5.1
IG1 IG2 IG3

Establish and Maintain an Inventory of Accounts

Control Group: 5. Account Management
Asset Type: Users
Security Function: Identify

Description

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Select and deploy inventory management tool
6. Populate initial inventory with all known assets
7. Establish process for adding/removing inventory entries
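The validation step the checklist ends on, as an added example (not CIS text and not a CIS tool): it reconciles a constructed account inventory against a constructed directory export and reports the discrepancies this safeguard exists to catch: accounts whose stop date has passed but are still enabled, admin rights the inventory does not record, enabled accounts absent from the inventory, incomplete required fields, and an overdue quarterly validation. The field names and the 91-day review interval are assumptions.

```python
from datetime import date, timedelta

# Fields the safeguard lists as the minimum; "stop" may be empty for accounts still
# in use, so it is checked against the directory instead of as a required field.
REQUIRED_FIELDS = ("name", "username", "start", "department")
REVIEW_INTERVAL = timedelta(days=91)  # "at a minimum quarterly"

# Constructed sample inventory; the field names are assumptions, not a CIS format.
INVENTORY = [
    {"name": "Ada Example", "username": "ada", "start": date(2023, 1, 9),
     "stop": None, "department": "Engineering", "admin": False},
    {"name": "Bob Example", "username": "bob", "start": date(2022, 5, 2),
     "stop": date(2024, 3, 31), "department": "Finance", "admin": False},
    {"name": "", "username": "svc-backup", "start": date(2021, 7, 1),
     "stop": None, "department": "", "admin": True},
]
# Constructed directory export: username -> (enabled?, member of an admin group?)
DIRECTORY = {"ada": (True, True), "bob": (True, False),
             "svc-backup": (True, True), "tmp-contractor": (True, False)}


def reconcile(inventory, directory, today, last_review):
    """Return (kind, username, detail) findings; an empty list means no discrepancies."""
    findings = []
    tracked = {entry["username"] for entry in inventory}
    for entry in inventory:
        user = entry["username"]
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append(("missing_fields", user, ",".join(missing)))
        enabled, is_admin = directory.get(user, (False, False))
        # Stop date has passed but the directory still has the account enabled.
        if entry.get("stop") and entry["stop"] < today and enabled:
            findings.append(("orphaned_active", user, f"stop date {entry['stop']} passed"))
        # Directory grants admin rights that the inventory does not record.
        if is_admin and not entry.get("admin"):
            findings.append(("unrecorded_admin", user, "admin in directory, not in inventory"))
    # Enabled accounts the inventory does not know about at all.
    for user in sorted(set(directory) - tracked):
        if directory[user][0]:
            findings.append(("untracked_active", user, "enabled but absent from inventory"))
    if today - last_review > REVIEW_INTERVAL:
        findings.append(("review_overdue", "*", f"last validation {last_review}"))
    return findings


def sample_findings():
    """Reconcile the constructed sample as of 2024-06-15, last validated 2024-02-01."""
    return reconcile(INVENTORY, DIRECTORY, date(2024, 6, 15), date(2024, 2, 1))
```

Each finding maps to one of the scenarios in the next section, so the output doubles as the record for the quarterly review sign-off.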

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Orphaned Account Abuse by Former Employees

Confidentiality

Former employees, contractors, or third parties retain active accounts that are not tracked in an inventory, using them to access systems and data after their authorization has ended.

Privilege Accumulation in Untracked Accounts

Confidentiality

Accounts not tracked in an inventory accumulate permissions over time through role changes without review, creating over-privileged accounts that represent high-value targets.

Compromised Shared Account Without Attribution

Integrity

Shared or generic accounts not captured in the inventory are compromised, and investigations cannot attribute actions to a specific individual due to lack of account tracking.

Vulnerabilities (When Safeguard Absent)

No Centralized Account Inventory

Without a maintained inventory of all accounts, the organization cannot determine how many accounts exist, who owns them, or whether they are all still authorized.

No Recurring Account Authorization Validation

Without quarterly reviews against the account inventory, unauthorized or orphaned accounts persist indefinitely without detection or remediation.

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
| --- | --- | --- |
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |