ID.AM-1 / ID.AM-2 / CM-8 (NIST CSF v1.1)

Do you have an up-to-date inventory of hardware, software, and data assets?

Demonstrate that the organization maintains a complete, accurate, and current inventory of all hardware, software, and data assets with sufficient metadata to support risk management and operational decisions.

Description

What this control does

This control requires the organization to maintain a current, comprehensive inventory of all hardware devices (servers, workstations, mobile devices, network equipment), software applications (licensed, open-source, SaaS), and data assets (databases, file repositories, classified datasets). The inventory must include identifying attributes such as owner, location, criticality, version, and business function. Accurate asset inventories enable risk identification, vulnerability management, incident response, and compliance verification by ensuring the organization knows what it owns, where it resides, and how it supports business operations.

Control objective

What auditing this proves

Demonstrate that the organization maintains a complete, accurate, and current inventory of all hardware, software, and data assets with sufficient metadata to support risk management and operational decisions.

Associated risks

Risks this control addresses

  • Unmanaged or shadow IT assets introduce vulnerabilities that are not patched or monitored, creating entry points for attackers
  • Unauthorized software installations may include malware, unlicensed applications, or tools with known exploits that evade detection
  • Data assets stored in unknown locations cannot be protected, leading to exposure of sensitive information during breaches or insider threats
  • Inability to correlate security alerts or anomalies to specific assets delays incident response and containment
  • Compliance failures occur when auditors cannot verify protection of regulated data or systems that are undocumented
  • Resource waste and licensing violations result from purchasing duplicate software or maintaining unnecessary hardware

Testing procedure

How an auditor verifies this control

  1. Request the organization's current hardware, software, and data asset inventories and verify the last update date is within the past 90 days
  2. Review the inventory schema to confirm it includes critical attributes such as asset owner, location, business function, criticality rating, version or model, IP address or identifier, and data classification
  3. Select a random physical location and conduct a walkthrough to identify hardware assets, comparing observed devices against the inventory for completeness
  4. Query the organization's network scanning tools, endpoint management systems, or configuration management databases to obtain automated asset discovery reports
  5. Compare automated discovery outputs with the documented inventory to identify discrepancies, undocumented assets, or orphaned entries
  6. For software assets, pull a sample of installed applications from 10-15 endpoints using endpoint detection tools and verify each appears in the software inventory with accurate version information
  7. Interview asset owners or data stewards for 3-5 critical systems to validate inventory metadata accuracy, including business function and criticality classification
  8. Review asset inventory change management records or audit logs from the past quarter to confirm the process for adding, modifying, or decommissioning assets is followed consistently

Evidence required

Collect current asset inventory exports in spreadsheet or CMDB format showing hardware, software, and data assets with metadata fields. Obtain automated discovery tool reports (network scans, endpoint agent outputs, cloud asset management dashboards) and reconciliation documentation. Gather photographs or observation notes from physical walkthroughs, change management tickets for recent asset additions or removals, and interview notes from asset owner validations.

Pass criteria

The inventory is comprehensive with all identified assets documented, updated within 90 days, includes required metadata fields, and reconciles with automated discovery tools with discrepancies documented and resolved or scheduled for remediation.
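Steps 1, 2, 5 and 6 of the testing procedure and the pass criteria above amount to a reconciliation that can be scripted. The following is an added example, not part of this control page or of any CMDB or discovery vendor's tooling: it compares a constructed CMDB export against a constructed discovery output and reports undocumented assets, orphaned entries, version mismatches, blank required attributes, and records older than the 90-day window. The field names, sample hosts and dates are assumptions chosen for the illustration.

```python
from datetime import date, timedelta

# Attributes the testing procedure (step 2) expects on every inventory record.
REQUIRED_FIELDS = ("identifier", "owner", "location", "business_function", "criticality", "version")
MAX_AGE_DAYS = 90  # pass criteria: records updated within the past 90 days
# Constructed sample data; none of these hosts or values come from a real organization.
INVENTORY = [  # documented CMDB export
    {"identifier": "10.0.1.10", "owner": "dba-team", "location": "DC-A", "business_function": "orders db",
     "criticality": "high", "version": "15.4", "last_updated": "2024-05-02"},
    {"identifier": "10.0.1.11", "owner": "web-team", "location": "DC-A", "business_function": "storefront",
     "criticality": "high", "version": "1.24.0", "last_updated": "2024-01-15"},
    {"identifier": "10.0.1.12", "owner": "", "location": "DC-B", "business_function": "legacy reporting",
     "criticality": "low", "version": "2.1", "last_updated": "2024-04-20"},
]
DISCOVERY = [  # automated network / endpoint discovery output
    {"identifier": "10.0.1.10", "version": "15.6"},
    {"identifier": "10.0.1.11", "version": "1.24.0"},
    {"identifier": "10.0.1.50", "version": "unknown"},
]

def reconcile(inventory, discovery, as_of, max_age_days=MAX_AGE_DAYS):
    """Compare the documented inventory with discovery output; as_of is an ISO date string."""
    inv = {a["identifier"]: a for a in inventory}
    disc = {a["identifier"]: a for a in discovery}
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    return {
        # observed by discovery but absent from the inventory (step 5: undocumented assets)
        "undocumented": sorted(disc.keys() - inv.keys()),
        # documented but no longer observed (step 5: orphaned entries)
        "orphaned": sorted(inv.keys() - disc.keys()),
        # present in both, but the recorded version disagrees with what is installed (step 6)
        "version_mismatch": sorted(i for i in inv.keys() & disc.keys()
                                   if inv[i]["version"] != disc[i]["version"]),
        # a required attribute is absent or blank (step 2)
        "missing_fields": {i: [f for f in REQUIRED_FIELDS if not a.get(f)]
                           for i, a in inv.items() if any(not a.get(f) for f in REQUIRED_FIELDS)},
        # record not updated inside the window (step 1 and pass criteria)
        "stale": sorted(i for i, a in inv.items()
                        if date.fromisoformat(a["last_updated"]) < cutoff),
    }

def passes(findings):
    """Pass criteria as a single check: every finding category must be empty."""
    return not any(findings.values())

if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERY, as_of="2024-06-01")
    print(result)
    print("PASS" if passes(result) else "FAIL: document and resolve or schedule each discrepancy")
```

Each non-empty category in the result is a discrepancy the auditor would expect to see documented and either resolved or scheduled for remediation.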