Home Compliance & Certification Asset Inventory List ICT Vendor Guide

Asset Inventory List ICT Vendor Guide

Last updated on Dec 18, 2025

1. Purpose of This Guide

This guide helps you show that you maintain a clear, up-to-date inventory of hardware and software assets used by ICT vendors to deliver services to your organisation.

In simple terms:
If a vendor runs systems, software, or cloud resources on your behalf, you know what they arewhere they live, and when they expire.

This matters because:

  • You can’t protect what you don’t know exists

  • Vendor-managed assets are still part of your risk

  • Asset visibility underpins patching, access control, and incident response

This artefact proves you’re tracking vendor assets — not guessing.

2. What You Will Submit

You will submit an asset inventory list covering ICT vendor–managed assets, such as:

  • A spreadsheet or table listing:

    • Vendor-hosted systems

    • Third-party software and tools

    • Cloud instances (OS, software, services)

  • Records that also track:

    • Licence or certificate expiry

    • End-of-support (EOS) dates

    • Renewal timelines

This is documentation evidence, not a screenshot of a live system.

3. How to Collect / Obtain / Generate This Evidence

Step 1: Identify In-Scope ICT Vendors

List vendors that:

  • Host systems or applications for you

  • Manage cloud infrastructure

  • Provide managed IT, development, or platform services

Examples:

  • Cloud service providers (AWS, Azure, GCP)

  • Managed service providers (MSPs)

  • Software vendors hosting SaaS platforms

Step 2: List Vendor-Managed Assets

For each vendor, record assets such as:

  • Virtual machines or servers

  • Operating systems

  • Databases

  • Third-party software or tools

  • Cloud services or subscriptions

Include what is hosted, not just who hosts it.

Step 3: Capture Key Asset Details

Where available, include fields like:

  • Asset name or description

  • Vendor name

  • Asset type (hardware / software / cloud service)

  • Hosting location (on-prem, cloud, region)

  • Business purpose

  • End-of-support (EOS) date

  • Licence or certificate expiry date

  • Vendor contact or support reference

Don’t worry if some fields are blank — completeness improves over time.

Step 4: Review and Save

  • Review the list for accuracy

  • Save the document as a spreadsheet or PDF

  • Make sure it reflects current usage, not historic contracts

4. Evidence Format

Accepted file types

  • XLSX

  • CSV

  • PDF

Suggested naming format
YourCompanyName_AssetInventory_ICTVendors_Date

Example
AcmePteLtd_AssetInventory_ICTVendors_2025-07-01.xlsx

5. What “Good” Looks Like

Your evidence is solid if it shows:

  • Visible element: Clear list of ICT vendor–managed assets
    Why it matters: Demonstrates visibility over third-party infrastructure

  • Visible element: Inclusion of cloud-hosted OS and software
    Why it matters: Confirms cloud assets aren’t treated as “someone else’s problem”

  • Visible element: Expiry or EOS tracking
    Why it matters: Enables proactive risk and lifecycle management

  • Visible element: Reviewable, structured format
    Why it matters: Makes audits and updates straightforward

6. Tips from Sir Stonk 🛡️

  • Start simple. A clean spreadsheet beats a mythical perfect CMDB.

  • Review at least annually — or whenever you change vendors or platforms.

If vendors are part of your stack,
their assets belong on your map.