Asset Inventory (CIS Control 1)

CIS Control 1 is about actively mapping and controlling all hardware assets in the organisation — computers, servers, network equipment and mobile devices. The principle is simple: you cannot protect what you do not know exists. The asset inventory is the foundation for all subsequent security.

Back to Dictionary

Why is the asset inventory critical?

CIS Control 1 is not positioned first by accident. Without knowledge of which devices are connected to the network, it is impossible to secure them. Unregistered devices are blind spots: they do not receive security updates, they are not securely configured and they are not monitored.

Attackers actively exploit these blind spots. An old server, an IoT device or an employee’s personal laptop connected to the corporate network can serve as the entry point for an attack.

What should the inventory include?

The asset inventory should cover all devices with access to the organisation’s network:

Computers and laptops (company-owned and BYOD)
Servers (physical and virtual)
Network equipment (routers, switches, firewalls)
Mobile devices (phones, tablets)
IoT devices and OT systems
Cloud-based virtual machines and instances

IG1 safeguards for Control 1

IG1 requires three safeguards for Control 1:

1.1: Establish and maintain a detailed asset inventory for all enterprise-owned assets.
1.2: Address unauthorised assets — devices not in the inventory must be isolated, investigated or removed.
1.3: Use DHCP logging to update the asset inventory.

Automate where possible: Manual maintenance of the asset inventory is error-prone and resource-intensive. Network scanning tools such as Nmap, or MDM solutions for mobile devices, can automate discovery and registration.

Maintaining the asset inventory

The asset inventory is only useful if it is kept up to date. Processes for acquisition, changes and disposal of hardware must all be reflected in the inventory. CIS recommends reviewing and updating the inventory at least monthly. For organisations also working with ISO 27001, the inventory aligns closely with asset management requirements.

Frequently Asked Questions about Asset Inventory and CIS Control 1

What is CIS Control 1?

CIS Control 1 — Inventory and Control of Enterprise Assets — requires organisations to actively maintain a complete and accurate inventory of all hardware devices connected to their network.

Why is asset inventory the first CIS control?

Because you cannot protect what you do not know about. Without a complete inventory, security updates, configurations and monitoring cannot be applied consistently, creating blind spots that attackers exploit.

What are IG1 safeguards?

Implementation Group 1 (IG1) safeguards are the minimum set of actions within each CIS control recommended for all organisations regardless of size. For Control 1, IG1 includes maintaining an asset inventory, addressing unauthorised assets and using DHCP logging.

How often should the asset inventory be updated?

CIS recommends reviewing and updating the asset inventory at least monthly. Automated tools can help keep it current in real time.

What is the difference between CIS Control 1 and CIS Control 2?

Control 1 focuses on hardware assets (physical and virtual devices), whilst Control 2 addresses software assets — ensuring only authorised software is installed and can execute on enterprise devices.