CIS-1.1 / CIS-2.1 / CIS-7.1 / NIST CM-8 CIS Controls v8

Asset inventory drives patching scope

Demonstrate that the organization's asset inventory is complete, accurate, and directly integrated into vulnerability management and patch deployment processes such that all identified assets are included in patching scope.

Description

What this control does

This control ensures that the organization's comprehensive asset inventory serves as the authoritative source for defining the scope of vulnerability management and patch deployment activities. All systems, applications, and network devices documented in the asset inventory must be included in regular vulnerability scanning and patch management processes. By maintaining a complete and accurate asset register, the organization prevents unmanaged or forgotten systems from becoming security blind spots that evade patching cycles and accumulate exploitable vulnerabilities.

Control objective

What auditing this proves

Demonstrate that the organization's asset inventory is complete, accurate, and directly integrated into vulnerability management and patch deployment processes such that all identified assets are included in patching scope.

Associated risks

Risks this control addresses

  • Untracked or shadow IT assets accumulate critical vulnerabilities and remain unpatched, providing attackers with easy entry points into the network
  • Incomplete asset inventories result in critical systems being excluded from patch cycles, allowing known exploits to persist in production environments
  • Attackers exploit legacy or decommissioned systems that remain connected but absent from asset management databases
  • Vulnerability scanners miss entire subnets or application portfolios due to incomplete scope definitions derived from outdated inventories
  • Compliance violations and audit findings occur when regulated systems are discovered but not documented or included in security maintenance processes
  • Incident response teams lack visibility into compromised assets that were never inventoried, delaying containment and forensic investigation
  • Resource waste occurs when patching teams deploy updates to decommissioned systems while missing active production assets due to inventory inaccuracies

Testing procedure

How an auditor verifies this control

  1. Obtain the current asset inventory from the configuration management database (CMDB) or asset management system, including all documented systems, applications, and network devices.
  2. Review the patch management policy and procedure documentation to verify that asset inventory is explicitly designated as the authoritative source for defining patching scope.
  3. Export the current scope configuration from the vulnerability scanning tool and patch management platform, including all target IP ranges, hostnames, and asset groups.
  4. Compare the asset inventory records against the vulnerability scanning scope to identify any assets present in inventory but excluded from scanning activities.
  5. Select a sample of 15-20 assets across different types (servers, workstations, network devices, cloud resources) from the inventory and verify each appears in recent vulnerability scan results.
  6. Conduct a discovery scan or network reconnaissance using approved tools to identify active systems on production networks, then cross-reference discovered assets against the official inventory to detect undocumented systems.
  7. Review patch deployment records and maintenance logs for the sample assets to confirm that patching activities correlate with vulnerability findings and asset inventory status.
  8. Interview IT operations and vulnerability management personnel to validate the process for adding newly discovered or provisioned assets to both the inventory and patching scope within defined timeframes.

Evidence required

Collect exports of the complete asset inventory from the CMDB or asset management system showing all tracked systems with asset types, ownership, and status. Obtain configuration exports from vulnerability scanning and patch management platforms displaying defined scan targets, asset groups, and scope parameters. Capture recent vulnerability scan reports, patch deployment logs, and network discovery scan results demonstrating coverage of inventoried assets and detection of any unmanaged systems.

Pass criteria

The control passes if 100% of sampled assets from the inventory appear in vulnerability scan results, no material gaps exist between inventory records and patching scope definitions, and documented processes mandate that inventory updates trigger corresponding changes to vulnerability management and patching scope within defined timeframes.
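The reconciliation that steps 4 to 7 and the pass criteria describe, written out as an added Python example (not part of this control catalogue or any auditing product): the CMDB export, the scanner scope and the discovery-scan results are constructed sample data, and the field names are assumptions about what such an export contains.

```python
import ipaddress

# Constructed sample data (not from the page): a CMDB export, the scanner's
# configured scope (CIDRs and hostnames), and hosts seen by an approved
# discovery scan of the production network.
CMDB = [
    {"name": "web-01", "ip": "10.0.1.10", "type": "server", "status": "active"},
    {"name": "db-01", "ip": "10.0.1.20", "type": "server", "status": "active"},
    {"name": "sw-core", "ip": "10.0.9.1", "type": "network", "status": "active"},
    {"name": "old-app", "ip": "10.0.2.5", "type": "server", "status": "decommissioned"},
    {"name": "ws-117", "ip": "10.0.5.117", "type": "workstation", "status": "active"},
]
SCAN_SCOPE = ["10.0.1.0/24", "10.0.5.0/24"]
DISCOVERED = ["10.0.1.10", "10.0.1.20", "10.0.9.1", "10.0.5.117",
              "10.0.2.5", "10.0.5.200"]


def in_scope(asset, scope):
    """True if the asset's IP falls inside a scoped CIDR or its name/IP is listed."""
    ip = ipaddress.ip_address(asset["ip"])
    for entry in scope:
        if "/" in entry:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry in (asset["name"], asset["ip"]):
            return True
    return False


def reconcile(cmdb, scope, discovered):
    """Compare inventory, scan scope and discovery results; report the gaps."""
    active = [a for a in cmdb if a["status"] == "active"]
    # Step 4: inventoried, active assets the scanner is never pointed at.
    not_scanned = sorted(a["name"] for a in active if not in_scope(a, scope))
    # Step 6: live hosts with no inventory record at all (shadow/forgotten systems).
    known_ips = {a["ip"] for a in cmdb}
    undocumented = sorted(ip for ip in discovered if ip not in known_ips)
    # Step 7: records marked decommissioned that still answer on the network.
    stale = sorted(a["name"] for a in cmdb
                   if a["status"] != "active" and a["ip"] in discovered)
    coverage = 100.0 * (len(active) - len(not_scanned)) / len(active) if active else 0.0
    # Strict reading of the pass criteria: full coverage and no inventory gaps.
    passed = coverage == 100.0 and not undocumented
    return {"coverage_pct": coverage, "not_in_scan_scope": not_scanned,
            "undocumented_hosts": undocumented, "stale_but_live": stale,
            "passed": passed}


if __name__ == "__main__":
    for key, value in reconcile(CMDB, SCAN_SCOPE, DISCOVERED).items():
        print(f"{key}: {value}")
```

On the sample data the core switch is inventoried but outside every scanned range, one live host is absent from the CMDB, and a decommissioned record is still reachable, so the control fails on both coverage and inventory accuracy.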

Where this control is tested

Audit programs including this control