Information asset inventory

by John Bandler

An information asset inventory is a listing of various information assets of an organization.

What's an information asset?

I think of the term broadly, and also in terms of the Four Pillars of Cybersecurity.

  • People (yes, I know people are not property but they are important assets of an organization and the most important part of cybersecurity, we need to manage who has access to what, train them, etc.)
  • Devices (computer devices, like servers, desktops, laptops, tablets, smartphones, networking devices, etc)
  • Data and online accounts (data stored, data categories, data places, online accounts of all types, and even service accounts)
  • Networks and internet usage (and also communications tools, service accounts)

"Inventory" sounds like the most unfun thing that can be done

You would have to be a twisted type of person to enjoy doing an inventory, right? A root canal is more fun, isn't it?

First, it doesn't have to be miserable. It is a learning process of discovery and improvement. One way to really learn things is to inventory them, including by putting them into a spreadsheet and analyzing them that way. I like getting into the weeds, and it is a way to learn and master the details.

That said, if you are looking for fun and entertainment, plan something for your vacation and free time that you enjoy. But if you are looking to improve and protect an organization, that takes work, and work (by definition) is not always fun and excitement. So this needs to be done, to a degree, so resolve to do it. Or hire someone to do it.

Do we really need to do this?

Yes, it must be done. The good news is it can be done at a reasonable pace, and perfection and infinite detail is not required, and certainly not immediately. Your reasonable pace should be prioritized, meaning you list and assess the most important areas first.

Realize that this statement is contradictory and implies the organization has work to do.

  • "Our cybersecurity is excellent, our management of information assets is excellent. The only caveat is that that we don't know what we are securing and managing because we never inventoried it."

When organizations do not inventory, these things happen:

  • Domain name stolen, loss of email and website. Some organizations are unaware of where and how their domains are rented and secured. Unaware until it is stolen, then they become painfully aware.
  • Data breach or ransomware. Imagine not knowing one of your branch offices maintained a local server with personal data on it, and thinking all of your data was stored in the cloud. Then you find out the server might have been breached and realize what was on it, and that it might be a reportable incident.
  • Lost laptop. Your employee loses a laptop. Now you wish you knew the serial number, what data was on it, and how it was secured.
  • Cloud accounts, email systems, applications, devices, and more.

A process in parallel with the Four Pillars of CybersecurityInformation asset inventory

The information asset inventory can be done in parallel with the Four Pillars of Cybersecurity.

It is a process of discovery, improvement, better management and security.

First, let's talk about the process by category:

  1. First, think on people. Who are employees, contractors, service providers, what access to they have to various systems, what training do they have.
  2. Think computer devices. Servers, desktops, laptops, tablets, smartphones, network devices (or with 4), etc.
  3. Data and online accounts. Prioritize this and start with what is most important. Data (wherever it is), online accounts (of all types), email, data, documents, cloud, website, social media, service providers, etc.
  4. Network and internet. Modems, routers, switches, Wi-Fi access points, service providers (or with 3), internet service, phone service, etc.


Next, let's talk about the process by priority and level of detail:

  • Think of your inventory has a process of continual improvement, not something that is never "done"
  • Start general, higher priority, basics
  • Proceed to more detail, lower priorities, more refinement, as time allows
  • Periodically review and update the inventory. Try achieve greater precision, accuracy, detail
  • Always assess what you learned, and what priority cybersecurity improvements might be next.

Ways this helps the organization

  • We need to know what we have in order to make good decisions about how to protect it, how to manage it effectively, what services and products to buy
  • Helps with short term tactical decisions
  • Helps with long term strategy and legal advice
  • What do we protect and with what level of priority?


  • An inventory process can help with a process for bringing a new device into service securely, and for decommissioning an old device.
  • If a device is lost or stolen, our inventory helps.
  • If an account were compromised, or the service has an issue, our inventory with contact information helps us know who to contact to correct things.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform, you assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at NOT YET (though not kept as up to date).

Originally posted 6/27/2023, updated 7/19/2023.