INF-003 System Component Inventory
Description
An accurate, maintained inventory of all production system components — including servers, containers, virtual machines, cloud resources, and network devices — is kept. The inventory captures component type, owner, environment, and version. It is reviewed and reconciled at a defined frequency.
Rationale
You cannot protect what you cannot see. A complete, current inventory is the foundation of vulnerability management, change control, and incident response.
Framework Mappings (3)
| Control ID | Title | Mapping |
| --- | --- | --- |
| DCS-07 | Assets Cataloguing and Tracking | partial |
| CM-8 | System Component Inventory | full |
| CC6.1 | Logical Access Security Software, Infrastructure, and Architectures | partial |
Evidence (2)
Asset inventory export from a CMDB or cloud-native discovery tool listing all production system components with type, owner, environment, and version.
Example: AWS Config resource inventory export, Snipe-IT or ServiceNow CMDB export, or Terraform state file listing for production environments, dated within the last review cycle
Test: Request the asset inventory export and the most recent reconciliation record. Verify: (1) the inventory includes all production component types (servers, containers, VMs, cloud resources, network devices); (2) each record has an owner, environment tag, and version; (3) inventory was reconciled against actual deployed resources within the defined review period; (4) cross-reference a sample of 10 live resources against the inventory to confirm coverage.
Completed inventory reconciliation record demonstrating the inventory was reviewed and updated within the defined frequency.
Example: Inventory reconciliation ticket or change record (e.g., Jira or ServiceNow task) showing the last reconciliation date, reviewer, and any discrepancies resolved
Test: Request the last three inventory reconciliation records. Verify: (1) reconciliations occur at or within the defined frequency; (2) discrepancies identified during reconciliation are documented and resolved; (3) the record includes the name of the person responsible for the review.
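The four checks in the first evidence test can be scripted against an inventory export. The following is an added example, not part of the control catalogue: the CSV column names, the component type labels, and the sample data are assumptions constructed for illustration.

```python
import csv
import io
import random

# Assumed labels for the component types the control names; adapt to your CMDB.
REQUIRED_TYPES = {"server", "container", "vm", "cloud_resource", "network_device"}
REQUIRED_FIELDS = ("type", "owner", "environment", "version")

# Constructed sample export (column names are assumptions, not a real CMDB schema).
SAMPLE_EXPORT = """id,type,owner,environment,version
srv-01,server,platform-team,production,ubuntu-22.04
ctr-07,container,payments-team,production,1.4.2
vm-03,vm,,production,2019
s3-logs,cloud_resource,sec-team,production,
"""
# Constructed ids of resources actually deployed (e.g. from a discovery scan).
SAMPLE_LIVE = ["srv-01", "ctr-07", "vm-03", "s3-logs", "fw-edge-1", "ctr-99"]

def load_inventory(text):
    """Parse the CSV export into {resource id: record}."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}

def audit_inventory(inventory, live_ids, sample_size=10, seed=0):
    """Run the four evidence checks and return the findings for each."""
    prod = {i: r for i, r in inventory.items() if r["environment"] == "production"}
    recorded, live = set(prod), set(live_ids)
    # (1) every production component type is represented
    missing_types = REQUIRED_TYPES - {r["type"] for r in prod.values()}
    # (2) each record has an owner, environment tag, and version
    incomplete = {}
    for rid, rec in prod.items():
        gaps = [f for f in REQUIRED_FIELDS if not (rec.get(f) or "").strip()]
        if gaps:
            incomplete[rid] = gaps
    # (3) reconcile: deployed but not recorded, and recorded but not deployed
    unrecorded = sorted(live - recorded)
    stale = sorted(recorded - live)
    # (4) spot check a reproducible random sample of live resources
    sample = random.Random(seed).sample(sorted(live), min(sample_size, len(live)))
    sample_misses = [i for i in sample if i not in recorded]
    return {"missing_types": missing_types, "incomplete": incomplete,
            "unrecorded": unrecorded, "stale": stale,
            "sample": sample, "sample_misses": sample_misses}

if __name__ == "__main__":
    print(audit_inventory(load_inventory(SAMPLE_EXPORT), SAMPLE_LIVE))
```

Attaching the returned findings to the reconciliation ticket gives the reviewer a record of the discrepancies and their resolution.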
Questions (2)
Is an accurate, maintained inventory of all production system components kept, capturing component type, owner, environment, and version?
The inventory should cover servers, containers, virtual machines, cloud resources, and network devices. Cloud-native discovery tools or a CMDB are the expected mechanisms.
How frequently is the production asset inventory reconciled against actual deployed resources?
Continuous or weekly automated reconciliation is preferred. Quarterly is the minimum acceptable frequency for a controlled environment.