2.1 (IG1, IG2, IG3)

Establish and Maintain a Software Inventory

Asset Type: Applications
Security Function: Identify

Description

Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Select and deploy inventory management tool
6. Populate initial inventory with all known assets
7. Establish process for adding/removing inventory entries
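As an added example (not part of the CIS document), the following Python models an inventory entry with the fields the description requires and reconciles the inventory against software discovered on hosts, flagging installs with no inventory entry, entries no longer seen, and entries missing required fields or overdue for the bi-annual review. Entry names and dates are constructed sample data, and the 183-day window is an assumed reading of "bi-annually".

```python
from dataclasses import dataclass
from datetime import date

# Fields safeguard 2.1 requires on every entry; the rest are "where appropriate".
REQUIRED_FIELDS = ("title", "publisher", "install_date", "business_purpose")
REVIEW_INTERVAL_DAYS = 183  # bi-annual cadence, assumed here to mean ~6 months

@dataclass
class SoftwareEntry:
    title: str
    publisher: str
    install_date: date
    business_purpose: str
    version: str = ""
    last_reviewed: date = None
    decommission_date: date = None

def missing_fields(entry):
    # Required fields that are empty or None on this entry.
    return [f for f in REQUIRED_FIELDS if not getattr(entry, f)]

def review_overdue(entry, today):
    # Decommissioned entries need no review; others must be inside the window.
    if entry.decommission_date and entry.decommission_date <= today:
        return False
    return (entry.last_reviewed is None
            or (today - entry.last_reviewed).days > REVIEW_INTERVAL_DAYS)

def reconcile(inventory, discovered, today):
    # unknown: installed but never inventoried; stale: inventoried but no longer
    # seen on any host; incomplete: missing required fields or overdue review.
    known = {(e.title, e.version) for e in inventory}
    incomplete = {}
    for e in inventory:
        issues = ["missing:" + f for f in missing_fields(e)]
        if review_overdue(e, today):
            issues.append("review_overdue")
        if issues:
            incomplete[e.title] = issues
    return {"unknown": sorted(set(discovered) - known),
            "stale": sorted(known - set(discovered)),
            "incomplete": incomplete}

# Constructed sample data, not taken from any real inventory.
INVENTORY = [
    SoftwareEntry("7-Zip", "Igor Pavlov", date(2023, 1, 10), "Archiving", "23.01", date(2024, 4, 1)),
    SoftwareEntry("LegacyReport", "", date(2021, 6, 1), "", "1.0", date(2023, 1, 15)),
]
DISCOVERED = [("7-Zip", "23.01"), ("UnknownTool", "0.9")]  # (title, version) seen on hosts
FINDINGS = reconcile(INVENTORY, DISCOVERED, date(2024, 6, 1))
```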

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Supply Chain Compromise via Untracked Software

Integrity

Malicious or backdoored software installed without inventory tracking evades security review, enabling supply chain attacks like those seen in SolarWinds-type compromises.

License Compliance Exploitation

Confidentiality

Unlicensed or pirated software installed outside inventory controls introduces trojanized versions or cracks that contain embedded malware and credential stealers.

Abandoned Software as Attack Surface

Integrity

Applications installed for past projects but never inventoried remain on systems with known vulnerabilities, providing easy exploitation targets for attackers.

Vulnerabilities (When Safeguard Absent)

No Centralized Software Inventory

Without a maintained software inventory, the organization cannot determine what applications are installed across endpoints, leaving unknown software unpatched and unmonitored.

Inability to Verify Software Legitimacy

Without records of publisher, version, and business purpose, the organization cannot distinguish authorized software from unauthorized or malicious installations.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly
Document | Process/procedure documentation for identification activities | Reviewed annually
Technical | Asset/software inventory export with required fields populated | Exported quarterly for review
Record | Inventory review meeting minutes or sign-off | Per review cycle
Document | Governing policy document (current, approved, communicated) | Reviewed annually