If you don't know what devices exist on your network, you cannot secure them, update them, or even know when they've been compromised. A real example: a Delhi-based fintech firm discovered 12 months after a cyber attack that an old laptop, forgotten in a storeroom and never removed from their network, had been the entry point—costing them ₹45 lakhs in remediation and ₹2 crore in customer trust loss. Without an asset list, you also fail regulatory audits (DPDP Act requires you to know your data processing systems), cannot comply with customer security questionnaires, and risk operational collapse when key devices fail and you have no backup plan.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You ask people "what devices do you use" and get confused answers or no answers at all. No one knows the total count of laptops, phones, or servers, and old devices sit unused but still connected to the network.
- Initial: You have a rough list on someone's email or a notebook of devices and their owners, but it's incomplete, outdated, and nobody is responsible for keeping it current. Devices appear and disappear from your network without anyone knowing.
- Developing: You have a spreadsheet (Excel or Google Sheets) with device names, owners, purchase dates, and locations that is manually updated at least twice a year. The IT person or office manager maintains it, but it's still missing some devices and cloud subscriptions are tracked separately.
- Defined: You maintain an updated inventory spreadsheet covering all laptops, desktops, phones, servers, printers, and major cloud tools, reviewed quarterly by IT and management, with clear responsibility for updates. You also have a simple procedure for adding new devices and removing old ones.
- Managed: You use asset management software (free or paid) that automatically discovers or tracks devices on your network, with a documented inventory policy and monthly audits comparing what the system shows versus what actually exists. Employees report new devices when they arrive, and decommissioned devices are logged with disposal records.
- Optimised: You run automated asset discovery tools continuously, maintain a real-time inventory integrated with your IT change management system, conduct quarterly full audits with third-party verification, and link asset ownership to your access control and patch management processes. Your inventory feeds directly into security decisions.

| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Walk through your office, create a basic list of all devices (laptops, desktops, printers, servers, phones) in a simple spreadsheet with device type, owner name, and location. Add any cloud tools you pay for (Microsoft 365, Google Workspace, accounting software, etc.). | Office manager or IT person | 1 day |
| 1 → 2 | Expand the spreadsheet to include device name/serial number, purchase date, OS/software version, and assign one person to update it monthly. Hold a short meeting with all teams to identify missing devices and cloud subscriptions. | IT person with support from office manager | 3-5 days |
| 2 → 3 | Formalize the inventory with a documented policy defining what counts as an asset, who approves new devices, how they are tagged/labeled, and how often the list is reviewed. Schedule quarterly reviews with your management team. | IT person and business owner/manager | 1-2 weeks |
| 3 → 4 | Implement free or low-cost asset discovery software (like Lansweeper free tier or Snipe-IT) to automatically scan your network and flag unknown devices. Link it to your manual spreadsheet and run monthly reconciliation. | IT person | 2-4 weeks |
| 4 → 5 | Integrate asset management data with your security tools (patch management, access control), conduct quarterly third-party audits, and establish automated alerts when new devices join the network or old ones fail to check in. | IT person with external security consultant | Ongoing (quarterly reviews and monthly monitoring) |
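
The monthly reconciliation in step 3 → 4 and the "fail to check in" alert in step 4 → 5 can be scripted. The following is an added example, not part of the original page or of any tool named on it; the CSV column names (`device_type`, `owner`, `mac`, `location`, `ip`, `last_seen`) and every sample row are constructed, so adapt them to whatever your spreadsheet and discovery tool actually export.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample: the inventory spreadsheet exported as CSV (assumed columns).
INVENTORY_CSV = """device_type,owner,mac,location
laptop,Asha,AA:BB:CC:00:00:01,Office
printer,Shared,aa-bb-cc-00-00-02,Reception
laptop,Ravi,AA:BB:CC:00:00:03,Storeroom
"""

# Constructed sample: discovery tool export (assumed columns).
DISCOVERY_CSV = """mac,ip,last_seen
aa:bb:cc:00:00:01,192.168.1.10,2024-06-28
AA:BB:CC:00:00:02,192.168.1.20,2024-05-01
aa:bb:cc:00:00:99,192.168.1.77,2024-06-29
"""

def normalise_mac(mac):
    """Lower-case and drop separators so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def load(csv_text):
    """Index CSV rows by normalised MAC address."""
    return {normalise_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}

def reconcile(inventory_csv, discovery_csv, today, stale_days=30):
    """Compare the asset list with what the network scan saw."""
    inventory, seen = load(inventory_csv), load(discovery_csv)
    cutoff = today - timedelta(days=stale_days)
    report = {"unknown": [], "never_seen": [], "stale": []}
    for mac, row in seen.items():
        if mac not in inventory:
            report["unknown"].append(row["ip"])        # on the network, not on the list
    for mac, row in inventory.items():
        if mac not in seen:
            report["never_seen"].append(row["owner"])  # on the list, not on the network
        elif date.fromisoformat(seen[mac]["last_seen"]) < cutoff:
            report["stale"].append(row["owner"])       # has not checked in recently
    return report

if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, DISCOVERY_CSV, today=date(2024, 6, 30))
    for category, items in result.items():
        print(f"{category}: {items}")
```

Phones and laptops that use randomised Wi-Fi MAC addresses will show up as unknown under this matching; for those, reconcile on serial number or hostname instead.
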

Documents and records that prove your maturity level.

- Asset inventory spreadsheet or database with at least: device type, owner/user name, serial number or MAC address, location, purchase date, OS/software version
- List of all cloud tools/SaaS subscriptions your business pays for, including vendor name, purpose, number of users, and renewal date
- Documentation of your asset management policy (even if just 1 page) stating who is responsible for maintaining the list and how often it is reviewed
- Record of at least one quarterly or annual asset review meeting with sign-off by owner/manager (email, meeting minutes, or sign-off sheet)
- Proof of device labeling, serial number tracking, or automated discovery tool output showing devices scanned in the last 30 days

Prepare for these questions from customers or third-party reviewers.

- "Can you show me your complete list of all IT devices and cloud tools your business owns or uses, and when was it last updated?"
- "How do you ensure devices are added to your inventory when they are purchased, and removed when they are decommissioned or sold?"
- "Do you know the total number of laptops, servers, and mobile devices currently in use? Can you account for all of them right now?"
- "Which devices or systems are most critical to your business, and do you know where they are and who has access to them?"
- "If I ask your team members to list the devices they use, will your inventory match what they tell me?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Automatically discover and inventory devices on your network without manual work | Lansweeper Community Edition (up to 100 assets) or Snipe-IT (self-hosted, open source) | Lansweeper Pro (₹40,000-₹60,000/year), Microsoft Intune (₹6,000-₹10,000 per device/year for MDM) |
| Create and maintain a simple asset list with tracking and reporting | Google Sheets template or Excel template (no cost if you have Microsoft 365) | Asset Panda (₹25,000-₹50,000/year), Freshworks AssetIT (₹35,000/year) |
| Scan your network for unknown or unauthorized devices | Nmap (command-line, requires technical skill) or GlassWire (free version with limited features) | Nessus Essentials (free for personal use; Nessus Pro ₹30,000/year) |
- Forgetting to count cloud tools and SaaS subscriptions in your asset list – many Indian SMEs pay for 10+ apps but only remember the main ones (email, accounting, CRM). This leaves shadow IT unprotected and unsecured.
- Not updating the inventory after someone leaves or a device is decommissioned – old laptops and phones with data still sit on the network or in storage, creating a breach risk when they are eventually sold or given away.
- Assuming 'it's too small to matter' – many owner-led businesses think asset tracking is only for big corporates, then are blindsided when a customer asks for proof of asset security or a regulator finds undocumented devices during an audit.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Reasonable Security Practices) – you must maintain an inventory of systems that process personal data |
| CERT-In 2022 (Incident Response Rules) | Direction 3: Organizations should maintain accurate inventory of IT assets and document security incidents; critical for incident reporting |
| ISO 27001:2022 | Annex A 5.9 (Inventory of Assets) – explicitly requires organization to keep an inventory of information and information processing facilities |
| NIST CSF 2.0 | Govern (GV.OC-01): Asset Management – establish processes for physical and cyber asset inventory and management |