Lesson 7.1 — Building and maintaining the device inventory
This lesson explains how to build a complete, accurate device inventory for Cyber Essentials purposes — what to include, how to structure it, and how to keep it current.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- build a structured device inventory that captures all in-scope devices with the detail needed to answer Cyber Essentials control questions for firewalls, configuration, updates and malware protection.
Why This Matters
The device inventory is not just an administrative record; it is the foundation that makes control answers credible and auditable.
The Core Rule
The device inventory is the foundation of Cyber Essentials preparation. Without it, many control answers cannot be reliably completed.
The inventory should cover all in-scope devices — laptops, desktops, mobile phones, servers, network equipment and any other device that connects to the in-scope environment. For each device, record the type, operating system, version, who manages it, and its current control status.
What counts as a device
For Cyber Essentials purposes, the following should all be considered when building the device inventory:
End-user devices:
- Laptops (company-owned and any personal devices used for business work)
- Desktop computers
- Thin clients and virtual desktop clients
What to capture for each device
A useful device inventory captures enough information to answer the control questions — not more. For each device, record:
The operating system version is particularly important. Recording "Windows 10" alone is not enough: Windows 10 version 21H2 and Windows 10 version 22H2 are different releases, and the support status of each version differs. The same applies to macOS, iOS, Android, Linux distributions and firmware versions on network devices.
Common inventory blind spots
Device inventories regularly miss the same categories of device. Before considering the inventory complete, check:
- Director and senior leadership devices — these are often unmanaged or managed differently from standard staff devices.
- Spare and standby devices — old laptops kept as replacements that are rarely switched on and never updated.
- Home-worker devices — personal laptops used to access business systems, or company devices at remote locations.
- Mobile phones — particularly where staff access email or cloud services on personal phones without a formal policy.
- Devices managed by the IT provider — the provider may have devices registered to the organisation that the organisation itself is not aware of.
- Virtual machines — VMs are sometimes overlooked because they do not have physical presence.
- Network equipment — routers and firewalls are devices with operating systems and firmware that also need updates and configuration review.
Copy This
Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.
Quick Checklist
Before moving on, make sure you can say yes to these:
- [ ] Why is the device inventory described as the foundation of Cyber Essentials preparation?
- [ ] Which of the following is most commonly missed in a device inventory?
- [ ] What does "managed device" mean in the context of a device inventory?
- [ ] Why does the operating system version matter in the device inventory, not just the operating system name?
- [ ] How current does the device inventory need to be for a Cyber Essentials assessment?
Your Action
Do this now — it takes 10–20 minutes.
Finalise your device inventory. Every in-scope device should have: type, make, OS, version, and owner. Cross-check against Section A2.
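One way to run this check automatically, as an added example rather than part of the course material: the script below flags devices that are missing any of the five fields or carry a placeholder version, and reports blind-spot categories with no entries at all. The CSV column names, the type values and the sample rows are constructed assumptions, not a Cyber Essentials format.

```python
import csv
import io

# Fields the lesson says every in-scope device should have.
REQUIRED = ("type", "make", "os", "version", "owner")

# Some blind-spot categories from the lesson, mapped to the (assumed) values
# of the "type" column that would show the category is represented.
BLIND_SPOT_TYPES = {
    "mobile phones": {"phone"},
    "virtual machines": {"vm"},
    "network equipment": {"router", "firewall", "switch"},
}

# Constructed sample inventory; names, vendors and owners are made up.
SAMPLE_CSV = """\
name,type,make,os,version,owner
LT-001,laptop,Dell,Windows 10,22H2,A. Patel
LT-002,laptop,Lenovo,Windows 10,,J. Smith
PH-001,phone,Apple,iOS,,
FW-001,firewall,Example Networks,vendor firmware,unknown,IT provider
"""

def check_inventory(csv_text):
    """Return (per-device findings, blind-spot categories with no entries)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = {}
    for row in rows:
        problems = [f"missing {f}" for f in REQUIRED
                    if not (row.get(f) or "").strip()]
        version = (row.get("version") or "").strip().lower()
        # A placeholder is not a version: it cannot show support status.
        if version in {"unknown", "latest", "n/a", "tbc"}:
            problems.append("version is a placeholder")
        if problems:
            findings[row["name"]] = problems
    seen = {(r.get("type") or "").strip().lower() for r in rows}
    absent = sorted(c for c, types in BLIND_SPOT_TYPES.items()
                    if not (seen & types))
    return findings, absent

if __name__ == "__main__":
    findings, absent = check_inventory(SAMPLE_CSV)
    for name, problems in findings.items():
        print(f"{name}: {', '.join(problems)}")
    for category in absent:
        print(f"no entries for: {category} (confirm none are in scope)")
```

A category reported as absent is a prompt to confirm that no such devices are in scope, not proof that the inventory is wrong.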
Key Takeaway
The inventory must be current at the time of assessment.
Your Workbook Activity
Complete: Complete device inventory
Next Lesson
In the next lesson: Approved and permitted software