Does your organization maintain a comprehensive inventory of all systems within your environment?
Explanation
A system inventory is a foundational security control that documents all hardware, software, and information systems that process, store, or transmit organizational data. Without knowing what systems exist in your environment, it's impossible to properly secure them against threats or ensure they meet compliance requirements.
Evidence of fulfillment could include a centralized asset management database, spreadsheet, or specialized inventory management tool that lists all systems with details such as system name/ID, owner, location, purpose, operating system, IP address, and security classification.
Implementation Example
Maintain an inventory of the organization's systems
ID: ID.AM-02.124
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Inventories of software, services, and systems managed by the organization are maintained
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?
- Does your organization document and maintain baselines of expected communication patterns and data flows with third parties?

