CIS-1.1 / CM-8 / A.8.1 CIS Controls v8

Do you maintain an inventory of internal assets including OS, software, and version?

Demonstrate that the organization maintains a current, accurate, and comprehensive inventory of all internal assets that includes operating system types, installed software applications, and version information for each asset.

Description

What this control does

This control requires organizations to create and continuously maintain a comprehensive inventory of all internal assets, including details such as operating systems, installed software packages, and their respective versions. The inventory serves as a foundational element for vulnerability management, patch prioritization, and incident response by providing visibility into the organization's attack surface. Automated discovery tools and configuration management databases (CMDBs) are typically used to track hardware and software assets across on-premises, cloud, and hybrid environments.

Control objective

What auditing this proves

Demonstrate that the organization maintains a current, accurate, and comprehensive inventory of all internal assets that includes operating system types, installed software applications, and version information for each asset.

Associated risks

Risks this control addresses

  • Unpatched vulnerabilities go undetected because unknown or untracked systems are not included in vulnerability scanning or patch management programs
  • Unauthorized or shadow IT assets operate without security controls, creating entry points for attackers to establish initial access
  • Incident response teams cannot determine scope of compromise when affected systems or software versions are not documented in the inventory
  • End-of-life or unsupported software remains in production undetected, exposing the organization to exploits with no available patches
  • License compliance violations occur when software installations are not tracked, resulting in legal and financial penalties
  • Attack surface expansion goes unmonitored as new assets are deployed without being registered in the inventory system
  • Ineffective risk prioritization results from incomplete asset data, causing critical systems to receive inadequate protection

Testing procedure

How an auditor verifies this control

  1. Request the organization's current asset inventory database or CMDB export containing all internal assets with OS, software, and version details
  2. Review the inventory management policy and procedures to understand the scope, frequency of updates, and responsible parties for maintaining asset records
  3. Select a representative sample of 20-30 assets across different departments, locations, and asset types (servers, workstations, network devices) from the inventory
  4. Perform independent discovery scans using network scanning tools or agent-based asset management systems to identify assets in the sampled network segments
  5. Compare the results of independent scans against the official inventory to identify discrepancies, missing assets, or outdated information
  6. Verify that the inventory includes mandatory attributes for sampled assets: hostname/asset ID, operating system type and version, installed software packages, software versions, and last update timestamp
  7. Interview IT operations and security personnel to confirm the processes for adding new assets, updating software versions, and decommissioning retired assets
  8. Review evidence of inventory reconciliation activities from the past 90 days, including variance reports and remediation actions taken for inventory discrepancies

Evidence required

The auditor collects exports from the asset inventory system or CMDB showing complete asset records with OS and software version data, timestamped reports from automated discovery scans, and variance or reconciliation reports. Policy documentation describing inventory maintenance procedures, roles and responsibilities, and update frequency requirements should be obtained. Screenshots or configuration files from scanning tools, sample asset records demonstrating required data fields, and records of inventory review meetings or remediation tickets addressing discovered gaps provide supporting evidence.

Pass criteria

The control passes if the organization maintains a documented asset inventory covering at least 95% of discoverable internal assets, includes OS type, software applications, and version information for each asset, demonstrates inventory updates within the past 90 days, and shows evidence of regular reconciliation processes to address discrepancies.
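The reconciliation in testing steps 4 to 6 and the thresholds in the pass criteria can be turned into a repeatable check. The script below is an added example, not part of this control page or of any inventory product: it compares a CMDB export against independent discovery results, flags unregistered assets, records that discovery could not find, OS data that has drifted, records missing mandatory attributes or software versions, records older than 90 days, and computes coverage against the 95% bar. The CSV layout, the field names, the `software` encoding (`name=version` pairs separated by `;`) and every sample record are constructed for illustration.

```python
"""Reconcile an asset-inventory (CMDB) export against independent discovery
scan output and evaluate it against the control's pass criteria.

Added example.  The export format, field names and all sample data below are
constructed; real CMDB exports and scanner output will differ."""
import csv
import io
from datetime import date, timedelta

COVERAGE_THRESHOLD = 0.95   # pass criteria: >= 95% of discoverable assets
MAX_RECORD_AGE_DAYS = 90    # pass criteria: records updated within 90 days

# Mandatory attributes checked per sampled record (testing step 6).
MANDATORY = ("asset_id", "os_type", "os_version", "software", "last_updated")

# Constructed CMDB export.  "software" holds ';'-separated name=version pairs.
CMDB_EXPORT = """\
asset_id,hostname,os_type,os_version,software,last_updated
A-001,web01,Linux,Ubuntu 22.04,nginx=1.24.0;openssl=3.0.2,2024-05-20
A-002,db01,Linux,RHEL 9.3,postgresql=15.6,2024-01-03
A-003,ws-fin-07,Windows,10 22H2,office=16.0;chrome=124.0,2024-05-28
A-004,old-print,Windows,,,2023-11-15
A-005,jump01,Linux,Debian 12,openssh=9.2p1;curl,2024-06-01
"""

# Constructed discovery-scan output for the sampled network segments, as an
# agent-based or network scan would report it (testing step 4).
DISCOVERED = [
    {"hostname": "web01", "os_type": "Linux", "os_version": "Ubuntu 22.04"},
    {"hostname": "db01", "os_type": "Linux", "os_version": "RHEL 9.3"},
    {"hostname": "ws-fin-07", "os_type": "Windows", "os_version": "10 22H2"},
    {"hostname": "old-print", "os_type": "Windows", "os_version": "Server 2012"},
    {"hostname": "jump01", "os_type": "Linux", "os_version": "Debian 12"},
    {"hostname": "ws-eng-21", "os_type": "Windows", "os_version": "11 23H2"},
    {"hostname": "iot-cam-3", "os_type": "Linux", "os_version": "unknown"},
]


def parse_inventory(export_text):
    """Map hostname -> inventory record from the CSV export."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(export_text))}


def missing_attributes(record):
    """Mandatory fields that are empty on an inventory record."""
    return [f for f in MANDATORY if not record.get(f, "").strip()]


def unversioned_software(record):
    """Installed packages recorded without a version string."""
    out = []
    for item in filter(None, record.get("software", "").split(";")):
        name, _, version = item.partition("=")
        if not version.strip():
            out.append(name.strip())
    return out


def reconcile(export_text, discovered, as_of="2024-06-10"):
    """Compare inventory to discovery and score it against the pass criteria."""
    inventory = parse_inventory(export_text)
    seen = {d["hostname"] for d in discovered}
    cutoff = date.fromisoformat(as_of) - timedelta(days=MAX_RECORD_AGE_DAYS)

    unregistered = sorted(seen - inventory.keys())   # discovered, not in CMDB
    ghosts = sorted(inventory.keys() - seen)         # in CMDB, not discovered
    drift = sorted(                                  # OS data disagrees
        d["hostname"] for d in discovered
        if d["hostname"] in inventory
        and (inventory[d["hostname"]]["os_type"],
             inventory[d["hostname"]]["os_version"]) != (d["os_type"], d["os_version"])
    )
    incomplete = {h: m for h, r in inventory.items() if (m := missing_attributes(r))}
    unversioned = {h: u for h, r in inventory.items() if (u := unversioned_software(r))}
    stale = sorted(h for h, r in inventory.items()
                   if r["last_updated"] and date.fromisoformat(r["last_updated"]) < cutoff)

    # Coverage: share of discoverable assets that have an inventory record.
    coverage = (len(seen) - len(unregistered)) / len(seen) if seen else 0.0
    passed = (coverage >= COVERAGE_THRESHOLD and not incomplete
              and not unversioned and not stale)
    return {"coverage": coverage, "unregistered": unregistered, "ghosts": ghosts,
            "drift": drift, "incomplete": incomplete, "unversioned_software": unversioned,
            "stale": stale, "passed": passed}


if __name__ == "__main__":
    report = reconcile(CMDB_EXPORT, DISCOVERED)
    print(f"coverage: {report['coverage']:.1%} (threshold {COVERAGE_THRESHOLD:.0%})")
    for key in ("unregistered", "ghosts", "drift", "stale"):
        print(f"{key}: {report[key]}")
    print(f"incomplete: {report['incomplete']}")
    print(f"unversioned_software: {report['unversioned_software']}")
    print("PASS" if report["passed"] else "FAIL")
```

Each finding category maps to one of the listed risks: `unregistered` hosts are the untracked or shadow assets that escape scanning, `stale` and `incomplete` records are what leaves end-of-life software unnoticed, and `drift` shows where the record exists but no longer reflects the machine. With the constructed data the run fails on coverage alone (5 of 7 discovered hosts are inventoried), before the attribute and age findings are even considered.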