Software Asset Management (CIS Control 2)

CIS Control 2 focuses on software asset management: maintaining a complete inventory of authorised software and actively preventing unauthorised software from being installed or executed. Unauthorised software is one of the most common entry points for malware and cyberattacks.

    Why software asset management matters

    Unauthorised software poses a security risk for several reasons: it may not receive security updates, it may contain hidden malware, and it may include vulnerable components. Pirated or free software from untrusted sources is a classic attack vector.

    Software asset management is also important for licence compliance and for preventing 'software sprawl' that unnecessarily increases the attack surface.

    The software inventory

    The software inventory should record the following for each application: software name and version, vendor, authorisation status, and the systems on which it is installed. The inventory is used on an ongoing basis to identify outdated software that needs updating or removal.

    A comprehensive software inventory works hand in hand with the hardware asset inventory required by CIS Control 1, providing a complete picture of the organisation's IT landscape.

    Handling unauthorised software

    CIS Control 2 prescribes that unauthorised software must be removed, blocked, or subjected to a formal approval process. At IG2 and IG3, technical controls such as application whitelisting are typically employed to actively block any software not on the approved list.

    Shadow IT: Employees often install software for productivity purposes without IT's knowledge. A clear software policy combined with easy access to approved alternatives reduces the shadow IT problem.
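The inventory fields listed above (name, version, vendor, authorisation status, installed systems) and the "remove, block or approve" handling rule can be exercised with a small reconciliation script. The following is an added example, not code from the page or from CIS; the inventory records, host names and scan results are constructed, and the version-comparison rule (numeric dot-separated parts, non-numeric parts treated as 0) is an assumption. It compares what each host actually runs against the inventory and reports unauthorised software, approved software that is below the approved version, and inventory drift (an install the inventory claims but a scan did not find).

```python
"""Reconcile a CIS Control 2 software inventory against per-host scan results.

Constructed example: INVENTORY and SCANS below are made-up data used to
illustrate the inventory fields and the handling of unauthorised or
outdated software; they do not describe any real environment.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SoftwareRecord:
    """One inventory entry: name, minimum approved version, vendor,
    authorisation status and the systems it is recorded as installed on."""
    name: str
    version: str
    vendor: str
    authorised: bool
    installed_on: frozenset = field(default_factory=frozenset)


def parse_version(v: str) -> tuple:
    """'7.4.1' -> (7, 4, 1). Non-numeric pieces compare as 0 (assumption)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def reconcile(inventory, scans):
    """Compare installed software per host (scans) with the inventory.

    scans: {host: {software_name: installed_version}}
    Returns {"unauthorised": [...], "outdated": [...], "drift": [...]},
    each entry a (host, software_name, detail) tuple.
    """
    by_name = {rec.name.lower(): rec for rec in inventory}
    findings = {"unauthorised": [], "outdated": [], "drift": []}

    # Pass 1: everything a scan found must be in the inventory, approved,
    # and at or above the approved version.
    for host, installed in scans.items():
        for name, version in installed.items():
            rec = by_name.get(name.lower())
            if rec is None:
                findings["unauthorised"].append((host, name, "not in inventory"))
            elif not rec.authorised:
                findings["unauthorised"].append((host, name, "authorisation denied"))
            elif parse_version(version) < parse_version(rec.version):
                findings["outdated"].append((host, name, f"{version} < {rec.version}"))

    # Pass 2: installs the inventory claims should actually be present on
    # hosts that were scanned (unscanned hosts are not reported as drift).
    for rec in inventory:
        for host in rec.installed_on:
            if host not in scans:
                continue
            found = {n.lower() for n in scans[host]}
            if rec.name.lower() not in found:
                findings["drift"].append((host, rec.name, "listed in inventory but not found"))

    return findings


# Constructed inventory: two approved packages and one explicitly denied one.
INVENTORY = [
    SoftwareRecord("OfficeSuite", "16.0", "ExampleCorp", True, frozenset({"ws-01", "ws-02"})),
    SoftwareRecord("PDFReader", "2024.1", "ExampleCorp", True, frozenset({"ws-01", "ws-02"})),
    SoftwareRecord("TorrentClient", "0.0", "unknown", False, frozenset()),
]

# Constructed scan results, as an endpoint agent or discovery tool would return them.
SCANS = {
    "ws-01": {"OfficeSuite": "16.0", "PDFReader": "2023.9", "TorrentClient": "4.5"},
    "ws-02": {"OfficeSuite": "16.1", "GameLauncher": "1.2"},
}


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, SCANS).items():
        print(f"{category}:")
        for host, name, detail in items:
            print(f"  {host}: {name} ({detail})")
```

Each "unauthorised" finding is an item for the remove/block/approve decision the control requires, while "outdated" findings feed the update-or-remove review the inventory is meant to support. The drift check is what keeps the inventory trustworthy: a record that no longer matches reality is as much a gap as a missing one.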

    IG1 safeguards

    IG1 requires the following for Control 2: establishing and maintaining a software inventory, ensuring that only authorised software is used, and handling unauthorised software when it is discovered.

    Frequently Asked Questions about Software Asset Management (CIS Control 2)

    What is CIS Control 2?

    CIS Control 2 covers software asset management. It requires organisations to maintain a complete inventory of authorised software and actively prevent the installation and execution of unauthorised software.

    Why is software asset management important for security?

    Unauthorised software often lacks security updates, may contain malware, and increases the attack surface. By maintaining a controlled software inventory, organisations reduce the risk of compromise through unvetted applications.

    What is application whitelisting?

    Application whitelisting is a technical control that only allows pre-approved software to run on an organisation's systems. All software not on the approved list is automatically blocked, providing strong protection against unauthorised programs.

    What does IG1 require for CIS Control 2?

    IG1 requires organisations to establish and maintain a software inventory, ensure only authorised software is in use, and address any unauthorised software that is discovered on their systems.

    How does CIS Control 2 relate to CIS Control 1?

    CIS Control 1 covers hardware asset management and Control 2 covers software asset management. Together they provide a complete inventory of an organisation's IT assets, which is the foundation for all other security controls.
