CIS Control 2.1: Establish and Maintain a Software Inventory
A complete software inventory is your foundation for asset management and compliance. CIS Control 2.1 requires documenting every licensed application across your enterprise—from installation dates to business purpose. Without it, you're operating blind to security risks and licensing exposure.
What this means
CIS 2.1 mandates creating and maintaining a comprehensive record of all software deployed on your company assets. Each inventory entry must capture: software title, publisher name, installation and first-use dates, documented business purpose, and where applicable, the app store source, current version(s), deployment method, and decommissioning date. This control ensures you know exactly what's running on your network, why it's there, and whether it's properly licensed—critical for both security and compliance audits.
How to comply
- 1.Conduct a complete discovery scan across all enterprise assets (workstations, servers, cloud instances) to identify installed software
- 2.Document core fields for each application: title, publisher, installation date, version, and business justification
- 3.Record secondary details including app store sources, deployment mechanisms (manual, MDM, automated), and licensing status
- 4.Assign an owner or team responsible for maintaining inventory accuracy as new software is deployed
- 5.Establish a regular review cadence (quarterly minimum) to catch undocumented installations and flag decommissioned applications
- 6.Integrate inventory data with your asset management system to link software to specific devices and users
- 7.Create a formal decommissioning process that updates inventory records when software is removed from service
Evidence auditors look for
- Exported software inventory report showing title, publisher, install date, version, and business purpose for all devices
- Asset management system report with linked hardware and software records
- Quarterly inventory review meeting notes and sign-off documenting accuracy verification
- Change log showing software additions, updates, and removals with timestamps and approvals
- License audit report cross-referenced with active inventory entries
- Mobile device management (MDM) or endpoint detection and response (EDR) tool export showing deployed applications
- Documentation of inventory owner role and maintenance responsibilities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and catalogs all software across your infrastructure, automatically updating records when applications are installed or removed—eliminating manual spreadsheet maintenance and ensuring your CIS 2.1 inventory is always audit-ready.
See how GRCWatch handles this control automatically
Start free trial