Home Compliance & Certification Account Inventory List Guide

Account Inventory List Guide

Last updated on Oct 06, 2025

1. Purpose of this Guide

This artefact proves that your company keeps track of all user accounts across systems. This is vital because it shows you know:

  • Who has access,

  • What level of access they have, and

  • Whether their account is still active or should be closed.

It’s your master roll call of accounts — making sure no “ghost logins” sneak past your defences.

2. What You Will Submit

You will need:

  • An Account Inventory List document or spreadsheet. This should include:

    • Name and username of the account holder

    • Department / role

    • Role or account type (e.g. user, admin, read-only)

    • System accessed

    • Approved by (who authorised the account)

    • Date of account creation

    • Last logon date

    • Current account status (active, disabled, etc.)

    • Remarks if relevant (e.g. “required for role,” “temporary account,” etc.)

3. How to Collect / Obtain / Generate This Evidence

  • Use StrongKeep's template, which can be found in the document library.

    • List each system your staff use (email, HR, cloud tools, developer platforms, etc.).

    • Record the required fields for each account, where possible.

    • Keep this updated — add new hires, remove leavers.

    • Export or save a copy (XLSX or PDF).

  • If you use an IT management tool (e.g. Microsoft 365 Admin Center, Google Workspace Admin Console, AWS IAM, Atlassian, GitLab), you can export a list of users and roles, then combine these into a single master file.

  • If you don’t yet have a consolidated list:

    1. Create a new spreadsheet.

    2. List each system your staff use (email, HR, cloud tools, developer platforms, etc.).

    3. Record the required fields for each account as listed above.

    4. Keep this updated — add new hires, remove leavers.

4. Evidence Format

  • Accepted file types: XLSX, CSV, or PDF.

  • Suggested naming format:
    YourCompanyName_AccountInventoryList_YYYY-MM-DD.xlsx

5. What “Good” Looks Like

A strong submission will show:

  • Comprehensive coverage (all systems and accounts, not just email).

  • Up-to-date logon dates — proves accounts are actively reviewed.

  • Clear status (active, disabled, revoked) so auditors see you manage leavers.

  • Approval trail — someone authorised each account.

Why this matters: Auditors want assurance that accounts aren’t created ad hoc, and that dormant or risky accounts don’t linger.

6. Tips

  • Update your inventory at least quarterly — stale records weaken your evidence.

  • Shared accounts (e.g. admin@company.com) should be minimised and well justified — note why they exist.

  • Redact sensitive notes before uploading (e.g. internal comments that don’t add value to the evidence).