Asset Management and Cyber Essentials: If You Don't Know What's in Your Estate, How Can You Protect It?
By Mark Kindred, Senior Assessor – Get Cyber Certified. Estimated reading time: 5 minutes.

I'll be straight with you: asset management isn't a formal control within Cyber Essentials certification. There's no section in the question set that asks you to submit an asset register, and you won't fail your assessment because your inventory spreadsheet isn't tidy enough.
But in my experience as a senior assessor, poor asset management is one of the most common underlying reasons why organisations struggle to pass — or why they achieve certification but remain genuinely exposed. The logic is simple: if you don't know what's in your IT estate, you can't patch it, you can't control access to it, you can't configure it securely, and you can't accurately define what's in scope for your assessment. Every single one of the five Cyber Essentials controls depends, at some level, on knowing what you have.
This article is about why asset management matters, what Shadow IT and hidden devices look like in practice, and what I'd recommend every organisation does before starting their certification journey.
What Asset Management Actually Means
When I talk about asset management with clients, I'm not talking about a complex enterprise ITAM platform or a six-month discovery project. I'm talking about a clear, accurate, maintained record of every device, piece of software, cloud service, and user account that your organisation uses.
The NCSC's guidance on asset management puts it well: knowing what assets you have within your environment is fundamental to applying effective security controls. It's much easier to protect things you know about. That might sound obvious — but it's remarkable how often organisations start their Cyber Essentials application and discover devices, services, or accounts they'd either forgotten about or didn't know existed.
In practical terms, the assets you need to account for include:
Hardware — laptops, desktops, servers, mobile phones, tablets, printers, network switches, routers, firewalls
Software — operating systems, applications, browser extensions, plugins
Virtual infrastructure — virtual machines, cloud-hosted servers, containers
Cloud services and SaaS — Microsoft 365, Google Workspace, CRM platforms, cloud storage, project management tools
User and administrator accounts — including service accounts, shared accounts, and any accounts for former employees that haven't been disabled
Even for a relatively small organisation, that's a substantial list. And in my experience, the initial inventory almost always turns up something unexpected.
Why Asset Management Underpins Every Cyber Essentials Control
Let me walk through how each of the five Cyber Essentials controls connects directly back to knowing your assets.
Firewalls and boundary controls — you can't configure a firewall correctly if you don't have a clear picture of what devices are connecting through it and what traffic is legitimate. An unknown device on your network is a device your firewall policy wasn't designed to handle.
Secure configuration — in our Passing Cyber Essentials Tips article, one of the first steps I recommend is inventorying your devices and software before you do anything else. You can't configure something securely if you don't know it's there, and you can't remove unnecessary software or disable default accounts on a device you've never documented.
Access control — our article on Achieving Cyber Essentials Certification: Understanding the Principle of Least Privilege explains how one of the most common weaknesses I find during assessment preparation is active accounts for staff who have left, or accumulated permissions that nobody has ever reviewed. Without a current asset and account inventory, permission creep goes unnoticed and dormant accounts remain live — both of which are direct compliance failures under Cyber Essentials.
Patch management — you cannot patch software you don't know exists. With the April 2026 changes introducing automatic failure if high-risk or critical updates aren't applied within 14 days of release, an incomplete asset inventory isn't just a scoping inconvenience anymore. It's a direct route to a failed assessment. I covered these changes in full in New Cyber Essentials Changes Announced for April 2026.
Malware protection — anti-malware controls must be applied across all in-scope devices. Devices missing from your inventory are devices missing from your protection.
The Scoping Connection
Asset management and scoping are inseparable. As I explain in How to Scope Cyber Essentials, scoping defines the boundary of your assessment and determines which systems your certification actually covers. To define that boundary accurately, you need to know every device capable of making or receiving an internet connection, every cloud service processing organisational data, and every end-user device used for business purposes.
If your asset inventory is incomplete, your scope will be incomplete. And an incomplete scope either means gaps in your protection that get caught during assessment, or — worse — gaps that get missed entirely and leave your organisation genuinely exposed.
Shadow IT: The Hidden Devices You Don't Know About
This is the part of the conversation that often surprises clients. When I mention Shadow IT, many people initially picture a rogue employee doing something deliberately subversive. The reality is almost always far more mundane — and far more widespread.
The NCSC defines Shadow IT as unknown assets used within an organisation for business purposes, but not accounted for in asset management and not aligned with corporate IT processes or policy. Because these assets are unmanaged, they represent an unknown risk — and unknown risks can't be controlled.
In practice, Shadow IT covers a much wider range of scenarios than most people initially consider:
Personal devices used to access work email or cloud services without any formal enrolment or security controls applied
IoT devices brought into the office or connected to work networks — as we discussed in Securing Your IoT Devices: Why Cyber Essentials is Crucial for Protection, these devices are frequently running outdated firmware, default passwords, and have no reliable patch mechanism
Unauthorised Wi-Fi access points installed by staff because the signal in a particular area isn't good enough
Personal cloud storage — Dropbox, Google Drive, iCloud — used to share or access work files outside of sanctioned systems
Unapproved messaging or collaboration tools used as alternatives to corporate systems because they're more convenient
Software installed locally on devices that IT has never reviewed or approved
Every one of these represents an asset that is in use for business purposes, potentially in scope for Cyber Essentials, and entirely outside your controls.
Why It Happens — and How to Respond
The NCSC makes an important point that I think is worth repeating: Shadow IT is rarely malicious. In the vast majority of cases, it happens because a member of staff can't do what they need to do using the approved tools — so they find an unofficial workaround. The person who stores files in their personal Dropbox because the corporate file share is painfully slow, or installs a free utility because the approved equivalent doesn't quite meet their needs, isn't trying to create a security problem. But the risk they create is real regardless.
This matters for how you respond when you discover Shadow IT in your organisation. The NCSC is explicit on this: reprimanding staff for using unsanctioned tools can seriously backfire. If people fear blame, they — and their colleagues — will be far less likely to come forward about other informal practices, which reduces your visibility of risk even further. A far more effective approach is to understand why the unofficial tool or device is being used, address the underlying need where possible, and bring the asset above-board rather than simply banning it without context.
The Impact on Your Cyber Essentials Assessment
From an assessment perspective, Shadow IT and poor asset management create concrete, identifiable problems:
Unpatched devices outside your inventory — a device that isn't in your asset register won't be in your patch management process. If it's on your network and capable of accessing organisational data, it is in scope for Cyber Essentials. An unpatched in-scope device is a failed control, and under the April 2026 changes, that failure can now be automatic.
Incomplete scope declarations — as I explain in How to Scope Cyber Essentials, you cannot exclude devices from scope simply because you're unaware of them. If a device accesses organisational systems or data, it's in scope — whether or not it appears in your records.
Cloud services with no controls applied — personal or unapproved cloud storage used for business data is in scope for Cyber Essentials where organisational data is processed. If you don't know it's being used, you can't ensure the right controls are in place. The April 2026 changes include a formal definition of cloud services specifically to address ambiguity in this area.
Access control failures — as our Principle of Least Privilege article makes clear, uncontrolled access is one of the most common weaknesses I find during assessment preparation. Without a complete account inventory, it's virtually impossible to demonstrate that access has been properly restricted and reviewed.
Practical Steps: Getting Your Asset Inventory in Order
You don't need a sophisticated platform to do this well, but you do need a process and you need to start before you open your assessment application. Here is how I guide clients through it:
Treat asset discovery as step one — before you answer a single question in the assessment, walk through your environment and document every device, service, and account in use. Include devices used for home and hybrid working, not just those physically in the office.
Ask your staff, not just your IT team — the IT team knows what they provisioned. Your staff know what they're actually using. Have the conversation, and approach it without blame so people are honest with you.
Include cloud services explicitly — list every SaaS platform, cloud storage service, and web application used for business purposes. Don't assume your IT team has visibility of everything — personal cloud storage and collaboration tools frequently fly under the radar.
Scan your network for unknown devices — network scanning tools can surface devices that are connected but not in your records. The NCSC's guidance on asset management suggests that making it difficult for unregistered assets to authenticate to your systems in the first place is an effective long-term control.
Cross-reference accounts against your current staff list — disable dormant accounts and remove access for anyone who no longer requires it. This is a direct Cyber Essentials requirement under access control, and something I check during every assessment. Our Principle of Least Privilege article covers this in detail.
Use your inventory to define your scope — once you have a complete picture of your estate, use it to make informed, accurate scoping decisions. Our How to Scope Cyber Essentials guide walks through exactly how to translate your asset inventory into a well-defined assessment boundary.
Keep it current — an asset inventory only has value if it's maintained. Build a process for adding new devices, retiring old ones, and reviewing cloud service usage regularly. Certification is annual; your inventory should be a living document.
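The reconciliation these steps describe (register against scan, accounts against staff list, patch status against the 14-day window) is mechanical enough to script. The block below is an added example written for this page, not a tool from Get Cyber Certified, IASME or the NCSC. Every record in it is constructed sample data; the field names, the MAC-address matching, the 90-day dormancy threshold and the `AS_OF` date are assumptions chosen for illustration. The 14-day figure is the one the article attributes to the April 2026 changes.

```python
"""Reconcile an asset register against a network scan, a staff list and patch status.

Added example: the data shapes, field names, the 90-day dormancy threshold and
all sample records below are constructed assumptions, not data from the article.
"""
from datetime import date, timedelta

AS_OF = date(2026, 4, 1)  # assumed "today" for the checks below

# Constructed sample register: what IT believes is in the estate.
REGISTER = [
    {"hostname": "lt-finance-01", "mac": "AA:BB:CC:00:00:01", "owner": "alice"},
    {"hostname": "lt-sales-02",   "mac": "aa:bb:cc:00:00:02", "owner": "bob"},
    {"hostname": "srv-files-01",  "mac": "aa:bb:cc:00:00:03", "owner": "it"},
    {"hostname": "lt-hr-03",      "mac": "aa:bb:cc:00:00:04", "owner": "dave"},
]

# Constructed scan output, normalised to one dict per responding host.
SCAN = [
    {"ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01", "vendor": "Dell"},
    {"ip": "10.0.1.11", "mac": "aa:bb:cc:00:00:02", "vendor": "Lenovo"},
    {"ip": "10.0.1.40", "mac": "aa:bb:cc:00:00:03", "vendor": "HPE"},
    {"ip": "10.0.1.77", "mac": "de:ad:be:ef:00:01", "vendor": "TP-Link"},    # unregistered Wi-Fi AP?
    {"ip": "10.0.1.78", "mac": "de:ad:be:ef:00:02", "vendor": "Espressif"},  # IoT gadget?
]

# Constructed directory export and HR staff list.
ACCOUNTS = [
    {"user": "alice",      "last_login": date(2026, 3, 28), "admin": False},
    {"user": "bob",        "last_login": date(2026, 1, 2),  "admin": True},
    {"user": "carol",      "last_login": date(2025, 9, 15), "admin": False},  # left last autumn
    {"user": "svc-backup", "last_login": date(2025, 11, 1), "admin": True},
]
STAFF = {"alice", "bob", "dave"}
SERVICE_ACCOUNTS = {"svc-backup"}  # known, owned service accounts

# Constructed patch status; update IDs are placeholders, not real advisories.
UPDATES = [
    {"hostname": "lt-finance-01", "id": "UPD-1", "severity": "critical", "released": date(2026, 3, 10), "installed": True},
    {"hostname": "srv-files-01",  "id": "UPD-2", "severity": "critical", "released": date(2026, 3, 1),  "installed": False},
    {"hostname": "lt-sales-02",   "id": "UPD-3", "severity": "high",     "released": date(2026, 3, 25), "installed": False},
    {"hostname": "lt-sales-02",   "id": "UPD-4", "severity": "low",      "released": date(2026, 2, 1),  "installed": False},
]


def unknown_devices(register, scan):
    """Scan hits whose MAC is not in the register: candidate Shadow IT, in scope but unmanaged."""
    known = {d["mac"].lower() for d in register}  # normalise case before comparing
    return [h for h in scan if h["mac"].lower() not in known]


def unseen_devices(register, scan):
    """Registered assets the scan did not see: off-site, powered down, or quietly disposed of."""
    seen = {h["mac"].lower() for h in scan}
    return [d for d in register if d["mac"].lower() not in seen]


def orphaned_accounts(accounts, staff, service_accounts=frozenset()):
    """Accounts with no current owner: leavers still enabled, or service accounts nobody claims."""
    return [a for a in accounts if a["user"] not in staff and a["user"] not in service_accounts]


def dormant_accounts(accounts, as_of=AS_OF, max_idle_days=90):
    """Accounts not used within max_idle_days; review and disable unless an owner justifies them."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [a for a in accounts if a["last_login"] < cutoff]


def overdue_updates(updates, as_of=AS_OF, max_days=14):
    """Critical/high updates still missing more than max_days after release (the 14-day rule)."""
    return [u for u in updates
            if u["severity"] in ("critical", "high")
            and not u["installed"]
            and (as_of - u["released"]).days > max_days]


def report(as_of=AS_OF):
    """Run every check and return the findings keyed by check name."""
    return {
        "unknown_devices": unknown_devices(REGISTER, SCAN),
        "unseen_devices": unseen_devices(REGISTER, SCAN),
        "orphaned_accounts": orphaned_accounts(ACCOUNTS, STAFF, SERVICE_ACCOUNTS),
        "dormant_accounts": dormant_accounts(ACCOUNTS, as_of),
        "overdue_updates": overdue_updates(UPDATES, as_of),
    }


if __name__ == "__main__":
    for check, findings in report().items():
        print(f"{check}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

Two points worth noting from the sample run. Matching on lowercased MAC addresses matters because scanners and registers rarely agree on case, and a register entry that never matches anything is as useless as no entry. The checks also deliberately separate "unknown to the register" from "registered but not seen": the first list is your Shadow IT candidates and needs a no-blame conversation with staff; the second is where disposed or home-working devices show up, and it tells you whether the register itself is being maintained. Service accounts with no interactive sign-in will always appear dormant, so keep the ownership list for them current rather than exempting them from the check.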
Final Thoughts
I've assessed a large number of organisations for Cyber Essentials, and the ones that sail through tend to have one thing in common: they know their estate. They know every device, every service, every account — and they can demonstrate control over all of it.
The organisations that struggle tend to start the process believing they have a clear picture of their IT environment, and then discover during assessment preparation that the picture is less complete than they thought. Unknown devices surface during network scans. Cloud services turn up that nobody in IT knew staff were using. Former employee accounts are found still active. None of these are unusual — but all of them need to be resolved before a clean certification is possible.
Asset management won't appear in your Cyber Essentials certificate as a named control. But it is the foundation that every other control is built on. If you don't know what's in your estate, you genuinely cannot protect it.
If you'd like support building your asset inventory, or you're ready to start your Cyber Essentials certification, please get in touch. Scoping and pre-assessment guidance is included in our supported service, and I'm always happy to talk through a specific situation before you commit to an approach.
Mark Kindred is the Senior Assessor at Get Cyber Certified, an IASME-accredited Cyber Essentials certification body. For support with your certification, visit www.getcybercertified.co.uk or email team@getcybercertified.co.uk.