GRCWatch
Sign inStart free trial

CIS Controls 3.2: Establish and Maintain a Data Inventory

Data inventory is the foundation of effective data protection. CIS Controls 3.2 requires you to document where sensitive data lives across your organization, then keep that inventory current. Without visibility into your data, you can't protect it—or prove you're complying.

What this means

CIS Controls 3.2 requires organizations to create and maintain an authoritative record of where data exists, with priority given to sensitive and regulated data. This inventory must be reviewed and updated at least annually, capturing data location, classification, ownership, and sensitivity level. The control ensures your organization knows what data it holds and can apply appropriate protection measures.

How to comply

  1. 1.Define sensitive data for your organization (PII, PHI, payment card data, trade secrets, etc.) based on industry, regulations, and business context.
  2. 2.Conduct a data discovery exercise across all systems, databases, file shares, cloud storage, and endpoints to identify where sensitive data resides.
  3. 3.Document each data asset with owner, location, classification level, retention period, and access controls.
  4. 4.Create a centralized inventory or database that is easily searchable and queryable by stakeholders and compliance teams.
  5. 5.Establish a data steward or data governance role responsible for maintaining inventory accuracy.
  6. 6.Schedule annual review cycles (minimum) to identify new data sources, reclassifications, or obsolete records.
  7. 7.Update inventory when new systems are deployed or data migration occurs.

Evidence auditors look for

  • Spreadsheet or database of sensitive data assets with columns for location, owner, classification, and last review date.
  • Data mapping documentation showing how sensitive data flows through applications and systems.
  • Policy document defining what qualifies as sensitive data and annual review requirements.
  • Records of annual data inventory reviews, including date, reviewer, additions, and updates.
  • Automated discovery tool output showing scanned systems and identified sensitive data.
  • Sign-off or audit trail showing data owners and stewards acknowledged inventory accuracy.
  • Decommissioning records showing removal of obsolete data from inventory.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data discovery and inventory management, scanning your systems to identify sensitive data, tracking changes in real-time, and surfacing evidence for your annual review without manual spreadsheet updates.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 1.1 — Establish and Maintain a Software Asset InventoryCIS Controls 2.1 — Establish and Maintain a Hardware Asset InventoryCIS Controls 3.3 — Address Unauthorized SoftwareCIS Controls 6.1 — Establish and Maintain an Inventory of Unvetted Software