Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
Explanation
A complete software and service inventory is fundamental to effective security management as it enables organizations to track what needs to be patched, monitored, and secured. Without knowing what software and services exist in your environment, it's impossible to properly secure them against vulnerabilities or ensure compliance with licensing requirements.
Evidence of fulfillment could include a centralized software asset management (SAM) database or spreadsheet that lists all applications with details such as vendor, version, purpose, owner, deployment location (on-premises/cloud), licensing information, and security approval status.
Implementation Example
Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services.
ID: ID.AM-02.122
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.AM: Asset Management
- Sub-Category
  - Inventories of software, services, and systems managed by the organization are maintained
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real time?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?
- Does your organization document and maintain baselines of expected communication patterns and data flows with third parties?

