Do you have a complete, current inventory of internet-facing assets (hosts, services, certificates, domains)?
Demonstrate that the organization maintains a complete, accurate, and current inventory of all internet-facing assets that is actively used for security operations and risk management.
Description
What this control does
This control requires the organization to maintain a continuously updated inventory of all internet-facing assets, including web servers, API endpoints, domain names, SSL/TLS certificates, cloud services, and other externally accessible infrastructure. The inventory must be comprehensive (covering all subsidiaries, business units, and shadow IT), accurate (reflecting current state), and accessible to security and operations teams. This inventory serves as the foundational layer for attack surface management, vulnerability management, and incident response, ensuring defenders know what attackers can see and target.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, accurate, and current inventory of all internet-facing assets that is actively used for security operations and risk management.
Associated risks
Risks this control addresses
- Unmonitored internet-facing assets are exploited through unpatched vulnerabilities unknown to the security team
- Expired or misconfigured SSL/TLS certificates on forgotten endpoints cause outages, teach users to click through browser warnings, and, where the configuration is weak (wrong hostname, weak keys or protocol versions, shared or leaked private keys), undermine the protection TLS is meant to provide
- Shadow IT or abandoned development environments expose sensitive data or provide unauthorized entry points
- Domain registrations expire or are hijacked due to lack of tracking, enabling phishing or brand impersonation
- Incident response teams cannot identify the full scope of a breach because affected assets are not inventoried
- Compliance violations occur when auditors discover internet-facing systems containing regulated data that were not assessed or secured
- Redundant or decommissioned services remain accessible, expanding attack surface unnecessarily and wasting security resources
Testing procedure
How an auditor verifies this control
- Request the organization's current internet-facing asset inventory, including documentation of inventory methodology, data sources, and update frequency.
- Review the inventory schema to verify it captures critical attributes: IP addresses, hostnames, DNS records, service types, ports, SSL/TLS certificate details, asset owners, business criticality, and last verification date.
- Conduct independent external reconnaissance using DNS enumeration tools, Certificate Transparency (CT) logs, and commercial attack surface management platforms to discover internet-facing assets.
- Compare the organization's inventory against independently discovered assets, documenting any assets present in external reconnaissance but absent from the inventory. Confirm that each candidate still resolves and responds before recording it as a gap: CT logs and passive DNS retain names for hosts that have since been decommissioned, and a wildcard certificate hides the real host list behind it, so the zone it covers needs its own DNS and port sweep.
- Select a sample of 15-20 assets from the inventory and verify their current operational status, configuration, and assigned ownership through interviews and technical validation.
- Review evidence of inventory maintenance processes, including automated discovery tool configurations, scheduled update procedures, and change management integration.
- Examine integration points between the asset inventory and other security systems such as vulnerability scanners, SIEM platforms, and certificate management tools.
- Interview asset owners and security personnel to confirm the inventory is actively referenced for security decisions, incident response, and vulnerability remediation prioritization.
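The reconnaissance-and-compare steps of the procedure above (harvest hostnames from Certificate Transparency logs, diff them against the inventory, and flag certificates that have lapsed) as an added Python example. This is not part of the control text or any auditor's tooling; the inventory, the CT records and the fixed clock are constructed samples, and the crt.sh query helper is shown for completeness but not exercised, so the script runs offline.

```python
"""Reconcile an internet-facing asset inventory against hostnames seen in
Certificate Transparency (CT) logs.  Added example; the inventory layout and
the CT records are constructed samples, not data from a real organization."""
import json
import urllib.request
from datetime import datetime, timezone

# crt.sh JSON endpoint; '%25' is a URL-encoded '%' wildcard.
CRTSH_URL = "https://crt.sh/?q=%25.{domain}&output=json"

# Constructed sample inventory: hostnames the organization claims to know about.
INVENTORY = {
    "www.example.com",
    "api.example.com",
    "vpn.example.com",
    "old-portal.example.com",  # listed, but never appears in CT
}

# Constructed sample records in the shape crt.sh returns (fields trimmed).
# 'name_value' carries the SAN list, newline-separated.
SAMPLE_CT_RECORDS = [
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2025-03-01T23:59:59"},
    {"common_name": "api.example.com", "name_value": "api.example.com",
     "not_after": "2025-06-10T23:59:59"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nstaging.dev.example.com",
     "not_after": "2024-01-15T23:59:59"},  # long expired
    {"common_name": "jenkins.example.com", "name_value": "jenkins.example.com",
     "not_after": "2025-09-01T23:59:59"},
]

NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def fetch_ct_records(domain, timeout=30):
    """Live crt.sh query (not executed in this example; the sample stands in).
    CT holds every certificate ever logged for the domain, so the answer is a
    superset of what is deployed today and each hit still needs confirming."""
    req = urllib.request.Request(CRTSH_URL.format(domain=domain),
                                 headers={"User-Agent": "inventory-recon/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def normalize(name):
    """Lowercase, strip whitespace and a trailing dot so names compare equal."""
    return name.strip().lower().rstrip(".")


def names_from_ct(records):
    """Flatten the SAN lists of all records into one set of hostnames."""
    names = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            n = normalize(raw)
            if n:
                names.add(n)
    return names


def reconcile(inventory, ct_names):
    """Three findings an auditor writes up: names CT knows but the inventory
    does not, inventory entries CT never saw, and wildcard certificates, which
    hide the real host list and need a DNS/port sweep of that zone instead."""
    inv = {normalize(h) for h in inventory}
    concrete = {n for n in ct_names if not n.startswith("*.")}
    wildcards = {n for n in ct_names if n.startswith("*.")}
    return {
        "unknown_to_inventory": sorted(concrete - inv),
        "inventory_not_in_ct": sorted(inv - concrete),
        "wildcards": sorted(wildcards),
    }


def latest_expiry(records):
    """Newest not_after per name, so a renewed certificate is not mistaken
    for an expired one just because an older record is still in CT."""
    latest = {}
    for rec in records:
        exp = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for name in names_from_ct([rec]):
            if name not in latest or exp > latest[name]:
                latest[name] = exp
    return latest


def expiring(records, now, within_days=30):
    """Names whose newest certificate has expired or expires within the window."""
    return sorted((name, (exp - now).days)
                  for name, exp in latest_expiry(records).items()
                  if (exp - now).days <= within_days)


if __name__ == "__main__":
    report = reconcile(INVENTORY, names_from_ct(SAMPLE_CT_RECORDS))
    print(json.dumps(report, indent=2))
    for name, days in expiring(SAMPLE_CT_RECORDS, NOW):
        print(f"{name}: {'expired' if days < 0 else 'expires in'} {abs(days)} days")
```

Against the sample data the reconciliation reports `example.com`, `jenkins.example.com` and `staging.dev.example.com` as unknown to the inventory, `old-portal.example.com` and `vpn.example.com` as inventory entries CT never saw, and `*.dev.example.com` as a wildcard to sweep separately. Every "unknown" name is a lead, not yet a finding: resolve it and probe it before writing it up, because CT also records certificates for hosts that were torn down long ago.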