OR-04 IT Operations & Resilience

Asset & Configuration Management

IT assets are known, owned and managed.

Domain: IT Operations & Resilience
Control type: Preventive/Detective
Automated / manual: Hybrid
Frequency: Continuous
Framework reference: COBIT BAI09; MAS TRM – Asset

What good looks like

Assets inventoried, classified, owned and lifecycle-managed.

Risk if it fails

Unmanaged/unknown assets ('shadow IT').

How Tess tests it

3 tests — each concludes only on cited evidence.

Asset inventory/CMDB maintained

Design

Procedure: Inspect the inventory.
Expected: Exists.
Sample: 1 (design inspection)
Evidence: Asset register/CMDB.

Inventory complete & current

Operating

Procedure: Reconcile a sample.
Expected: Accurate and current.
Sample: 25 (or full config inspection)
Evidence: Asset register/CMDB.

Assets classified & owned

Operating

Procedure: Inspect classification/ownership.
Expected: Owner and classification assigned.
Sample: 25 (or full config inspection)
Evidence: Asset register/CMDB.

Evidence Tess looks for

Asset register/CMDB.

More in IT Operations & Resilience

OR-01 IT Governance & Oversight OR-02 IT & Information Security Policies OR-03 IT Risk Assessment OR-05 Regulatory & Compliance Monitoring

Want Tess to test OR-04 against your evidence?