ISMS Compliance
CyFun Basic: Identify

ID.AM-1: Physical device inventory

Physical devices and systems within the organisation are inventoried

IDENTIFY: ID.AM-1

Requirement

Physical devices and systems used within the organisation are inventoried.

An inventory of assets associated with information and information processing facilities within the organisation shall be documented, reviewed, and updated when changes occur.

Guidance

  • This inventory includes fixed and portable computers, tablets, mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators, robots, machine tools, firmware, network switches, routers, power supplies, and other networked components or devices
  • This inventory must include all assets, whether or not they are connected to the organisation's network
  • The use of an IT asset management tool could be considered

Our Implementation

A complete physical device inventory is maintained as a structured evidence page, covering all 8 devices (3 laptops, 3 smartphones, 2 monitors) across 3 team members:

  • Scope: All company-used devices inventoried, including BYOD — laptops, smartphones, and peripherals
  • Detail level: Manufacturer, model, OS, encryption status, serial number, assignment, criticality rating, and active/inactive status
  • Review cadence: Quarterly review with CTO ownership
  • Classification: CIA-rated (High confidentiality, High integrity, Moderate availability)

Gaps / Planned improvements:

  • All devices are BYOD — formal BYOD policy not yet documented (NEX-355)
  • Full-disk encryption not yet verified on all devices — HW-003 flagged (NEX-345)
  • No IT asset management tool — using structured markdown tables

Evidence

Implemented, L2 — Repeatable

Cross-references

Framework | Control
ISO 27001:2022 | A.5.9 — Inventory of information and other associated assets
NIST CSF | ID.AM-1
CIS Controls v8.1 | 1.1
