This document is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security

This publication provides organizations with advice and guidance related to information technology (IT) asset management (ITAM). It will assist you in gaining a better understanding of ITAM, what it means, why it’s important to cyber security, and what your organization should consider to efficiently track, monitor, and maintain your IT assets. Organizations of all sizes can use this guidance to define the set of practices, tailored to their business requirements, that will allow them to track and manage IT assets in their environment.

By implementing an ITAM process, your organization will be able to reduce your IT asset maintenance costs, use licenses more efficiently, increase asset utilization, and better manage security risks. You will be better prepared for compliance audits and increase the efficiency of other information technology infrastructure library (ITIL) processes.

ITAM is an important component to any security risk management framework such as the IT security risk management: A lifecycle approach (ITSG-33)Footnote 1, the NIST Cyber Security FrameworkFootnote 2, and the ISO/IEC 27001:2013Footnote 3. Integrating ITAM into your organization’s security framework will help improve your cyber security posture and provide security assurances of confidentiality , integrity , and availability for your business assets.

Organizations who don’t have the financial means or human resources needed to implement an in-depth cyber security framework are encouraged to follow our Baseline cyber security controls for small and medium organizationsFootnote 4. This publication will help you identify your organization’s valuable assets by assessing the injury level associated to them. By doing so, you’ll be able to adequately categorize your IT asset, choose the right monitoring and tracking tools, as well as the security controls needed to enhance your cyber security posture.