01) Does your organisation keep an up-to-date inventory of all IT hardware assets with assigned owners?
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation keeps an up-to-date inventory of all hardware assets within your IT estate. The inventory must list an owner against each asset.

The first step to implementing and maintaining an effective security programme is understanding what assets your company has to protect. Your company should therefore keep track of both its physical hardware (which is what this control covers) and all of its data assets (this is covered by the next control in this domain, control G2).

An inventory of all of your hardware assets is a spreadsheet or database that lists all of the hardware assets within your organisation, and an owner who is responsible for each. It is important that the list covers all of your data-carrying devices (if you prefer, you can leave out non-data-carrying devices such as monitors, keyboards and mice).

A hardware asset inventory helps to ensure that you keep track of all of your company devices and can help to reduce IT spend. It is also useful from a security point of view. It helps the security team to keep track of which devices need to be secured and to make sure that all of the company’s devices have up-to-date security configurations (the asset database is the first step to building a full CMDB, or Configuration Management Database). It helps to keep track of recovering devices from employees leaving the company (this is an integral part of your company’s joiners/movers/leavers process, which is a key security control). It can also help in an incident response scenario when cleaning and recovering all of your company’s IT assets.

How to implement the control:

For organisations that are small in size (up to 50 devices) an asset register can be implemented and maintained using an Excel spreadsheet or Microsoft Access database.

A template Excel spreadsheet for a small organisation can be requested at info@riskledger.com.

Microsoft provide an Access Asset Tracking Template.

To help manage more devices you can use asset tagging software, which allows you to tag assets with an RFID bar code. This is often an easy way of maintaining an asset register.

It is important to keep your asset register up to date. Make sure to add all new devices to the database when purchased and issued to staff, and make sure to remove any assets that are destroyed. Keeping an asset register continuously up to date is a lot easier than trying to build an asset register from an incorrect data set!

For larger organisations we would recommend using a dedicated piece of software. Most IT Service Management (ITSM) software suites include a feature to help manage and track IT assets.
