Framework Category
Asset Management
Asset Management ensures that all organizational assets—hardware, software, systems, data, and third-party services—are identified, tracked, and managed throughout their lifecycle.
It supports effective cybersecurity by maintaining accurate inventories, understanding data flows, assigning responsibilities, and prioritizing assets based on their importance to the mission.
Implementation Questions
ID.AM-01
Inventories of hardware managed by the organization are maintained
Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
A complete hardware inventory is fundamental to effective security management as it provides visibility into all assets that need protection and could represent potential attack vectors. This inventory should include details such as device type, location, owner, operating system, network information, and security status for all IT equipment, IoT devices, operational technology systems, and mobile devices.
Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
Continuous network monitoring for new hardware is essential for maintaining an accurate asset inventory and identifying unauthorized devices that could pose security risks. Without automated detection, organizations may have blind spots in their network where unmanaged or rogue devices could operate undetected, potentially creating entry points for attackers or data exfiltration paths.
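As an added example (not part of the questionnaire or any ResponseHub code), the reconciliation step behind this question: a periodic discovery export is compared against the authorized inventory to flag rogue, misplaced and stale devices. The inventory records, the export format and all addresses are constructed assumptions.

```python
"""Reconcile discovered devices against the authorized hardware inventory.
Added example, not from the original questionnaire; inventory records, export
format and all addresses are constructed assumptions."""
import ipaddress

# Constructed inventory keyed by MAC: owner and the segment the device belongs on.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:01": {"host": "fileserver01", "owner": "IT", "net": "10.0.1.0/24"},
    "00:11:22:33:44:02": {"host": "lab-plc-03", "owner": "OT", "net": "10.0.1.0/24"},
    "00:11:22:33:44:03": {"host": "exec-laptop", "owner": "CEO", "net": "10.0.1.0/24"},
    "00:11:22:33:44:04": {"host": "badge-printer", "owner": "Facilities", "net": "10.0.1.0/24"},
}

# Constructed discovery export (think switch ARP/DHCP dump): "<ip> <mac> <seen-by>".
DISCOVERY_EXPORT = """\
10.0.1.10 00:11:22:33:44:01 switch-core
10.0.2.11 00:11:22:33:44:02 switch-guest
10.0.1.99 DE:AD:BE:EF:00:01 switch-guest
10.0.1.12 00:11:22:33:44:03 wlan-ctrl
"""

def parse_discovery(text):
    """Return (ip, mac, seen_by) tuples; MACs lowercased, malformed lines skipped."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ip, mac, seen_by = parts
            devices.append((ip, mac.lower(), seen_by))
    return devices

def reconcile(inventory, discovered):
    """rogue: seen but not inventoried; misplaced: inventoried but seen outside
    its expected segment; stale: inventoried but not seen in this discovery run."""
    findings = {"rogue": [], "misplaced": [], "stale": []}
    seen = set()
    for ip, mac, seen_by in discovered:
        seen.add(mac)
        record = inventory.get(mac)
        if record is None:
            findings["rogue"].append((ip, mac, seen_by))
        elif ipaddress.ip_address(ip) not in ipaddress.ip_network(record["net"]):
            findings["misplaced"].append((record["host"], ip, seen_by))
    findings["stale"] = sorted(mac for mac in inventory if mac not in seen)
    return findings

def run():
    """Reconcile the constructed data; stale devices need a follow-up, not deletion."""
    return reconcile(AUTHORIZED_INVENTORY, parse_discovery(DISCOVERY_EXPORT))
```

Each finding maps to an inventory action: rogue devices are investigated before being added, misplaced ones are checked against the documented segment, and stale ones are verified with their owner before the record is retired.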
ID.AM-02
Inventories of software, services, and systems managed by the organization are maintained
Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
A complete software and service inventory is fundamental to effective security management as it enables organizations to track what needs to be patched, monitored, and secured. Without knowing what software and services exist in your environment, it's impossible to properly secure them against vulnerabilities or ensure compliance with licensing requirements.
Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
Continuous monitoring of software and service inventory changes helps detect unauthorized modifications, potential vulnerabilities, and security risks in real-time. This includes tracking new software installations, updates, removals, and configuration changes across physical servers, virtual machines, and container environments like Docker or Kubernetes. Without this monitoring, malicious software could be installed or legitimate services could be modified without detection.
Does your organization maintain a comprehensive inventory of all systems within your environment?
A system inventory is a foundational security control that documents all hardware, software, and information systems that process, store, or transmit organizational data. Without knowing what systems exist in your environment, it's impossible to properly secure them against threats or ensure they meet compliance requirements.
ID.AM-03
Representations of the organization's authorized network communication and internal and external network data flows are maintained
Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?
Network baselines document normal communication patterns and data flows, enabling the detection of anomalies that could indicate security incidents. These baselines should include information about expected traffic volumes, protocols, source/destination pairs, and timing patterns for both wired and wireless networks.
Does your organization document and maintain baselines of expected communication patterns and data flows with third parties?
Establishing and maintaining baselines of communication and data flows with third parties helps detect anomalous activities that could indicate security incidents. These baselines should document expected network traffic patterns, data exchange volumes, access requirements, and communication protocols between your organization and each third party. Regular reviews of these baselines against actual traffic can reveal unauthorized changes or potential security breaches.
Does your organization maintain and document baseline communication and data flow patterns for all infrastructure-as-a-service (IaaS) environments?
Maintaining baselines of communication and data flows helps identify abnormal patterns that could indicate security incidents or unauthorized access within your IaaS environments. These baselines should document expected network traffic patterns, data transfer volumes, API calls, and service-to-service communications across your cloud infrastructure.
Does your organization maintain documentation of expected network ports, protocols, and services used among authorized systems?
This documentation serves as a baseline for normal network activity, allowing security teams to identify unauthorized or suspicious communications. It should include details such as port numbers, protocols (TCP/UDP), services (HTTP, SSH, etc.), and the systems that legitimately use them.
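As an added example (not part of the questionnaire or any ResponseHub code), the baseline described here expressed as data and checked against a batch of observed flows. The baseline entries, host names and flow records are constructed assumptions.

```python
"""Check observed flows against the documented ports/protocols/services baseline.
Added example, not from the original questionnaire; baseline entries, host names
and flow records are constructed assumptions."""
# Constructed baseline of authorized communications among named systems:
# (source, destination, protocol, destination port) -> service. "*" = any source.
BASELINE = {
    ("web01", "db01", "tcp", 5432): "postgres",
    ("jump01", "web01", "tcp", 22): "ssh",
    ("jump01", "db01", "tcp", 22): "ssh",
    ("*", "web01", "tcp", 443): "https",
    ("*", "dns01", "udp", 53): "dns",
}

# Constructed flow records as a collector might export them:
# "<src> <dst> <proto> <dport> <bytes>", one per line.
FLOW_LOG = """\
client7 web01 tcp 443 18234
web01 db01 tcp 5432 9921
jump01 db01 tcp 22 4410
web01 db01 tcp 22 2200
db01 203.0.113.9 tcp 443 5200000
"""

def parse_flows(text):
    """Return (src, dst, proto, dport, bytes) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            src, dst, proto, dport, nbytes = parts
            flows.append((src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows

def is_authorized(baseline, src, dst, proto, dport):
    """Exact source match first, then a wildcard-source baseline entry."""
    return (src, dst, proto, dport) in baseline or ("*", dst, proto, dport) in baseline

def find_deviations(baseline, flows):
    """Flows absent from the baseline, each with a reason a reviewer can act on."""
    known = {h for key in baseline for h in key[:2] if h != "*"}
    deviations = []
    for src, dst, proto, dport, nbytes in flows:
        if is_authorized(baseline, src, dst, proto, dport):
            continue
        reason = ("unexpected service path between known systems" if dst in known
                  else "destination not in baseline (possible egress to unknown host)")
        deviations.append({"flow": (src, dst, proto, dport), "bytes": nbytes, "reason": reason})
    return deviations
```

A deviation is either a documentation gap (the baseline is stale and should be updated through the change process) or a finding to investigate; the byte count helps triage which.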
ID.AM-04
Inventories of services provided by suppliers are maintained
Does your organization maintain a comprehensive inventory of all external services, including cloud services (IaaS, PaaS, SaaS), APIs, and other externally hosted application services?
Maintaining an inventory of external services helps identify potential security risks, compliance requirements, and dependencies that could impact your organization. This inventory should include cloud services like AWS or Azure (IaaS), Heroku or Google App Engine (PaaS), Microsoft 365 or Salesforce (SaaS), as well as any third-party APIs and externally hosted applications your systems interact with.
Does your organization update its external service inventory when a new third-party service is adopted to ensure proper cybersecurity risk monitoring?
Maintaining an updated inventory of external services is crucial for tracking third-party risk exposure and ensuring appropriate security monitoring is in place. When new cloud services, SaaS applications, or other external dependencies are adopted, they introduce potential security vulnerabilities that must be identified and managed.
ID.AM-05
Assets are prioritized based on classification, criticality, resources, and impact on the mission
Has your organization established and documented criteria for prioritizing different classes of assets based on their criticality and value?
This question assesses whether your organization has a formal methodology for categorizing and prioritizing assets (such as data, systems, applications, and infrastructure) according to their importance to business operations, sensitivity of information, and potential impact if compromised. Effective asset prioritization helps allocate security resources appropriately and ensures that the most critical assets receive proportionate protection measures. As evidence, you could provide a documented asset classification framework that defines criteria for prioritization (e.g., business impact, regulatory requirements, replacement cost, data sensitivity), along with a sample asset inventory showing how these criteria have been applied to categorize existing assets.
Has your organization established and applied asset prioritization criteria to classify and rank assets based on their criticality?
Asset prioritization helps organizations allocate security resources efficiently by identifying which assets require the highest levels of protection based on their value, sensitivity, and business impact. This process typically involves categorizing assets (such as systems, data, and applications) according to predefined criteria like business criticality, regulatory requirements, and potential impact if compromised.
Does your organization maintain a documented process for tracking and periodically updating asset priorities, especially following significant organizational changes?
Asset prioritization helps organizations allocate security resources effectively by identifying which systems and data are most critical to operations or most vulnerable to threats. Regular updates to these priorities ensure that security controls remain aligned with the organization's current risk landscape as business objectives, system architectures, or threat environments change.
ID.AM-06
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.AM-07
Inventories of data and corresponding metadata for designated data types are maintained
Does your organization maintain a documented inventory of designated data types of interest that require protection?
This question assesses whether your organization has formally identified and cataloged sensitive data categories that require special handling and protection. Examples include personally identifiable information (PII), protected health information (PHI), financial account data, intellectual property, and operational technology data.
Does your organization have a process to continuously discover and analyze ad hoc data to identify new instances of sensitive data types?
This question assesses whether your organization actively monitors and analyzes data across systems to identify previously unknown or newly created instances of sensitive information (like PII, financial data, or intellectual property). Continuous discovery helps prevent data sprawl and ensures that all sensitive information receives appropriate protection controls regardless of where it resides or when it was created.
Has your organization implemented a system for assigning data classifications to designated data types through tags or labels?
Data classification through tags or labels helps organizations identify and manage sensitive information according to its security requirements. By implementing a tagging system, you can ensure appropriate controls are applied based on data sensitivity levels (e.g., public, internal, confidential, restricted). This practice enables automated policy enforcement, simplifies compliance reporting, and helps prevent data leakage or mishandling.
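As an added example (not part of the questionnaire or any ResponseHub code) covering both the continuous-discovery and the tagging questions above: records are scanned for designated data types and the most sensitive type found decides the label. The detectors, the label scheme and the sample records are constructed assumptions.

```python
"""Discover designated sensitive data types in records and assign a label.
Added example, not from the original questionnaire; the detectors, the label
scheme and the sample records are constructed assumptions."""
import re

# Detectors for designated data types (constructed patterns, not a full DLP ruleset).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")
US_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Label scheme: the most sensitive type found decides the record's label.
LABELS = {"card": "restricted", "ssn": "restricted", "email": "confidential"}
RANK = {"restricted": 3, "confidential": 2, "internal": 1}
DEFAULT_LABEL = "internal"

def luhn_ok(digits):
    """Luhn checksum, so that arbitrary digit runs are not tagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def detect_types(text):
    """Return the set of designated data types present in the text."""
    found = {name for name, rx in (("email", EMAIL_RE), ("ssn", US_SSN_RE)) if rx.search(text)}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card")
    return found

def classify(text):
    """Return (label, sorted types); the highest-ranked label among detected types wins."""
    types = detect_types(text)
    labels = [LABELS[t] for t in types] or [DEFAULT_LABEL]
    return max(labels, key=RANK.get), sorted(types)

# Constructed sample records; the card number is a well-known synthetic test value.
SAMPLE_RECORDS = [
    "Ticket 4411: customer asks about invoice, contact jane.doe@example.com",
    "Payment retry for card 4111 1111 1111 1111, ref 98765",
    "Quarterly roadmap notes, no personal data, order 1234567890123456",
    "Applicant SSN 123-45-6789 received, forward to HR",
]
```

The third record shows why the checksum matters: a 16-digit order number that fails Luhn stays "internal" instead of being over-labelled as restricted.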
Does your organization maintain a tracking system that records the provenance, data owner, and geolocation for all designated sensitive data types?
This question assesses whether your organization has implemented data tracking mechanisms that maintain visibility of where sensitive data originated from, who is responsible for it, and where it is physically or virtually stored. Such tracking is essential for data governance, regulatory compliance (like GDPR or CCPA), and enables proper incident response when data breaches occur.
ID.AM-08
Systems, hardware, software, services, and data are managed throughout their life cycles
Has your organization implemented a Secure Development Lifecycle (SDL) that integrates cybersecurity considerations at each phase for all systems, hardware, software, and services?
A Secure Development Lifecycle ensures cybersecurity is built into products from requirements through deployment and maintenance, rather than added as an afterthought. This includes security requirements gathering, threat modeling during design, secure coding practices, security testing during development, and security validation before release. It also covers post-deployment security monitoring and update processes.
Has your organization integrated cybersecurity considerations into all phases of your product development lifecycle?
This question assesses whether security is built into products from conception through retirement rather than added as an afterthought. Effective integration includes security requirements gathering, threat modeling during design, secure coding practices during development, security testing before release, and vulnerability management post-deployment.
Does your organization have a process to identify and manage unauthorized or unapproved technology solutions (shadow IT) being used to meet business objectives?
Shadow IT refers to technology systems, software, devices, or services used within an organization without explicit IT department approval or knowledge. These unofficial solutions often emerge when employees seek to improve productivity or overcome limitations in approved tools. Examples include using personal cloud storage accounts for work files, unauthorized collaboration tools, or employee-developed applications.
Does your organization have a formal process to periodically identify and remove redundant systems, hardware, software, and services that could unnecessarily increase your attack surface?
Redundant or unnecessary systems and components expand your organization's attack surface, creating additional entry points for attackers while increasing maintenance overhead. These might include legacy systems no longer in active use, duplicate software installations, orphaned cloud resources, or services running without business justification.
Does your organization have a formal pre-deployment security hardening process for all systems, hardware, software, and services before they enter production?
This question assesses whether your organization follows a systematic approach to secure all technology components before they become operational in your production environment. Proper pre-deployment hardening includes activities such as removing unnecessary services, applying security patches, configuring secure authentication, implementing least privilege access controls, and ensuring secure network configurations. As evidence, you could provide documentation of your pre-deployment security checklist, hardening standards for different system types, screenshots of configuration management tools, or sample security validation reports that must be completed before production deployment approval.
Does your organization update asset inventories when systems, hardware, software, and services are moved or transferred internally?
Maintaining accurate asset inventories requires updating records whenever assets change location or ownership within the organization. This includes documenting when workstations are reassigned to different departments, when servers are relocated to different data centers, or when software licenses are transferred between business units. Without these updates, organizations risk losing track of critical assets, creating security blind spots, and making inaccurate decisions based on outdated information.
Does your organization have a documented process for securely destroying data according to your retention policy, including maintaining destruction records?
This question assesses whether your organization properly destroys data when it reaches the end of its retention period using appropriate destruction methods, and maintains records of these destructions. Proper data destruction prevents unauthorized access to sensitive information that is no longer needed and demonstrates compliance with data protection regulations like GDPR or CCPA.
Does your organization have a documented procedure for securely sanitizing data storage media before hardware is retired, decommissioned, reassigned, or sent for repairs?
Data sanitization ensures that sensitive information cannot be recovered from storage media when hardware leaves your control. Without proper sanitization, confidential data, credentials, or intellectual property could be exposed to unauthorized parties even after physical possession of the hardware changes.
Does your organization provide secure methods for destroying paper documents, storage media, and other physical forms of data storage?
Proper data destruction methods prevent unauthorized access to sensitive information that may remain on physical media after disposal. Organizations should have documented procedures for securely destroying different types of media including paper shredding, hard drive degaussing or physical destruction, and secure disposal of removable media like USB drives or backup tapes.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.