“Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.”

“Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.”

“Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.”

Control objectives are the foundation for controls. For each control objective, one or more controls will exist to ensure the realization of the control objective.

Controls are used in two primary ways in an organization: they are created to ensure desired outcomes, and they are created to avoid unwanted outcomes.

An organization develops controls to ensure that its business objectives will be met, risks will be reduced, and errors will be prevented or corrected.

The policies, procedures, mechanisms, systems, and other measures designed to reduce risk are known as controls.

The well-known control framework known as the Critical Security Controls by the Center for Internet Security (known as the CIS 20) lists hardware asset inventory as the first control. I believe there is a specific purpose to this: an organization cannot protect assets that it does not know about.

Why Asset Management Is Control #1