Information Technology’s chief role in an organization is to automate business processes. In order to do this, the processes must be well understood and the systems that automate them must be integrated. One of the problems today is that we can explain the business process, but we can’t explain how the automation steps are integrated. Inventories can help.

Inventories are an essential element in modern process, or service, oriented IT shops. Industry standard views like ITIL (Information Technology Infrastructure Library) incorporate inventories in a Configuration Management Database (CMDB). Maintenance of an CMDB is challenging, but maintenance of simple inventories can provide much of the same benefit.

From an information security perspective, inventories are essential to understand where security controls should be placed and the extent of a security incident. If your department is involved in a security incident, you will be expected to have this information available.


At a minimum, inventories should be kept for:

  • Application systems and system components
  • Databases
  • Virtual and real infrastructure

Inventories can be kept in spreadsheets, databases, or in a CMDB. Spreadsheets are the simplest approach.

Information about applications should include:

  • Name of application

  • Name or description of business process being automated

  • Major functions or components
  • Location of source code or authoritative copy of the system
  • Information about the application system’s users
  • Databases or information sources used by the system (if possible)
  • Infrastructure on which the system operates (if possible)

Information about databases and other information sources should include:

  • Name of database or information store

  • Location of schema, data dictionary, or format of the information

  • Information about the application the database supports (if possible)
  • Infrastructure on which the database or data store resides (if possible)

Information about virtual and real infrastructure

  • Name of device

  • Name of virtual system component

  • Physical location of the device or virtual component
  • Information about software revisions and patch levels
  • Information about maintenance contracts and key contacts
  • Information about the application or database that the infrastructure supports (if possible) 

The need for inventories does not stop with systems in the datacenter. Network components and even user PCs should also be inventoried.

If possible, PC inventories should include:

  • An inventory of software loaded on the PC

  • The physical location

  • User information
  • Support contact information