Establish and Maintain Detailed Enterprise Asset Inventory
Description
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under the control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Implementation Checklist
Tool Recommendations
Axonius (Enterprise subscription): Cyber asset attack surface management platform providing comprehensive asset inventory across IT, cloud, SaaS, and OT environments
ServiceNow (Enterprise subscription): Enterprise IT asset management and CMDB platform with automated discovery and lifecycle management
Lansweeper (Per-asset subscription): IT asset discovery and inventory platform scanning networks for hardware, software, and cloud assets
JupiterOne (Enterprise subscription): Cloud-native CAASM platform providing cyber asset visibility, context, and governance across all digital operations
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Shadow IT Asset Exploitation
Confidentiality: Attackers compromise untracked devices connected to the network that are invisible to security tooling, using them as persistent footholds for lateral movement.
Incomplete Patch Coverage Due to Unknown Assets
Availability: Critical vulnerabilities remain unpatched on devices not included in the asset inventory, allowing ransomware or worms to propagate through unmanaged endpoints.
Regulatory Non-Compliance from Untracked Data Stores
Confidentiality: Sensitive data resides on assets not captured in the inventory, leading to unprotected PII/PHI exposure during a breach and regulatory penalties.
Vulnerabilities (When Safeguard Absent)
No Centralized Asset Visibility
Without a detailed asset inventory, the organization cannot determine the full scope of devices storing or processing data, leaving blind spots in security coverage.
Stale or Inaccurate Asset Records
Absence of a maintained inventory means decommissioned, relocated, or repurposed assets are not tracked, creating inconsistencies between assumed and actual network state.
Inability to Scope Incident Response
When a breach occurs, responders cannot quickly identify all potentially affected assets, extending dwell time and increasing the blast radius of incidents.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
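The Description above names the fields every inventory record must carry, and the evidence table asks for an export "with required fields populated". The following script, added here as an illustration and not part of the CIS text or any vendor's tooling, checks a CSV export for those fields and for the bi-annual review cycle. The column names (`hardware_address`, `data_asset_owner`, `approved_to_connect`, `last_reviewed`, and so on), the 183-day review interval, and the sample rows are assumptions constructed for the example; map them to whatever your inventory tool actually exports.

```python
"""Validate an asset inventory export against the safeguard's required fields
and its bi-annual review cadence.

Added example; column names, review interval and sample rows are constructed
for illustration and do not come from any particular inventory product.
"""
import csv
import io
import re
from datetime import date, timedelta

# Fields every record must carry. network_address is deliberately absent:
# the safeguard requires it only for statically addressed assets, which the
# constructed static_ip column indicates.
REQUIRED_FIELDS = ("hardware_address", "machine_name", "data_asset_owner",
                   "department", "approved_to_connect")
REVIEW_INTERVAL = timedelta(days=183)  # bi-annual cycle (assumed value)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
asset_id,machine_name,hardware_address,network_address,static_ip,data_asset_owner,department,approved_to_connect,last_reviewed
A-001,fs01.corp.example,00:1A:2B:3C:4D:5E,10.0.5.10,yes,j.doe,Finance,yes,2024-03-01
A-002,lt-4471,00:1A:2B:3C:4D:5F,,no,m.smith,Engineering,yes,2024-05-20
A-003,printer-3f,,10.0.8.40,yes,,Facilities,no,2023-01-15
A-004,cam-lobby-1,00-1A-2B-3C-4D-60,10.0.9.7,yes,sec.ops,Security,unknown,2024-06-01
"""


def _val(row, key):
    """Return a stripped cell value, treating missing columns as empty."""
    return (row.get(key) or "").strip()


def parse_inventory(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_record(row, today):
    """Return (asset_id, issue) findings for one inventory row."""
    findings = []
    asset_id = _val(row, "asset_id") or "<no id>"
    for field in REQUIRED_FIELDS:
        if not _val(row, field):
            findings.append((asset_id, f"missing {field}"))
    hw = _val(row, "hardware_address")
    if hw and not MAC_RE.match(hw):
        findings.append((asset_id, "malformed hardware_address"))
    # Static assets must record their network address.
    if _val(row, "static_ip").lower() == "yes" and not _val(row, "network_address"):
        findings.append((asset_id, "static asset without network_address"))
    approved = _val(row, "approved_to_connect").lower()
    if approved and approved not in ("yes", "no"):
        findings.append((asset_id, "approval status must be yes or no"))
    reviewed = _val(row, "last_reviewed")
    if not reviewed:
        findings.append((asset_id, "no last_reviewed date"))
    else:
        try:
            if today - date.fromisoformat(reviewed) > REVIEW_INTERVAL:
                findings.append((asset_id, "review overdue"))
        except ValueError:
            findings.append((asset_id, "unparseable last_reviewed date"))
    return findings


def validate_inventory(text, today=None):
    """Validate a whole export; today may be a date or an ISO date string."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in parse_inventory(text):
        findings.extend(validate_record(row, today))
    return findings


if __name__ == "__main__":
    for asset_id, issue in validate_inventory(SAMPLE_EXPORT, "2024-07-01"):
        print(f"{asset_id}: {issue}")
```

Run against the constructed export, the check flags the printer with no hardware address, no owner and an overdue review, and the camera whose approval status is neither yes nor no; the two compliant rows produce no findings. A report of this kind, produced per export, is the sort of artifact the "inventory review meeting minutes or sign-off" evidence item can reference.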