By Heath Gieson
If you don’t know what you have, how can you protect it?
That simple question is why the very first control in the Center for Internet Security (CIS) Critical Security Controls focuses on asset inventory. Before you can secure your organization, you need to understand what needs protecting. I always picture a grizzled old cowboy saying, “You can’t protect what you don’t know you have.” Sure, the grammar could use some work, but the truth in that statement runs deep.
What Does Control 1.1 Require?
Control 1.1 asks organizations to establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data. That includes:
- End-user devices (desktops, laptops, mobile phones)
- Network devices
- Non-computing/IoT devices (think smart speakers, printers, cameras)
- Servers
- Cloud accounts and services (Azure, AWS, OneDrive, Box, Dropbox, etc.)
Your inventory should include:
- Network address (if static)
- Hardware address
- Machine name
- Asset owner and department
- Whether the asset is approved to connect to the network
And yes, this applies to assets connected physically, virtually, remotely, and in the cloud. CIS recommends reviewing and updating this inventory at least twice a year.
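As an added example (not from the original article or from CIS), here is a short Python check for an inventory kept as a CSV file. It flags rows missing the fields listed above, duplicate hardware addresses, assets not approved to connect, and entries not reviewed in roughly the last six months. The column names, the asset_type and last_reviewed columns, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import date, timedelta

# Fields the article lists for each asset; column names are assumptions of this example.
REQUIRED = ("machine_name", "owner", "department", "approved")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
REVIEW_WINDOW = timedelta(days=183)  # "at least twice a year"

def audit_inventory(csv_text, today):
    """Return a list of (machine_name, finding) tuples for rows needing attention."""
    findings, seen_macs = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("machine_name") or "").strip() or "<unnamed>"
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((name, f"missing {field}"))
        # Normalise so 00-1A-.. and 00:1a:.. compare as the same hardware address.
        mac = (row.get("hardware_address") or "").strip().lower().replace("-", ":")
        if mac:
            if not MAC_RE.match(mac):
                findings.append((name, "malformed hardware_address"))
            elif mac in seen_macs:
                findings.append((name, f"duplicate hardware_address of {seen_macs[mac]}"))
            else:
                seen_macs[mac] = name
        elif (row.get("asset_type") or "").strip().lower() != "cloud":
            # Assumption: cloud accounts and services have no hardware address to record.
            findings.append((name, "missing hardware_address"))
        if (row.get("approved") or "").strip().lower() == "no":
            findings.append((name, "not approved to connect"))
        reviewed = (row.get("last_reviewed") or "").strip()
        if not reviewed or today - date.fromisoformat(reviewed) > REVIEW_WINDOW:
            findings.append((name, "review overdue"))
    return findings

# Constructed sample inventory (not real data).
SAMPLE = """machine_name,asset_type,network_address,hardware_address,owner,department,approved,last_reviewed
fin-lt-01,laptop,,00:1A:2B:3C:4D:5E,A. Rivera,Finance,yes,2025-01-10
web-srv-01,server,10.0.0.20,00-1a-2b-3c-4d-5e,,IT,yes,2025-01-10
lobby-cam,iot,10.0.0.77,AA:BB:CC:DD:EE:FF,Facilities,Facilities,no,2024-03-01
m365-tenant,cloud,,,IT Ops,IT,yes,2025-01-10
"""

if __name__ == "__main__":
    for name, finding in audit_inventory(SAMPLE, date(2025, 3, 1)):
        print(f"{name}: {finding}")
```

Run against the sample, it reports the server with no owner and a hardware address already recorded for the finance laptop, and the lobby camera as unapproved and overdue for review.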
Don’t Let This Overwhelm You
Reading that list can feel overwhelming. Most organizations freeze because the scope seems massive. Don’t let this paralyze you into inaction.
Here’s the practical approach:
- Create a policy stating that your organization requires an asset inventory for all devices that store or process data.
- Start small. Begin with end-user computers and servers. Build from there.
- Set a review cadence. Quarterly or semi-annual reviews are a great starting point.
Doing something is better than doing nothing. Over time, you can expand your inventory to include IoT devices, cloud accounts, and everything else mentioned in the control.
Where to Find the Data
If you work with a managed IT or security provider like Forthright, chances are they already maintain an inventory for you. If not, your internal IT team probably has some of this information.
When I consult with organizations, I often start with the finance team. The people paying the bills usually have a good record of systems and services the organization uses.
Why This Matters
Asset inventory isn’t just a checkbox for compliance. It’s the foundation of security. If you don’t know what you have, you can’t secure it. And if you can’t secure it, you’re leaving the door wide open for risk.
I hope you found this helpful. Come back next week when we’ll cover Control 1.2: Addressing Unauthorized Assets.
