IT Asset Management
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series introduces IT asset management, the foundation on which every other information security control rests. It covers how organisations identify, record, and govern their technology assets across the full asset lifecycle, and why maintaining an accurate inventory is a prerequisite for effective protection and compliance.
What this episode covers
- What counts as an asset — tangible and intangible resources, including data, people, infrastructure, and finances.
- Asset inventory fields — the owner, custodian, unique identifier, value, impact, location, classification, and lifecycle stage every record needs.
- Building the inventory — drawing from purchasing systems, contracts, and network scans to create the initial master list.
- Keeping it current — adding assets on arrival, confirming ownership periodically, and retiring records promptly.
- Hardware vs. software tracking — physical tagging for hardware versus network scanning and annual licence review for software.
- Remote wipe and disable — how asset management enables rapid response when a device carrying sensitive data is lost, stolen, or returned by a departing employee.
Frequently Asked Questions
What counts as an IT asset worth tracking?
An asset is anything of value worth protecting, which can be tangible such as a server or phone, or intangible such as data or an organisation’s reputation. People, infrastructure, and financial resources all qualify as assets. The key principle is that you cannot protect what you do not know you have.
What fields should every asset inventory record contain?
Each inventory record should include an owner accountable for the asset, a custodian who handles day-to-day care, a unique identifier, the asset’s value, impact if lost, recovery priority, physical or virtual location, and a security and risk classification. Additional fields cover the larger system it belongs to, its lifecycle stage, legal or regulatory obligations, authorised users, and the date it was retired or removed.
How do hardware and software asset tracking differ?
Hardware assets are often physically tagged with a label and recorded against the person or location that holds them. Software assets are typically tracked by scanning the network to discover what is installed on devices, and licences are reviewed annually to confirm they are still needed. Both sit under the same asset management programme but use different discovery and verification methods.
How do you keep an asset inventory accurate over time?
An inventory is a living record, not a one-time snapshot. New assets should be added as they arrive and are assigned, ownership should be periodically confirmed, and assets must be removed once they are returned or destroyed. Automated tools that discover software across laptops and phones, flag unapproved programs, and block unauthorised installs all help maintain accuracy.
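The following Python is an added example, not material from the episode or from ISACA. It audits constructed inventory records against a constructed network-scan result, covering the record fields and upkeep steps described in the answers above. The key names, the `owner_confirmed` field, the 365-day confirmation interval, and all sample data are assumptions of this example.

```python
from datetime import date
# Fields the page lists for every record; the key names are this example's own.
REQUIRED = ("asset_id", "owner", "custodian", "value", "impact", "location",
            "classification", "lifecycle_stage")
REVIEW_DAYS = 365  # assumed interval; the page only says "periodically"

def audit_inventory(records, scan_ids, today):
    """Compare inventory records with scan results; return asset ids per finding."""
    out = {"missing_fields": [], "ownership_stale": [],
           "retired_but_seen": [], "unrecorded": []}
    known = set()
    for r in records:
        aid = r.get("asset_id") or "<no id>"
        known.add(aid)
        if any(r.get(f) in (None, "") for f in REQUIRED):
            out["missing_fields"].append(aid)
        retired = r.get("lifecycle_stage") == "retired"
        if retired and aid in scan_ids:
            # Record says retired, yet the device still answers on the network.
            out["retired_but_seen"].append(aid)
        confirmed = r.get("owner_confirmed")
        if not retired and (confirmed is None
                            or (today - confirmed).days > REVIEW_DAYS):
            out["ownership_stale"].append(aid)
    # Discovered by the scan but absent from the master list.
    out["unrecorded"] = sorted(set(scan_ids) - known)
    return {k: sorted(v) for k, v in out.items()}

def _rec(asset_id, **overrides):
    base = {"asset_id": asset_id, "owner": "finance-lead", "custodian": "it-desk",
            "value": 1500, "impact": "high", "location": "HQ",
            "classification": "confidential", "lifecycle_stage": "in_use",
            "owner_confirmed": date(2024, 3, 1)}
    base.update(overrides)
    return base

# Constructed sample data, not taken from the page.
SAMPLE_RECORDS = [
    _rec("LT-001"),
    _rec("SRV-007", owner="", owner_confirmed=date(2022, 1, 10)),
    _rec("PH-042", lifecycle_stage="retired"),
]
SAMPLE_SCAN = {"LT-001", "PH-042", "TAB-900"}

def run_sample():
    return audit_inventory(SAMPLE_RECORDS, SAMPLE_SCAN, date(2024, 6, 1))

if __name__ == "__main__":
    print(run_sample())
```

Each finding maps to a follow-up: assign an owner, reconfirm ownership, investigate a retired device that is still active, or add a newly discovered device to the master list.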
Reference: This article is based on concepts discussed in IT Asset Management.