GRCWatch
Sign inStart free trial

CIS Controls 3.8: Document Data Flows

Data flows are the connective tissue of your enterprise—and they're invisible without proper documentation. CIS Control 3.8 requires you to map how data moves through your organization and between service providers, creating the visibility needed to identify risks and enforce security policies.

What this means

Control 3.8 mandates creating and maintaining comprehensive documentation of how data moves through your enterprise environment, including all interactions with external service providers. This documentation must align with your organization's data management process and be reviewed and updated at least annually—or immediately when significant changes occur that could affect data flows. Without clear data flow maps, you cannot effectively identify where sensitive data resides, how it's accessed, or whether it's protected adequately.

How to comply

  1. 1.Establish a data management process that defines data classification, ownership, and handling standards
  2. 2.Create detailed data flow diagrams showing how data moves between systems, departments, and external parties
  3. 3.Map all service provider and third-party data flows, including APIs, integrations, and data exchanges
  4. 4.Document data flow entry points, processing locations, storage repositories, and exit points
  5. 5.Identify data transformations and enrichment steps that occur during processing
  6. 6.Assign ownership and responsibility for each documented data flow
  7. 7.Schedule annual reviews and document changes triggered by new applications, system migrations, or organizational restructuring
  8. 8.Store data flow documentation in a centralized, accessible repository for audits and incident investigations

Evidence auditors look for

  • Documented data flow diagrams with clearly labeled systems, databases, and external service providers
  • Data inventory spreadsheet mapping sensitive data to systems and showing movement patterns
  • Service provider data processing agreements and flow charts showing third-party integrations
  • Change log showing annual review dates and updates made in response to organizational changes
  • Email or meeting notes documenting data flow discovery sessions with system and business owners
  • Architecture diagrams with data flows overlaid and labeled with sensitivity classifications
  • Risk assessment reports identifying vulnerabilities discovered through data flow analysis

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data flow discovery and mapping by integrating with your cloud environments and on-premises systems, then tracks changes throughout the year to keep your CIS 3.8 documentation current without manual re-mapping.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 3.1 (Establish data handling policy)CIS Controls 3.2 (Address unauthorized data flows)CIS Controls 2.1 (Inventory authorized software)CIS Controls 2.2 (Establish software management processes)