Skip to main content
← All controls
CIS-2.1 / CM-8 / A.8.1.1 CIS Controls v8

SaaS inventory maintained

Demonstrate that the organization maintains an accurate, complete, and current inventory of all SaaS applications in use, including discovery mechanisms for shadow IT and regular validation processes.

Description

What this control does

This control ensures the organization maintains a current, comprehensive inventory of all Software-as-a-Service (SaaS) applications in use across the enterprise, including sanctioned and shadow IT applications. The inventory typically includes application names, owners, business purposes, user counts, data classifications, vendor information, and integration points. Maintaining this inventory is critical for managing third-party risk, enforcing access controls, preventing data exfiltration through unsanctioned channels, and enabling effective incident response.

Control objective

What auditing this proves

Demonstrate that the organization maintains an accurate, complete, and current inventory of all SaaS applications in use, including discovery mechanisms for shadow IT and regular validation processes.

Associated risks

Risks this control addresses

  • Unauthorized SaaS applications containing sensitive data remain unmonitored and unprotected, leading to data breaches or compliance violations
  • Shadow IT circumvents security controls such as DLP, encryption, and access management, creating uncontrolled exfiltration paths
  • Duplicate or redundant SaaS subscriptions increase attack surface and waste financial resources without visibility
  • Incident response teams lack awareness of all SaaS applications, delaying containment and forensic analysis during security events
  • Third-party vendor risks go unassessed when SaaS applications are deployed without procurement or security review
  • Departing employees retain access to undocumented SaaS applications, creating persistent unauthorized access channels
  • Compliance gaps emerge when auditors discover unmanaged SaaS applications processing regulated data outside approved controls

Testing procedure

How an auditor verifies this control

  1. Request the current SaaS application inventory document or system, including fields for application name, vendor, owner, data classification, user count, and last review date
  2. Review the documented process or procedure for discovering, documenting, and maintaining the SaaS inventory, including responsibilities and update frequency
  3. Examine evidence of automated discovery tools or methods used to identify shadow IT, such as CASB logs, DNS query logs, firewall logs, or SSO provider analytics
  4. Select a sample of 10-15 SaaS applications from the inventory and verify each entry contains complete required fields and current information
  5. Cross-reference the inventory against alternative sources such as SSO logs, payment/procurement records, and IT ticketing systems to identify undocumented applications
  6. Interview business unit representatives and IT staff to identify any SaaS applications in use that do not appear in the inventory
  7. Review evidence of periodic inventory validation activities, such as quarterly reviews, owner attestations, or automated reconciliation reports from the past 12 months
  8. Verify that newly identified SaaS applications from the testing process are documented and escalated according to the organization's procedures
Evidence required The auditor collects the current SaaS inventory spreadsheet or database export showing all tracked applications with metadata fields, screenshots or exports from discovery tools (CASB, DNS logs, SSO analytics) demonstrating automated detection capabilities, and documented procedures for inventory maintenance including update schedules and ownership assignments. Additional evidence includes reconciliation reports, owner attestation records, procurement system exports showing SaaS purchases, and correspondence demonstrating how newly discovered applications are added to the inventory and assessed.
Pass criteria The control passes if the organization maintains a documented SaaS inventory with complete required fields, employs automated discovery mechanisms to identify shadow IT, conducts validation activities at least quarterly, and demonstrates that the inventory reasonably reflects actual SaaS usage based on cross-referencing with independent data sources.

Where this control is tested

Audit programs including this control

SaaS Security Posture

How well is your SaaS estate protected — SSO, MFA enforcement, offboarding, third-party app review?

6 controls · v1.0