Maintain a Comprehensive IT Equipment Register
Keep a regularly updated record of all IT equipment connected to the network.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Proactive
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2024
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Section
IT equipment usageTopic
It Equipment RegistersA networked IT equipment register is developed, implemented, maintained and verified on a regular basis.
Source: ASD Information Security Manual (ISM)
Plain language
Having a complete and regularly updated list of all your company’s IT gear that's connected to your network is crucial. Without it, you might not know what's vulnerable in your system, could lose track of devices if they go missing, or face unexpected security risks.
Why it matters
Without a verified IT equipment register, unknown or unmanaged devices can connect to the network, creating blind spots that enable unauthorised access and data breaches.
Operational notes
Regularly reconcile physical, virtual and cloud assets against the register, record owners and locations, and promptly update entries when devices are added, moved or retired.
Implementation tips
- Have the IT manager create a detailed inventory: They should list all devices connected to the network, including computers, printers, and mobile devices. They should use a spreadsheet or asset management tool to record details like the device type, location, user, and purchase data.
- Instruct the IT team to update the register regularly: They should check every month for any new devices or changes to existing ones. This can be done by running network scans to spot devices and comparing these to the register.
- Have the office manager manage record consistency: Ensure that when new equipment is purchased, it’s added to the register right away. They should coordinate with the procurement team to get details of new purchases.
- Assign the IT security officer to verify the register: They should periodically check if the registered devices align with actual devices found on a network scan. Any discrepancies should be investigated and resolved.
- Make the process easy to follow: Provide training to procurement and IT staff on how to report and log new devices. Use simple forms or automated systems to ensure all relevant details are captured.
Audit / evidence tips
-
Ask: the latest IT equipment register: Request the spreadsheet or document listing all networked devices
Good: shows precise entries with specific update dates
-
Ask: recent scan results from the IT team
Good: match between them means the register is accurate
-
Ask: how often the register is updated and the process followed
Good: includes regular update intervals and specific steps used to ensure devices are logged
-
Ask: the procurement office for new purchase records: Request recent IT purchases and check if these items appear in the register
Good: shows a clear match of purchase records with entries in the register
-
Good: process means quick and error-free registration
Cross-framework mappings
How ISM-0336 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | ||
| Annex A 5.9 | Annex A 5.9 requires developing and maintaining an inventory of information and associated assets, including ownership | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | ||
| E8-PA-ML1.1 | E8-PA-ML1.1 requires an automated method of asset discovery at least fortnightly to identify assets for subsequent vulnerability scanning | |
| Supports (1) | ||
| E8-PO-ML1.1 | ISM-0336 requires organisations to keep an accurate, verified register of network-connected IT equipment | |
| Depends on (1) | ||
| E8-PO-ML1.8 | E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors | |