We’ve sat in incident response calls where the first ten minutes were spent arguing about what systems were actually affected. Nobody could give a straight answer. The CTO thought the data lived in AWS, the engineer was pretty sure it had been migrated to GCP six months ago, and the security lead was still looking at a spreadsheet from 2023.
That’s what happens when you don’t have a real asset inventory.
CISO Assistant gives you a structured place to track everything your organization depends on, classify it by how much it matters, link it to the vendors who provide it, and connect it to the risks that threaten it. This guide walks you through building that inventory from scratch and, more importantly, keeping it alive.
What actually counts as an asset?
An asset is anything that has value to your organization and needs protecting. Most people immediately think of SaaS tools and cloud platforms, but it goes beyond that.
Your information assets include strategic documents, legal files, financial records, project documentation, sales proposals, HR files, and client contracts. These are often scattered across multiple systems, which makes them easy to forget when you’re building an inventory.
Software assets cover everything from cloud platforms like AWS, Azure, and GCP to productivity suites like Google Workspace and Microsoft 365. Don’t forget development tools (GitHub, JetBrains, Cursor), business applications (your CRM, ATS, invoicing system), security tools (SIEM, antivirus, password manager), and increasingly, AI tools like ChatGPT, Claude, and Gemini.
Then there are service assets that people overlook. Your internet connectivity, DNS management, email delivery services like SendGrid, VoIP platforms, automation tools like Zapier. These aren’t glamorous, but try running a business when your DNS goes down.
Hardware assets include network devices (routers, switches, firewalls, access points), workstations, mobile devices, and removable media like USB drives. Physical locations are assets too, and every office, server room, and coworking space should have its own entry. And sometimes people are assets, particularly people whose knowledge would be hard to replace.
Start by converting your solutions into assets
If you’ve already registered your third-party entities and solutions (covered in our vendor security management guide), you’ve done half the work. For every important solution, you’ll want a corresponding asset in CISO Assistant.
Head to Context > Assets and click Add Asset. Give it a clear, recognizable name that matches the solution name where possible. Write a description that explains what the asset does and what data it holds. Be specific here. “Cloud hosting” tells you nothing. “Production infrastructure hosting client databases and application backend” tells you everything. Assign it to the department that owns or manages it.
Not everything needs its own asset
We’ve seen teams go overboard and create an asset for every single tool in their stack. That’s a maintenance nightmare. Focus on solutions that store your organization’s data, are critical to daily operations, handle personal data with GDPR implications, or would cause real harm if compromised or unavailable.
Your identity and authentication systems like 1Password and JumpCloud should always be assets. Same goes for cloud infrastructure, source code repositories, email and productivity tools, SIEM and monitoring platforms, and your CRM. Beyond those essentials, use your judgment. Communication tools, project management platforms, knowledge bases, development tools, AI platforms, sales and marketing tools, and network infrastructure are worth tracking if they’re meaningful to your operations.
What you can safely skip are free trials you’re evaluating, tools used by one person with no organizational data, and anything that’s already inactive or decommissioned.
The physical stuff that everyone forgets
In our experience, the first draft of every asset inventory is 90% software. People forget that some of their most valuable and vulnerable assets are physical.
Each office location should be its own asset because physical risks like fire, flood, and break-ins apply to them directly. Network hardware (routers, switches, firewalls, and Wi-Fi access points) belongs in the inventory. Create category entries for your workstations (“macOS Workstations” and “Windows Workstations” work well), your mobile devices, and your removable media. USB drives and external hard disks are high-risk for data leakage and often get ignored completely.
And don’t forget document categories. “Strategic and Legal Documents,” “Project Documentation,” and “Sales Documents” are assets just like AWS is. Data doesn’t need to live in a specific system to be worth protecting.
Link everything together
Once you’ve created an asset, edit it and link it to the corresponding solution. This creates a traceability chain that goes from the vendor (Entity) through the product (Solution) to what you’re actually protecting (Asset).
For example, Google LLC as an entity provides Google Workspace as a solution, which maps to your “Google Workspace” asset. Amazon Web Services provides AWS. Recruitee BV provides Recruitee, which maps to your “Recruitee ATS” asset.
This linkage pays off during incidents and audits. When a vendor reports a breach, you can immediately see which of your assets are affected. During vendor assessments, you see exactly what depends on each vendor. And in risk analysis, the full chain from asset to solution to entity shows your complete exposure.
Organize assets by department
Keep things tidy by assigning each asset to the department that primarily owns or manages it. In CISO Assistant that means placing the asset in that department's domain, which is what the Domain column below refers to. A typical breakdown might look something like this:
| Domain | Typical assets |
|---|---|
| Infrastructure Team | AWS, Azure, GCP, GitHub, JumpCloud, 1Password, Slack, Google Workspace, Atlassian, Coda, Docker, JetBrains, Cursor, AI tools, Hetzner, Cloudflare, internet connections, domain managers, Zapier, SendGrid |
| Security | Datadog SIEM, Datadog Logs, ESET, network devices, workstations |
| Sales | HubSpot, DocuSign, CloudTalk, Apollo.io, LinkedIn Sales Navigator |
| HR & Recruitment | Recruitee ATS |
| Finance | Finance application, Fakturownia, external accounting services |
| Marketing | Adobe Creative Cloud, Hotjar, Piwik Pro, Semrush, websites |
| Product/Engineering | Figma |
| Global | Office locations, documents, mobile devices, removable media, AI tooling |
This isn’t just for neatness. When something goes wrong with an asset, you want to immediately know who to call.
Set security objectives for each asset
Every asset needs security objectives that express how important each security property is. You’ll rate these on a 1-to-4 scale using the CIA-PAuPrS model (Confidentiality, Integrity, Availability, Proof, Authenticity, Privacy, Safety). Our Business Impact Analysis guide covers the reasoning in detail, but here’s a quick cheat sheet to get you started.
The highest criticality assets are your password managers (C=4, I=4, because a compromise means access to everything), identity providers (C=4, I=4, A=4, because no authentication means no work), cloud infrastructure (I=4, A=4), and financial systems (C=4, I=4, Pr=4).
High criticality includes email and productivity tools (A=4 because email downtime stops all business communication), code repositories (I=4 because code tampering is critical, P=4 for the audit trail), monitoring and SIEM (I=4, P=4 because log integrity matters), and network devices (I=4, A=4).
Moderate criticality covers project management tools, design tools, AI tools (watch out for Pr=4 on those because of privacy risk from prompts), and sales tools.
Low criticality is for non-essential SaaS, optional analytics, and marketing extras.
Honestly, the rating process can feel tedious when you have 50+ assets. But these numbers drive everything downstream in your risk assessment and compliance evidence, so it’s worth doing properly.
Set disaster recovery objectives
While you’re editing each asset, also set the RTO (how quickly you must have it restored), RPO (how much data loss you can accept, expressed as a time window since the last good copy), and MTD (the maximum tolerable downtime before the damage becomes permanent). Sanity-check the three together: RTO must sit at or below MTD, otherwise the plan commits you to breaching your own tolerance, and an RPO shorter than your backup interval is a target you can’t actually meet.
| Asset category | RTO | RPO | MTD |
|---|---|---|---|
| Identity and security systems | 4 hours | 2 hours | 24 hours |
| Cloud infrastructure | 8 hours | 4 hours | 48 hours |
| Security monitoring | 8 hours | 4 hours | 48 hours |
| Network devices | 8 hours | 4 hours | 48 hours |
| Email and productivity | 24 hours | 8 hours | 72 hours |
| Code repositories | 24 hours | 8 hours | 72 hours |
| Business applications | 24-48 hours | 8-24 hours | 72 hours to 1 week |
| Financial systems | 24 hours | 8 hours | 72 hours |
| Workstations | 24 hours | 8 hours | 72 hours |
| Documents | 72 hours | 24 hours | 1 week |
| Physical locations | 72 hours | 24 hours | 1 week |
| External services | 1 week | 72 hours | 2 weeks |
These are starting points. Validate them with the teams who actually use the systems. You might be surprised how different their expectations are from yours.
Connect assets to risk scenarios
This is where your asset inventory starts earning its keep. For each risk scenario in your assessment, you need to identify which assets would be affected if that risk materialized.
Think about it from the risk scenario’s perspective. If you’re looking at an unauthorized data access scenario, link everything that stores sensitive data: password managers, CRM, ATS, source code repos, financial systems, cloud platforms, Google Workspace, documents.
For malicious code risks, you’re looking at software-based assets that could be infected: workstations, cloud platforms, email, development tools, communication tools. Data loss scenarios affect cloud platforms, repos, financial systems, documents, and knowledge bases. Social engineering targets people-facing systems like email, CRM, identity management, communication tools, and your password manager.
Hardware-dependent assets like network devices, workstations, and internet connections are the ones at risk from equipment failure. Physical risks like fire and flood affect office locations, network devices, and on-premises workstations. Theft and loss scenarios hit portable assets: workstations, mobile devices, removable media.
And if your organization uses AI tools, don’t skip the AI-specific risks. Link your AI tooling assets to data leakage, hallucination, and prompt injection scenarios.
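The security objectives, the disaster recovery targets, and the risk scenario links above are three sets of fields that have to agree with each other, and with 50+ assets they drift. The script below is an added example, not part of this guide and not CISO Assistant code: it runs a handful of consistency checks over an inventory export. The inventory is constructed sample data with deliberate mistakes, the field names are this script's own (not CISO Assistant's schema), and the 8-hour threshold for assets rated A=4 is an assumption taken from the guide's own table, where the A=4 categories sit at 4 to 8 hours.

```python
"""Lint an asset inventory for the inconsistencies this guide warns about.

Added example, not from the original guide and not CISO Assistant code. The
inventory below is constructed sample data; field names are assumptions for
this script, not CISO Assistant's data model.
"""
from dataclasses import dataclass, field

OBJECTIVES = ("C", "I", "A", "P", "Au", "Pr", "S")  # CIA-PAuPrS, each rated 1..4

# Assumption for this script: an asset whose availability objective is 4 should
# have a recovery time objective no looser than this (the guide's table uses
# 4-8 hours for identity, cloud infrastructure and network devices).
MAX_RTO_FOR_CRITICAL_AVAILABILITY_H = 8


@dataclass
class Asset:
    name: str
    department: str
    objectives: dict            # subset of OBJECTIVES -> 1..4
    rto_h: int                  # recovery time objective, hours
    rpo_h: int                  # recovery point objective, hours
    mtd_h: int                  # maximum tolerable downtime, hours
    risk_scenarios: list = field(default_factory=list)
    status: str = "active"      # "active" or "decommissioned"


def criticality(asset):
    """Highest security objective on the asset; 4 is the guide's top tier."""
    return max(asset.objectives.values(), default=1)


def lint(inventory):
    """Return (asset name, code, message) for every inconsistency found."""
    findings = []
    for a in inventory:
        # Objectives must use the seven CIA-PAuPrS keys on the 1-4 scale.
        for key, score in a.objectives.items():
            if key not in OBJECTIVES or not 1 <= score <= 4:
                findings.append((a.name, "bad-objective", f"{key}={score}"))
        if a.status != "active":
            continue  # decommissioned assets stay in the record but are not linted further
        # Orphaned asset: nobody to call when it breaks.
        if not a.department:
            findings.append((a.name, "no-owner", "assign a department"))
        # Recovery target slower than the downtime the business says it can tolerate.
        if a.rto_h > a.mtd_h:
            findings.append((a.name, "rto-exceeds-mtd", f"RTO {a.rto_h}h > MTD {a.mtd_h}h"))
        # Availability rated critical but the DR target does not reflect it.
        if a.objectives.get("A") == 4 and a.rto_h > MAX_RTO_FOR_CRITICAL_AVAILABILITY_H:
            findings.append((a.name, "rto-vs-availability", f"A=4 but RTO {a.rto_h}h"))
        # An asset no risk scenario references never shows up in the assessment.
        if not a.risk_scenarios:
            findings.append((a.name, "no-risk-link", "link at least one risk scenario"))
    return findings


def by_criticality(inventory):
    """Active asset names, most critical first; a sensible order for the annual review."""
    active = [a for a in inventory if a.status == "active"]
    return [a.name for a in sorted(active, key=lambda a: (-criticality(a), a.name))]


# Constructed sample inventory (not real data) with deliberate mistakes.
INVENTORY = [
    Asset("JumpCloud", "Infrastructure Team", {"C": 4, "I": 4, "A": 4},
          rto_h=4, rpo_h=2, mtd_h=24,
          risk_scenarios=["unauthorized-access", "social-engineering"]),
    Asset("Recruitee ATS", "", {"C": 4, "I": 3, "Pr": 4},       # no owner, RTO > MTD
          rto_h=72, rpo_h=24, mtd_h=48, risk_scenarios=["unauthorized-access"]),
    Asset("Figma", "Product/Engineering", {"C": 2, "I": 2, "A": 3},  # never linked to a risk
          rto_h=48, rpo_h=24, mtd_h=168),
    Asset("Old wiki", "Global", {"C": 2, "I": 1, "A": 1},          # kept for the audit trail
          rto_h=168, rpo_h=72, mtd_h=336, status="decommissioned"),
    Asset("Cloudflare", "Infrastructure Team", {"A": 4, "I": 3, "Av": 2},  # typo key, slow RTO
          rto_h=24, rpo_h=4, mtd_h=48, risk_scenarios=["equipment-failure"]),
]

if __name__ == "__main__":
    for name, code, msg in lint(INVENTORY):
        print(f"{name:15} {code:20} {msg}")
    print("review order:", by_criticality(INVENTORY))
```

Run it against a CSV or JSON export of your own inventory by building `Asset` objects from the rows; the point is that each check encodes one rule the guide states in prose (owner required, RTO within MTD, DR targets matching the availability rating, every active asset linked to at least one scenario), so the quarterly review starts from a list of known gaps instead of a blank page.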
Keep the inventory alive
An asset inventory is only useful if it reflects reality. The moment it goes stale, it becomes another document that nobody trusts.
Add new assets whenever a team adopts a new SaaS tool, new hardware gets purchased, a new office opens, or a new business application is deployed. Update existing assets when ownership changes, when security or DR objectives shift, or when you migrate to a different vendor. When a tool or service is decommissioned, don’t delete the asset. Change its status or add a note. You’ll need that historical record for compliance and audits.
For regular reviews, a monthly quick scan to catch newly adopted tools works well. Every quarter, review your security objectives and DR targets to make sure they’re still accurate. And once a year, do a proper full inventory audit. Walk through every asset with each department head. Yes, the annual review is painful. Do it anyway.
The pitfalls we see most often
Shadow IT is the big one. Teams adopt tools without telling anyone. The marketing team signs up for a new analytics platform, stores client data in it, and nobody in security knows it exists. Combat this by making it easy to report new tools and periodically scanning expense reports and SSO logs for unknown services.
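Scanning SSO logs for unknown services is the one part of the shadow IT problem you can automate. The script below is an added example, not from this guide and not a CISO Assistant feature: it reads identity-provider sign-in events, collects the applications users actually signed in to, and reports the ones with no matching inventory entry, ranked by how many people use them. The log lines are constructed, their JSON shape (an event name, an `application` field, a user and a timestamp) is an assumption, and the inventory list and ignore set are sample data; adapt `parse_event()` to whatever your IdP exports.

```python
"""Report applications seen in SSO sign-in logs that have no asset in the inventory.

Added example, not part of the original guide and not CISO Assistant code.
Log lines, inventory names and the ignore set are constructed sample data;
the JSON event shape is an assumption about the IdP export.
"""
import json
import re
from collections import defaultdict

# Asset names as registered in the inventory (constructed sample).
INVENTORY = ["Google Workspace", "GitHub", "1Password", "HubSpot",
             "Recruitee ATS", "Datadog SIEM", "Figma"]

# Apps that show up in IdP logs but do not warrant an asset (assumption for the demo).
IGNORE = {"jumpcloud console"}

# Constructed sample of IdP audit events, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2025-03-03T08:12:41Z", "event": "sso.login", "user": "ana@example.com", "application": "Google Workspace"}
{"ts": "2025-03-03T08:40:02Z", "event": "sso.login", "user": "ben@example.com", "application": "GitHub"}
{"ts": "2025-03-03T09:05:17Z", "event": "sso.login", "user": "ana@example.com", "application": "Hotjar"}
{"ts": "2025-03-03T09:06:55Z", "event": "user.password_change", "user": "ben@example.com"}
{"ts": "2025-03-04T10:11:00Z", "event": "sso.login", "user": "cara@example.com", "application": "Hotjar"}
{"ts": "2025-03-04T11:30:12Z", "event": "sso.login", "user": "dan@example.com", "application": "Notion"}
{"ts": "2025-03-05T07:59:31Z", "event": "sso.login", "user": "ana@example.com", "application": "recruitee"}
{"ts": "2025-03-05T08:00:00Z", "event": "sso.login", "user": "ben@example.com", "application": "JumpCloud Console"}
this line is not JSON and is skipped
"""


def normalize(name):
    """Fold case and punctuation so 'recruitee' can be matched against 'Recruitee ATS'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_event(line):
    """Return (application, user, timestamp) for an SSO login event, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("event") != "sso.login" or "application" not in ev:
        return None
    return ev["application"], ev["user"], ev["ts"]


def known_apps(inventory):
    return {normalize(n) for n in inventory}


def is_known(app, known):
    """Deliberately loose prefix match in both directions ('Datadog' vs 'Datadog SIEM',
    'GitHub Enterprise' vs 'GitHub'); a miss is reviewed by a human, not auto-added."""
    n = normalize(app)
    return any(n.startswith(k) or k.startswith(n) for k in known)


def unknown_apps(log_text, inventory, ignore=IGNORE):
    """(application, distinct users, first seen) for apps absent from the inventory,
    most widely used first."""
    known = known_apps(inventory)
    users = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        app, user, ts = parsed
        if app.lower() in ignore or is_known(app, known):
            continue
        users[app].add(user)
        first_seen[app] = min(first_seen.get(app, ts), ts)  # ISO-8601 sorts lexically
    return sorted(((app, len(u), first_seen[app]) for app, u in users.items()),
                  key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for app, n_users, since in unknown_apps(SAMPLE_LOG, INVENTORY):
        print(f"{app:20} users={n_users:<3} first seen {since}")
```

Each hit is a candidate asset, not an automatic one: the marketing analytics tool with two users that first appeared last week is exactly the case described above, and the right response is a conversation with the team about what data went into it, followed by either a new asset entry or a decision to retire the tool. Apps that never go through SSO will not appear here at all, which is the argument for pairing this with the expense report scan.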
Stale entries creep in fast. The tool you registered in 2024 got replaced six months ago, but the old entry is still sitting there looking official. Calendar reminders for quarterly reviews help, but honestly you need someone who cares enough to actually do the cleanup.
Missing physical assets are almost universal. Everyone remembers to list AWS, but the FortiGate firewall in the server closet and the USB drives in the supply cabinet get ignored. Physical assets are often the most vulnerable because they’re the least monitored.
No clear ownership turns assets into orphans. Nobody maintains them, nobody reviews them, and nobody responds when something goes wrong. Every single asset needs a department that takes responsibility for it.
Ignoring information assets is surprisingly common. “Strategic, Legal, and Financial Documents” is an asset just like your cloud platform is. Data doesn’t need to live in a specific system to need protection.
Asset management is nobody’s favorite task, but it’s the foundation everything else sits on. Your risk assessment is only as complete as your asset inventory. Your BIA is only as accurate as your asset classifications. Your compliance evidence is only as convincing as your asset documentation. Get this part right, and the rest of your ISMS gets much easier to build and maintain.
Ready for the next step? Set security objectives and recovery targets in your business impact analysis, then connect everything to risk scenarios with our risk assessment guide. If you’re working toward ISO 27001 certification, our compliance mapping guide shows how to tie assets and controls to framework requirements.