Do you maintain a complete inventory of owned domains and subdomains, including legacy / acquired ones?
Description
What this control does
This control requires the organization to maintain a comprehensive, continuously updated inventory of all Internet-facing domains and subdomains under organizational ownership or control, including those inherited through mergers and acquisitions, left behind by legacy systems, or registered on the organization's behalf by agencies, vendors, and individual employees. The inventory must record registration details (registrar, expiry date, registrant contact), nameserver and DNS hosting configuration, ownership records, and operational status so that it can drive attack surface management. Without this inventory, expired, abandoned, or forgotten domains and subdomains can be re-registered or taken over by attackers and used for phishing, credential interception, or brand impersonation; attackers routinely enumerate and target exactly these orphaned organizational assets.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, documented, and current inventory of all owned and controlled domains and subdomains, including legacy and acquired assets, with verification processes to detect untracked or unauthorized registrations.
Associated risks
Risks this control addresses
- Attackers exploit abandoned or unmonitored subdomains for phishing campaigns that trade on organizational brand trust and, where no enforced SPF/DMARC policy covers the subdomain, can pass recipient email authentication checks
- Subdomain takeover occurs when a DNS record (typically a CNAME) still points to a decommissioned cloud service, such as a deleted storage bucket or application hostname that anyone can claim at the provider; the adversary then serves content, and can obtain certificates, under an organizational hostname
- Legacy domains and hosts from acquisitions remain unpatched and outside the perimeter controls applied to known assets, providing initial access vectors that bypass defenses scoped to the documented estate
- Certificates for unknown subdomains are neither tracked nor renewed, so expired or mis-issued certificates on forgotten hosts enable man-in-the-middle attacks, and certificate transparency monitoring cannot distinguish legitimate issuance from attacker-obtained certificates when there is no inventory to compare log entries against
- Shadow IT creates untracked domains and subdomains outside procurement and security review processes, introducing unvetted third-party dependencies
- Data exfiltration occurs through forgotten but still-functional subdomains that lack logging, monitoring, or access controls applied to production environments
- Regulatory compliance failures result from inability to demonstrate control over all digital assets processing regulated data across merged organizational entities
Testing procedure
How an auditor verifies this control
- Request the organization's current domain and subdomain inventory documentation, including data sources, update frequency, and responsible ownership roles.
- Review domain registration records from all registrars used by the organization, comparing registered domains against the provided inventory to identify discrepancies.
- Execute automated subdomain enumeration against a sample of primary organizational domains using certificate transparency logs (for example crt.sh), passive DNS databases, and DNS brute-force or zone-walking tools.
- Compare enumeration results against the official inventory to identify undocumented subdomains, focusing on naming patterns that indicate legacy systems or acquisitions, and resolve each discovered name to flag records that point at decommissioned or unclaimed third-party services (candidate subdomain takeovers).
- Select three acquired or merged entities from the past five years and trace their historical domain portfolios through WHOIS history and acquisition documentation.
- Interview IT, DevOps, and security teams to understand the process for onboarding new domains, decommissioning old ones, and discovering shadow IT registrations.
- Review change management records for the past quarter to verify that domain additions, modifications, and decommissions trigger inventory updates within defined timeframes.
- Test the inventory's operational integration by verifying that discovered domains feed into vulnerability scanning, certificate monitoring, and DNS security controls such as SPF, DKIM, DMARC, and CAA record management.
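The comparison and resolution steps above, and the dangling-record condition behind the subdomain takeover risk, reduce to a reconciliation job. The script below is an added example, not part of the original control text or of any auditor's tooling: it normalizes hostnames as they come out of certificate transparency logs (mixed case, trailing dots, wildcard entries), maps each one to an inventoried apex on a label boundary, separates documented from undocumented names, and flags CNAMEs whose targets no longer resolve. The inventory, enumeration results, CNAME map, and set of live targets are all constructed for the demo; a real run would feed enumeration output into DISCOVERED and replace the two dictionaries with lookups against a resolver.

```python
# Added example: reconcile enumerated hostnames against a domain inventory and
# flag candidate dangling CNAMEs. All data below is constructed for the demo;
# in practice DISCOVERED comes from CT logs / passive DNS and CNAMES and
# LIVE_TARGETS come from real DNS lookups (e.g. via dnspython), which this
# script avoids so it runs offline.
from collections import defaultdict

# Constructed inventory: apex -> set of documented subdomains.
INVENTORY = {
    "example.com": {"www.example.com", "api.example.com", "mail.example.com"},
    "acquired-co.net": {"www.acquired-co.net"},
}

# Constructed enumeration output, with the noise CT logs typically contain.
DISCOVERED = [
    "WWW.example.com.",          # mixed case and trailing dot
    "api.example.com",
    "old-shop.example.com",      # legacy storefront nobody documented
    "mail.example.com",
    "*.example.com",             # wildcard certificate entry
    "staging.acquired-co.net",   # inherited through an acquisition
    "cdn.acquired-co.net",
    "login.example.co",          # look-alike apex the organization does not own
]

# Constructed DNS view: host -> CNAME target, plus the targets that still answer.
CNAMES = {
    "old-shop.example.com": "old-shop-assets.s3-website-us-east-1.amazonaws.com",
    "staging.acquired-co.net": "acq-staging.azurewebsites.net",
    "cdn.acquired-co.net": "d111111abcdef8.cloudfront.net",
}
LIVE_TARGETS = {"d111111abcdef8.cloudfront.net"}


def normalize(name):
    """Lowercase, drop the trailing dot, and split off a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    return name, wildcard


def inventoried_apex(host, inventory):
    """Return the inventory apex that host equals or sits under, else None.
    The '.' + apex check enforces a label boundary so that 'notexample.com'
    does not match 'example.com'."""
    for apex in inventory:
        if host == apex or host.endswith("." + apex):
            return apex
    return None


def is_dangling(host, cnames, live_targets):
    """A CNAME whose target no longer resolves is the takeover precondition:
    a deleted bucket, app hostname or distribution someone else may claim."""
    target = cnames.get(host)
    return target is not None and target not in live_targets


def reconcile(discovered, inventory, cnames, live_targets):
    """Bucket every discovered name: documented, undocumented, wildcard,
    out of scope (unknown apex), and, independently, dangling."""
    report = defaultdict(list)
    for raw in discovered:
        host, wildcard = normalize(raw)
        apex = inventoried_apex(host, inventory)
        if apex is None:
            report["out_of_scope"].append(host)
            continue
        if wildcard:
            report["wildcards"].append(host)
            continue
        if host == apex or host in inventory[apex]:
            report["documented"].append(host)
        else:
            report["undocumented"].append(host)
        # Documented names can dangle too, so check regardless of bucket.
        if is_dangling(host, cnames, live_targets):
            report["dangling"].append(host)
    return {bucket: sorted(set(hosts)) for bucket, hosts in report.items()}


def run_demo():
    """Run the reconciliation over the constructed data and return the report."""
    return reconcile(DISCOVERED, INVENTORY, CNAMES, LIVE_TARGETS)


if __name__ == "__main__":
    for bucket, hosts in run_demo().items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Two caveats for anyone adapting this. A CNAME target that returns NXDOMAIN is a signal, not proof of exploitability: whether the name can actually be taken over depends on whether the provider lets an arbitrary account claim that hostname, so each "dangling" hit needs a manual check against the provider's behaviour before it is reported as a takeover. Out-of-scope names are also worth a second look, since look-alike apexes that surface near organizational names in CT logs are often the brand impersonation the control is meant to catch.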