Asset Inventory
To meet the asset inventory requirement under VDA ISA 6.1.1, you must maintain an accurate inventory of information assets (hardware, software, data, and network components) and assign a named owner to each asset. Operationally, that means defining asset scope, standardizing attributes, integrating discovery and change processes, and keeping evidence that the inventory is complete, current, and used for security decisions. (VDA ISA Catalog v6.0)
Key takeaways:
- Your inventory must cover hardware, software, data, and network components, not just IT endpoints. (VDA ISA Catalog v6.0)
- Each asset needs an assigned owner accountable for classification and protection through the asset lifecycle. (VDA ISA Catalog v6.0)
- Auditors look for operational integration: discovery, updates on change, and inventory-driven controls (patching, access, decommission). (VDA ISA Catalog v6.0)
Asset inventory is the control everything else depends on: you cannot secure, patch, classify, or retire what you cannot name and track. Under VDA ISA 6.1.1, the expectation is straightforward but commonly under-implemented: maintain an inventory of information assets, and assign ownership. (VDA ISA Catalog v6.0)
For a Compliance Officer, CCO, or GRC lead supporting TISAX assessments, the practical challenge is not creating a spreadsheet. The challenge is operationalizing a living system of record that stays current as assets are procured, deployed, modified, moved to cloud services, connected to partner networks, or decommissioned. That system must include hardware, software, data, and network components, and it must connect to security processes like risk classification, access control decisions, vulnerability management, and secure disposal. (VDA ISA Catalog v6.0)
This page gives requirement-level implementation guidance you can execute quickly: what scope to include, what fields to capture, who owns what, how to keep the inventory updated, and what evidence to retain for assessors.
Regulatory text
Requirement (VDA ISA 6.1.1): “Maintain an inventory of information assets including hardware, software, data, and network components with assigned ownership.” (VDA ISA Catalog v6.0)
Operator interpretation:
You need a controlled inventory that identifies your information assets across four categories (hardware, software, data, network components) and shows a clear owner for each asset. The “owner” is not the IT admin who happens to manage it; it is the accountable role responsible for classification and protection decisions across the asset’s lifecycle. (VDA ISA Catalog v6.0)
What an assessor is trying to learn:
- Do you know what you have (including in cloud and in plants/labs), where it is, and why it matters?
- Can you show accountable ownership and classification?
- Do your downstream controls actually use the inventory (patching, access control, decommissioning)? (VDA ISA Catalog v6.0)
Plain-English requirement
Maintain a single, consistent view of information assets that your organization relies on, and make sure every asset has a responsible owner. The inventory must be broad enough to include endpoints and servers, software and services, datasets and repositories, and the network components that connect and expose them. (VDA ISA Catalog v6.0)
Who it applies to
Entity types: Automotive suppliers and OEMs pursuing or maintaining TISAX alignment and assessments. (VDA ISA Catalog v6.0)
Operational contexts where this becomes exam-critical:
- Mixed environments: corporate IT + engineering + manufacturing/OT + lab networks.
- Cloud adoption: SaaS and IaaS assets that “exist” as accounts, subscriptions, managed services, and identities.
- Third-party connectivity: supplier portals, remote support, EDI, VPNs, and extranet links.
- High-change environments: frequent builds, new programs, new plants, or rapid onboarding of contractors.
What you actually need to do (step-by-step)
1) Define “asset” scope and boundaries
Write a one-page scope statement that answers:
- In-scope asset categories: hardware, software, data, network components. (VDA ISA Catalog v6.0)
- In-scope environments: corporate, cloud, engineering, plant/OT (if applicable), labs, remote work.
- In-scope ownership model: asset owner vs. technical custodian vs. system administrator.
Practical tip: define information asset to include “anything that stores, processes, or transmits company or customer information,” then map that to the four required categories. (VDA ISA Catalog v6.0)
2) Choose your system of record (and stop treating “spreadsheet” as a strategy)
Pick one primary inventory location (CMDB, ITSM tool, asset platform, or governed database). You can ingest from multiple sources, but you need one place assessors can inspect and where ownership lives.
Minimum operational requirement: the inventory must be maintained. That implies controlled updates, not ad hoc edits. (VDA ISA Catalog v6.0)
3) Standardize required fields (your “asset record” schema)
Create mandatory fields per asset type. Keep it small enough that people will fill it in, but rich enough to drive controls.
Baseline fields (all asset types):
- Unique asset ID
- Asset type (hardware/software/data/network)
- Name/description
- Business service / process supported
- Environment (prod/dev/test; site/plant; cloud account/subscription)
- Owner (named role and individual)
- Technical custodian (optional but useful)
- Classification / sensitivity label (at least a simple tier)
- Location (physical or logical)
- Lifecycle status (planned/active/retired)
- Last verified date (manual or automated)
- Link to evidence source (discovery tool, procurement record, cloud inventory export)
Ownership and classification are the non-negotiables. The requirement calls out assigned ownership and links ownership to classification/protection across the lifecycle. (VDA ISA Catalog v6.0)
4) Build the initial inventory (fast, then refine)
Use multiple feeds to get to acceptable coverage quickly:
- Procurement/AP feed: purchased hardware, software subscriptions.
- Endpoint management: workstations, mobile devices.
- Server/virtualization/cloud exports: instances, managed services, storage.
- Network tooling: IPAM, switches/routers/firewalls, VPN concentrators.
- Software discovery: installed applications, critical agents.
- Data mapping workshops: top datasets and repositories by business process.
Do not try to perfect everything before you have anything. Get a credible baseline that you can defend, then mature it. (VDA ISA Catalog v6.0)
5) Assign owners and make ownership real
Define what “owner” means in your governance:
- Approves classification and required protections
- Confirms access model (who should have access)
- Accepts risk or escalates exceptions
- Approves decommissioning and data retention/disposal actions
Then operationalize:
- Add owner as a mandatory field for “active” lifecycle status.
- Create a workflow to resolve “unknown owner” records.
- Add ownership confirmation to onboarding of new systems and to quarterly service reviews.
If you cannot name owners for key systems and datasets, the inventory will read as administrative rather than operational. (VDA ISA Catalog v6.0)
6) Connect inventory to change and security processes
This is where most programs fail audits: they can show a list, but not a controlled process.
Minimum integrations to implement:
- Change management: any change that introduces or materially changes an asset must update the inventory record (new system, new subnet, new SaaS, major version upgrades).
- Joiner/mover/leaver: identities and privileged accounts should link to inventoried systems and services.
- Vulnerability and patching: patch scope derived from inventory, with documented exceptions tied back to asset records.
- Incident response: asset criticality and owner drive triage routing.
- Decommissioning: inventory status change triggers access removal, certificate/key rotation where needed, and data disposition.
You are building proof that the inventory is maintained and used for protection decisions across the lifecycle. (VDA ISA Catalog v6.0)
7) Define update cadence and “verification” rules
Set two mechanisms:
- Event-driven updates: procurement, deployment, change tickets, new cloud resources.
- Periodic verification: owners/custodians attest that records are accurate and assets still exist.
Avoid arbitrary cadence statements that you cannot evidence. Instead, define a verification workflow and keep the logs. (VDA ISA Catalog v6.0)
8) Document exceptions and unknowns
You will have gaps (shadow IT, lab gear, legacy switches, acquired environments). Track them explicitly:
- “Discovered but unmanaged”
- “Owner pending”
- “Unknown software publisher”
- “Network component not reachable by scanner”
Auditors prefer visible, managed gaps over hidden gaps.
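The rules in steps 3, 5, 7 and 8 can be checked mechanically against an inventory export. The following is an added example, not part of the VDA ISA catalog or any vendor tool: the snake_case field names, the sample records and the 180-day verification threshold are assumptions to replace with your own schema and verification rule.

```python
from datetime import date

CATEGORIES = {"hardware", "software", "data", "network"}  # the four required categories
LIFECYCLE = {"planned", "active", "retired"}
# Baseline fields from step 3; the key names are assumptions for this example.
REQUIRED = ["asset_id", "asset_type", "name", "business_service", "environment",
            "classification", "location", "lifecycle_status", "last_verified",
            "evidence_source"]

def check_record(rec, today, max_age_days):
    """Return the list of findings for one asset record."""
    findings = [f"missing:{f}" for f in REQUIRED if not rec.get(f)]
    if rec.get("asset_type") and rec["asset_type"] not in CATEGORIES:
        findings.append("invalid:asset_type")
    if rec.get("lifecycle_status") and rec["lifecycle_status"] not in LIFECYCLE:
        findings.append("invalid:lifecycle_status")
    # Step 5: owner is mandatory once an asset is active; otherwise queue it.
    if rec.get("lifecycle_status") == "active" and not rec.get("owner"):
        findings.append("owner_pending")
    # Step 7: flag records whose last verification is older than the threshold.
    verified = rec.get("last_verified")
    if verified and (today - date.fromisoformat(verified)).days > max_age_days:
        findings.append("verification_overdue")
    return findings

def audit_inventory(records, today, max_age_days=180):
    """Per-record findings plus any required category with no records at all."""
    findings = {}
    for rec in records:
        issues = check_record(rec, today, max_age_days)
        if issues:
            findings[rec.get("asset_id") or "<no id>"] = issues
    present = {r.get("asset_type") for r in records}
    return {"findings": findings, "uncovered_categories": sorted(CATEGORIES - present)}

# Constructed sample export (not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    {"asset_id": "HW-0001", "asset_type": "hardware", "name": "Plant HMI workstation",
     "business_service": "Line control", "environment": "prod/plant", "owner": "Head of Production",
     "classification": "internal", "location": "Plant 2", "lifecycle_status": "active",
     "last_verified": "2024-05-01", "evidence_source": "endpoint management export"},
    {"asset_id": "SW-0007", "asset_type": "software", "name": "Supplier portal (SaaS)",
     "business_service": "Procurement", "environment": "prod/saas", "owner": "",
     "classification": "confidential", "location": "SaaS subscription", "lifecycle_status": "active",
     "last_verified": "2023-01-15", "evidence_source": "procurement record"},
    {"asset_id": "DA-0003", "asset_type": "data", "name": "Engineering CAD repository",
     "business_service": "Product development", "environment": "prod", "owner": "Head of Engineering",
     "classification": "", "location": "file cluster", "lifecycle_status": "active",
     "last_verified": "2024-04-20", "evidence_source": "data mapping workshop"},
]

if __name__ == "__main__":
    print(audit_inventory(SAMPLE, TODAY))
```

Keeping each dated run of a check like this alongside the inventory export gives you the visible, managed gap list described in step 8.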
Required evidence and artifacts to retain
Keep evidence that shows both existence and maintenance of the inventory:
Core artifacts
- Asset inventory export (dated) showing coverage of hardware, software, data, and network components and assigned owners. (VDA ISA Catalog v6.0)
- Asset inventory procedure/work instruction describing: scope, required fields, ownership definition, update triggers, and verification steps. (VDA ISA Catalog v6.0)
- RACI or role description for asset owners (who assigns, who approves, who maintains). (VDA ISA Catalog v6.0)
Operational evidence
- Samples of completed asset records for critical systems and datasets (showing owner and classification). (VDA ISA Catalog v6.0)
- Change tickets or procurement records that resulted in inventory updates (before/after or linked references).
- Periodic verification/attestation logs (owner confirmations, exceptions, remediation actions).
- Decommission records with inventory status change and downstream actions (access removal, disposal confirmation where applicable).
Common exam/audit questions and hangups
Expect these lines of questioning:
- Scope completeness: “Show me your inventory for network components” and “Where do you inventory SaaS?” (VDA ISA Catalog v6.0)
- Ownership: “Who is the owner of this system/data set, and what does ownership mean here?” (VDA ISA Catalog v6.0)
- Currency: “How do you ensure the inventory stays accurate?” Assessors will look for change linkage and verification evidence. (VDA ISA Catalog v6.0)
- Lifecycle: “How do you track decommissioning, and what happens to data and access when an asset is retired?” (VDA ISA Catalog v6.0)
- Use in controls: “How does vulnerability management know what to scan?” “How do you decide criticality?” Inventory should be the reference point. (VDA ISA Catalog v6.0)
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Inventory equals “IT hardware list” | Ignores software, data, and network components explicitly required. (VDA ISA Catalog v6.0) | Build four asset domains with accountable owners for each domain. |
| “Owner” is the IT admin | Owners must be accountable for classification and protection decisions. (VDA ISA Catalog v6.0) | Assign business/system owners; keep technical custodians separate. |
| No update mechanism | Lists decay fast and assessors can tell. | Tie updates to procurement and change tickets; keep verification logs. |
| Data assets omitted | Data is explicitly in scope. (VDA ISA Catalog v6.0) | Start with crown-jewel datasets and repositories; expand iteratively. |
| Network inventory missing | Firewalls, routers, VPNs, and core services often get missed. (VDA ISA Catalog v6.0) | Source from network team systems (IPAM/config backups) and map ownership. |
Enforcement context and risk implications
No public enforcement cases are provided in the source material for this requirement. The risk is still practical and immediate: an incomplete or stale asset inventory breaks downstream controls (patching, access control, incident response routing, and decommissioning). For TISAX assessments, that usually becomes a “can’t demonstrate” problem rather than a purely technical gap. (VDA ISA Catalog v6.0)
A practical 30/60/90-day execution plan
First 30 days (stabilize scope and ownership)
- Publish the scope statement and asset owner definition mapped to VDA ISA 6.1.1 categories. (VDA ISA Catalog v6.0)
- Select the system of record and lock the schema (mandatory fields, especially owner and classification). (VDA ISA Catalog v6.0)
- Identify top critical services/systems and assign owners for them first.
- Stand up a weekly inventory triage: unknown owners, duplicates, unmanaged discoveries.
By 60 days (baseline inventory + operational hooks)
- Build baseline inventory from procurement, endpoint management, cloud exports, and network sources. (VDA ISA Catalog v6.0)
- Implement event-driven update triggers in change management for new/modified assets.
- Create owner attestation workflow and start collecting attestations for critical assets.
- Produce an “audit-ready export” view that includes owners and lifecycle status.
By 90 days (prove maintenance and lifecycle control)
- Expand data asset inventory to include key repositories and datasets tied to business processes. (VDA ISA Catalog v6.0)
- Connect vulnerability/patch scope to the inventory (document the linkage and exceptions).
- Run a decommission exercise: retire a system, update inventory, and capture evidence of access removal and data disposition steps.
- Hold an internal “mock assessment” sampling exercise: pick assets at random and prove record accuracy, ownership, and current state.
Where Daydream fits naturally: If you are coordinating inputs from IT, engineering, plants, and third parties, Daydream can act as the workflow layer that chases ownership, collects attestations, and keeps an evidence packet tied to each asset record, so you are not rebuilding proof during every assessment.
Frequently Asked Questions
What counts as an “information asset” for this requirement?
VDA ISA 6.1.1 explicitly includes hardware, software, data, and network components. Treat anything that stores, processes, or transmits information as in scope, including cloud services and core network infrastructure. (VDA ISA Catalog v6.0)
Do we need a CMDB, or is a spreadsheet acceptable?
The requirement says “maintain an inventory,” which implies controlled updates and ownership. A spreadsheet can work early, but it often fails on change control, auditability, and evidence of maintenance as scope grows. (VDA ISA Catalog v6.0)
Who should be the asset owner?
The owner should be accountable for classification and protection decisions across the lifecycle, typically a business service owner or system owner. Keep “technical custodian” as a separate role for day-to-day administration. (VDA ISA Catalog v6.0)
How do we inventory SaaS applications and cloud services?
Record them as software/information assets with the subscription/account as the “location,” include the service owner, classification, and the administrative tenant details. Back the record with exports from your cloud/SaaS admin consoles and procurement records. (VDA ISA Catalog v6.0)
How detailed does the data inventory need to be?
Start with critical datasets and repositories (customer data, engineering IP, regulated datasets) and track ownership, classification, and where the data lives. Expand iteratively; assessors expect coverage and a working process, not perfection on day one. (VDA ISA Catalog v6.0)
What’s the fastest way to prove the inventory is “maintained”?
Show update triggers (change/procurement), periodic verification evidence, and a sample trail where a new or changed asset resulted in an updated inventory record with an assigned owner. Auditors accept sampled proof if it is consistent. (VDA ISA Catalog v6.0)