GOV-014 Asset Inventory
Description
An inventory of information assets and their associated processing systems is maintained with designated owners for each asset. The inventory is updated when assets are added, modified, or decommissioned, and reviewed at defined intervals.
Rationale
Controls cannot be applied to assets that are not known to the organization. An asset inventory is the prerequisite for classification, access control, and risk scoping.
Framework Mappings (3)
| Control ID | Control name | Coverage |
| --- | --- | --- |
| GRC-05 | Information Security Program | partial |
| 5.9 | Inventory of information and other associated assets | full |
| PM-5 | System Inventory | partial |
Evidence (2)
Asset inventory listing information assets and processing systems with designated owners, asset classification, and last-reviewed date.
Example: Asset inventory (Vanta / Drata asset register, CMDB in ServiceNow, or maintained spreadsheet) showing: asset ID, asset name, type, owner (named individual or team), classification, and last review date — reviewed within the last 12 months.
Test: Export the asset inventory. Verify: (1) all production systems and critical data stores are represented, (2) each entry has a named owner, (3) the inventory has a last-reviewed date within the defined interval, (4) recently onboarded systems appear (cross-reference a sample of infrastructure against the inventory), (5) decommissioned assets are removed or marked inactive.
Cloud infrastructure discovery scan or CSPM output confirming that discovered assets match the asset inventory.
Example: Cloud asset inventory export from AWS Config, GCP Asset Inventory, or Azure Resource Graph — dated within the last 30 days — cross-referenceable against the organization's asset register.
Test: Run or request the latest cloud asset discovery output. Cross-reference a sample of cloud resources against the asset register. Verify: (1) no production cloud assets are absent from the inventory, (2) each cloud asset has a tagged or documented owner, (3) the discovery report is dated within 30 days.
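The cross-reference in the two tests above can be scripted. The following is an added example, not part of this control catalogue or of any vendor tool. The CSV columns, the discovery fields (`id`, `env`, `owner_tag`), the sample identifiers and the 365-day review interval (taken from "within the last 12 months") are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data; column and tag names are assumptions, not a vendor schema.
REGISTER_CSV = """asset_id,name,type,owner,classification,last_reviewed,status
arn:example:db/orders,Orders DB,cloud,data-platform,confidential,2024-03-01,active
arn:example:vm/web-1,Web frontend,cloud,,internal,2024-04-10,active
arn:example:vm/batch-old,Legacy batch,cloud,ops,internal,2022-11-05,active
"""
DISCOVERY = {
    "report_date": "2024-05-20",
    "resources": [
        {"id": "arn:example:db/orders", "env": "production", "owner_tag": ""},
        {"id": "arn:example:vm/web-1", "env": "production", "owner_tag": ""},
        {"id": "arn:example:bucket/exports", "env": "production", "owner_tag": "analytics"},
    ],
}

def reconcile(register_csv, discovery, today, report_max_age=30, review_interval=365):
    """Compare a discovery export with the asset register and return findings."""
    register = {r["asset_id"]: r for r in csv.DictReader(io.StringIO(register_csv))}
    live = {r["id"]: r for r in discovery["resources"]}
    findings = {"missing_from_register": [], "no_owner": [],
                "not_discovered_but_active": [], "review_overdue": []}
    for rid, res in sorted(live.items()):
        entry = register.get(rid)
        # Production resources seen by discovery must exist in the register.
        if entry is None and res["env"] == "production":
            findings["missing_from_register"].append(rid)
        # Owner may come from the cloud tag or from the register entry.
        if not res["owner_tag"].strip() and not (entry and entry["owner"].strip()):
            findings["no_owner"].append(rid)
    for aid, entry in sorted(register.items()):
        if entry["status"] != "active":
            continue  # entries already marked inactive satisfy the decommission check
        if entry["type"] == "cloud" and aid not in live:
            findings["not_discovered_but_active"].append(aid)
        reviewed = date.fromisoformat(entry["last_reviewed"])
        if today - reviewed > timedelta(days=review_interval):
            findings["review_overdue"].append(aid)
    age = today - date.fromisoformat(discovery["report_date"])
    findings["report_stale"] = age > timedelta(days=report_max_age)
    return findings

if __name__ == "__main__":
    for check, result in reconcile(REGISTER_CSV, DISCOVERY, date(2024, 6, 1)).items():
        print(f"{check}: {result}")
```

An entry under `not_discovered_but_active` is a candidate for decommission follow-up rather than proof of one, since the resource may sit in an account or region the discovery scan does not cover.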
Questions (2)
Does your organization maintain a documented inventory of information assets and processing systems, with designated owners for each asset?
The inventory should include all production systems and critical data stores, show a named owner per asset, and have a last-reviewed date within the defined interval.
How does your organization keep the asset inventory current as assets are added, modified, or decommissioned?
An automated discovery cross-reference or change-management trigger is the most reliable control — the inventory should match live cloud infrastructure within 30 days.