STEP 3: Identify Resources for Compliance
Know what you have. And what you don’t.
You can't secure what you can't identify
Healthcare compliance isn’t about meeting checklists
Without a full inventory, risk assessments fall flat. Gap assessments miss critical blind spots. And, remediation plans become guesswork.
You can’t:
- Secure what you haven’t identified.
- Assign ownership to what’s invisible.
- Prove compliance without documentation.
Before you assign responsibilities, write policies, or remediate risks, you need to know the people, systems, assets, and controls already in place.
What to Inventory (and Why)
Here's what you need to documents to understand your current state and uncover gaps before they become liabilities:
Assets
What systems, tools, and infrastructure are in play?
- Laptops, servers, mobile devices
- SaaS platforms, development environments
- Cloud services (AWS, Azure)
Why It Matters
Organizations
How is your organization and decision-making structured?
- Are you part of a parent org?
- Do you managed multiple business units?
- Is decision-making centralized or siloed?
Why It Matters
Locations
Where does your company operate and store data?
- Physical offices
- Remote employees
- Cloud infrastructure / Co-located datacenters
Why It Matters
Users
Who are the personnel involved in your systems?
- Who has access?
- Who approves access?
- Who owns which responsibilities?
Why It Matters
Documentation
What policies and procedures already exist?
- InfoSec policies
- Security training logs
- 3rd Party Risk documentation
- Access control, onboarding & offboarding procedures
Why It Matters
Security Controls
What security safeguards are already in place?
- MFA, firewalls, encryption, logging
- Vendor reviews
- Risk assessments
- Physical badge access + logs, shredding policies
Why It Matters
Compliance Inventory Mistakes to Avoid
Relying on Static Lists
Spreadsheets and one-time exports age quickly. They miss changes in staff, tools, and structure.
Use a living inventory that updates regularly and reflects your current systems, people, and assets—not what you had six months ago.
Tracking People, Not Roles
Listing users without understanding what they do leaves big gaps in responsibility and risk mapping.
Map users to roles and responsibilities so you know who owns what—and where policies and controls apply.
Overlooking Hidden Assets
Don't forget to include miss cloud services, mobile apps, 'shadow IT' - and others not procured without IT involvement.
Take a comprehensive view of assets across departments, device types, and platforms, not just what’s centrally managed by IT.
Not Connecting Documentation
Policies, procedures, and system diagrams often live in folders, disconnected from controls or audit prep.
Link every document to a control, risk, or requirement so it actually supports your compliance narrative and audit readiness.
Start Your Risk Assessment
Now that you have the right people and platform in place, it’s time to uncover what could go wrong — before it does.
Kick off a foundational risk assessment to identify threats, assess their likelihood and impact, and document a plan that satisfies auditors and protects your organization.
People Also Ask Us...
Kevin Brown
ISO & Director of Professional Services
How do I start a resource inventory for cybersecurity compliance?
Start simple. You can start with a spreadsheet or GRC platform to list all your hardware, software, and systems, along with who owns them and how they’re used.
Pull from what already exists —IT onboarding docs, purchase records, vendor contracts, etc.
Then add user access and data sensitivity. The goal isn’t to be perfect on day one—it’s to start tracking what matters most and refine as you go.
Why is documenting your assets important for compliance?
A complete asset inventory—covering hardware, software, people, and vendors—is foundational to every major framework.
It helps identify what’s in scope for controls, risk assessments, access reviews, and incident response plans. Anything that stores or touches sensitive data, it needs to be documented.
How can I fill compliance resource gaps?
Most teams don’t have the necessary skills in-house.
So, start by identifying your internal strengths (i.e., policies, security tools) and where you lack coverage (e.g., risk management, vendor due diligence, control implementation).
Then fill the gaps through fractional experts, compliance consultants, or bundled managed services.
Some GRC platforms offer guided workflows and templates to reduce your team’s workload and help you scale faster.