higher level of protection than data that could be recreated from source records.
Score each asset on these three dimensions. The assets with the highest combined scores are your crown jewels.
Most Irish SMEs, when they complete this exercise, find that their crown jewels have never been specifically identified — and that some of them are stored in locations, protected by controls, and accessible to individuals that would not be considered appropriate if anyone had thought about it explicitly. Book a free 20-minute strategy call — crown jewel mapping is a standard part of our initial SME security assessment.
What to Do Once You Have the List
Verify where each asset actually lives. Not where you think it is — where it actually is. Crown jewels are sometimes discovered in unexpected places: in an employee's personal OneDrive because that is where they found it convenient to work, in an old server that was never decommissioned, in an email attachment sent years ago and still sitting in multiple inboxes.
Audit who has access. For each crown jewel, list every individual and system with access. Apply least-privilege: if access is not needed for a specific role, remove it. The number of people with access to your most critical assets should be the minimum consistent with normal business operation.
Verify backup and recovery. Crown jewels need dedicated backup attention, not just inclusion in general backup schedules. Confirm that each critical asset is specifically covered by your backup, that the backup is tested, and that the recovery time is acceptable.
Apply additional controls proportionally. A crown jewel warrants stronger controls than a general business asset. This might mean additional access controls, activity logging, encryption at rest, or a separate storage location. The controls applied should be proportional to the value identified in the scoring exercise.
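Added worked example (not code from the original post or from Pragmatic Security): a small asset register that applies the three-dimension scoring from the identification session, ranks the assets to pick the crown jewels, and then runs the access and backup checks described above against each one. Asset names, locations, scores and principals are constructed for illustration; 1-5 scales and the simple sum are assumptions, not a prescribed formula.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    location: str          # where the asset actually lives, once verified
    financial: int         # 1-5: impact if lost or inaccessible for a week
    disclosure: int        # 1-5: reputational/regulatory impact if disclosed
    irreplaceability: int  # 1-5: how hard it would be to recreate if destroyed
    access: set            # principals (people and systems) currently holding access
    required: set          # principals whose role genuinely needs access
    backup_tested: bool    # specifically covered by backup AND a restore has been tested

    def score(self) -> int:
        """Combined score across the three dimensions (assumed: plain sum of 1-5 ratings)."""
        for v in (self.financial, self.disclosure, self.irreplaceability):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: each dimension must be scored 1-5")
        return self.financial + self.disclosure + self.irreplaceability


def crown_jewels(assets, top_n=5):
    """Rank the register by combined score; the top_n highest are the crown jewels."""
    return sorted(assets, key=lambda a: a.score(), reverse=True)[:top_n]


def audit(asset):
    """Least-privilege and backup checks for one crown jewel; returns a list of findings."""
    findings = []
    excess = asset.access - asset.required
    if excess:
        findings.append(f"excess access, remove: {sorted(excess)}")
    if not asset.backup_tested:
        findings.append("no specific backup coverage or restore never tested")
    return findings


# Constructed sample register modelled on the engineering firm in the opening story.
REGISTER = [
    Asset("tender documents", "shared drive", 5, 5, 5,
          {"md", "estimator", "reception", "it-admin"}, {"md", "estimator"}, False),
    Asset("client contact database", "CRM SaaS", 4, 4, 3, {"md", "sales"}, {"md", "sales"}, True),
    Asset("accounts receivable", "accounts server", 5, 3, 2,
          {"finance", "md", "intern"}, {"finance", "md"}, True),
    Asset("quarterly training deck", "personal OneDrive", 1, 1, 1, {"hr"}, {"hr"}, False),
]

if __name__ == "__main__":
    for a in crown_jewels(REGISTER, top_n=3):
        print(f"{a.name} ({a.location}) score={a.score()} findings={audit(a) or 'none'}")
```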
The Sector-Specific Context for Irish SMEs
For a Donegal or Sligo professional services firm — solicitors, accountants, financial advisers — the crown jewels typically include client matter files, trust account records, and client personal data. Loss or disclosure of these carries both regulatory consequences from the Data Protection Commission and professional consequences from the Law Society or CPA Ireland [^1].
For a North-West manufacturer or food processor, the crown jewels include production specifications, supplier contracts, and proprietary process documentation. For a healthcare supplier, client health data and clinical documentation carry both GDPR and regulatory obligations specific to the health sector.
The exercise of mapping crown jewels often reveals sector-specific regulatory obligations that general security guidance does not surface. An accountancy practice that maps its crown jewels and discovers that its client tax files are stored on a shared drive with no access logging has identified both a security gap and a professional standards gap simultaneously.
Why This Matters Right Now
NIS2 Article 21 requires organisations in scope to identify and manage risks to network and information systems — which requires knowing what those systems contain and what their criticality is. The Data Protection Commission's guidance on GDPR security measures specifically references the need to assess the risk associated with personal data based on its sensitivity and the severity of harm that disclosure would cause [^2].
A business that has mapped its crown jewels and applied controls proportional to their value is not only more secure — it is in a demonstrably better regulatory position. The mapping exercise produces documentation that shows regulators and auditors that security investment is risk-informed, not arbitrary.
What Next
Run the crown jewels identification session this month. Gather management. Score your assets on the three dimensions. Document the output. The list of your top five to ten most critical assets is the starting point for every subsequent security investment decision.
Audit access and storage for each identified crown jewel. Specifically. Not as part of a general access review, but with the specific question: is this asset stored appropriately, accessible only to those who need it, and backed up with a tested recovery procedure?
Review the findings with your IT provider. Ask them to confirm whether the controls protecting your crown jewels are adequate given their identified criticality. Their answer should be specific and verifiable.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- A Simple Risk Assessment Method for Busy Owners: Ranking Your Top Assets and Threats
- Access Control and Least Privilege: Who Really Needs Admin Rights?
- Data Classification: Deciding What Is Public, Internal, Confidential or Sensitive
[^1]: Data Protection Commission Ireland — GDPR Security Obligations
[^2]: NCSC Ireland — Risk Management Guidance
[^3]: An Garda Síochána — National Cyber Crime Bureau
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.