ISM-0336, ASD Information Security Manual (ISM)

Maintain a Comprehensive IT Equipment Register

Keep a regularly updated record of all IT equipment connected to the network.

Plain language

Having a complete and regularly updated list of all your company's IT gear that's connected to your network is crucial. Without it, you might not know what's vulnerable in your system, might lose track of devices if they go missing, or might face unexpected security risks.

Framework: ASD Information Security Manual (ISM)
Control effect: Proactive
Classifications: NC, OS, P, S, TS
ISM last updated: May 2024
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A

Official control statement

A networked IT equipment register is developed, implemented, maintained and verified on a regular basis.
ASD Information Security Manual (ISM), ISM-0336

Why it matters

Without a verified IT equipment register, unknown or unmanaged devices can connect to the network, creating blind spots that enable unauthorised access and data breaches.

Operational notes

Regularly reconcile physical, virtual and cloud assets against the register, record owners and locations, and promptly update entries when devices are added, moved or retired.

Implementation tips

  • Have the IT manager create a detailed inventory: They should list all devices connected to the network, including computers, printers, and mobile devices. They should use a spreadsheet or asset management tool to record details like the device type, location, user, and purchase data.
  • Instruct the IT team to update the register regularly: They should check every month for any new devices or changes to existing ones. This can be done by running network scans to spot devices and comparing these to the register.
  • Have the office manager manage record consistency: Ensure that when new equipment is purchased, it’s added to the register right away. They should coordinate with the procurement team to get details of new purchases.
  • Assign the IT security officer to verify the register: They should periodically check if the registered devices align with actual devices found on a network scan. Any discrepancies should be investigated and resolved.
  • Make the process easy to follow: Provide training to procurement and IT staff on how to report and log new devices. Use simple forms or automated systems to ensure all relevant details are captured.

Audit / evidence tips

  • Ask: The latest IT equipment register: Request the spreadsheet or document listing all networked devices. Good: Shows precise entries with specific update dates.
  • Ask: Recent scan results from the IT team. Good: Match between them means the register is accurate.
  • Ask: How often the register is updated and the process followed. Good: Includes regular update intervals and specific steps used to ensure devices are logged.
  • Ask: The procurement office for new purchase records: Request recent IT purchases and check if these items appear in the register. Good: Shows a clear match of purchase records with entries in the register.
  • Good: Process means quick and error-free registration.
Cross-framework mappings

How ISM-0336 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 5.9: Annex A 5.9 requires developing and maintaining an inventory of information and associated assets, including ownership

E8

Partially overlaps (1)
  • E8-PA-ML1.1: E8-PA-ML1.1 requires an automated method of asset discovery at least fortnightly to identify assets for subsequent vulnerability scanning

Supports (1)
  • E8-PO-ML1.1: ISM-0336 requires organisations to keep an accurate, verified register of network-connected IT equipment

Depends on (1)
  • E8-PO-ML1.8: E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors

ISO 42001

Partially overlaps (1)
  • Annex A 4.5: Annex A 4.5 requires the organisation to document the system and computing resources used by the AI system

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.