CIS Control 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
CIS Control 1.1 forms the foundation of effective cybersecurity governance by requiring organizations to maintain a comprehensive, current inventory of all assets that store or process data. Without visibility into what devices exist on your network, you cannot protect them. For SMBs, this means building a scalable asset tracking system that captures critical device details and network connectivity status.
What this means
You must create and continuously update a centralized inventory documenting every asset capable of storing or processing data across your organization. This includes end-user devices (laptops, desktops, tablets), network infrastructure (routers, switches, firewalls), IoT and non-computing devices (printers, cameras, sensors), and all servers. For each asset, your inventory must record the network address (IP), hardware address (MAC), machine name, assigned owner, department, and network approval status. The goal is complete visibility—no shadow IT, no unknown devices, no forgotten assets.
How to comply
- 1.Conduct a comprehensive network scan to identify all connected devices and establish baseline inventory
- 2.Document required attributes for each asset: IP address, MAC address, device name, owner, department, and approval status
- 3.Assign a single owner and department to each asset for accountability and change tracking
- 4.Implement automated asset discovery tools to detect new devices and flag unauthorized connections
- 5.Establish a review cycle (monthly or quarterly) to verify inventory accuracy against actual network state
- 6.Create a network approval process that prevents unapproved devices from connecting
- 7.Integrate inventory data with your IT asset management system for single source of truth
- 8.Document and track all inventory changes, including additions, removals, and ownership transfers
Evidence auditors look for
- Asset inventory spreadsheet or CMDB with minimum required fields populated for all devices
- Network scan reports showing discovery date and device details
- Asset approval log documenting which devices are authorized for network access
- Change management records showing inventory updates over time
- Automated discovery tool configurations and scan schedules
- Owner assignment documentation showing accountability chains
- Reconciliation reports comparing inventory records to actual network devices
- Incident response records demonstrating use of inventory during security investigations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates asset discovery and continuous inventory management by integrating with your network infrastructure, eliminating manual tracking and ensuring your asset register stays synchronized with actual network state—cutting hours of monthly reconciliation work.
See how GRCWatch handles this control automatically
Start free trial