Your CMDB says one thing, your discovery tool says another, and your fixed asset register says a third. Every IT estate carries three overlapping versions of the truth: the physical layer (devices that actually exist on desks, in racks and in store rooms), the logical layer (what agents, MDM and network discovery can see) and the financial layer (what the ledger says you bought and are depreciating). CPCON's IT asset inventory service in the UAE counts the physical layer wall-to-wall and reconciles all three — so the next time an auditor, a regulator or a CFO asks “how many laptops do we actually have, and where?”, the answer is evidence, not an estimate.
Why UAE companies are commissioning IT asset inventories now
The drivers are no longer just good housekeeping. Four compliance regimes now test the same artefact — a complete, owned, verifiable asset inventory:
- ISO 27001 (Annex A control 5.9). If your organisation holds or is pursuing ISO/IEC 27001 certification, control 5.9 requires an accurate, up-to-date inventory of information and other associated assets, with owners. Certification auditors increasingly sample devices on the floor against the inventory — and the inventory against the floor. Our guide to ISO 27001 asset inventory requirements covers what they test in practice.
- SOC 2 examinations. The Trust Services Criteria expect you to identify and manage an inventory of information assets as part of your control environment. A spreadsheet last touched at go-live is a finding; a physically verified inventory with a count date and evidence trail is a control.
- UAE PDPL — Federal Decree-Law No. 45 of 2021. Data mapping starts with device mapping. Controllers must know where personal data is processed and stored and protect it accordingly — impossible while ex-employee laptops and decommissioned servers sit unrecorded in cupboards. DIFC (DP Law No. 5 of 2020) and ADGM (Data Protection Regulations 2021) entities face parallel obligations.
- UAE corporate tax record-keeping. IT equipment is a fixed asset class like any other: taxable income is computed from IFRS-based accounts, depreciation must be supportable, and the FTA requires records behind corporate tax returns to be retained for seven years. Leased devices and equipment under IFRS 16 right-of-use accounting (see our IFRS 16 leases in the UAE guide) need the same physical evidence as owned ones.
- UAE Information Assurance Standards for government. Federal and critical-infrastructure entities subject to the UAE IA Regulation — the framework originally issued by NESA — must maintain and review asset inventories as a baseline security control. We deliver the count and the evidence in the format your information security office reports against.
One clarification we put in writing on every proposal: CPCON does not certify you, and we do not claim ISO or SOC certifications of our own. Certification is between your organisation and its certification body or service auditor. What we bring is 30 years and 4,500+ projects of physical counting discipline — to deliver the asset inventory evidence that your auditors require.
What we count
Everything with a power cord or a battery, plus the licences and contracts attached to it: end-user devices (laptops, desktops, monitors, tablets, phones), data-centre and comms-room equipment (servers, storage arrays, switches, routers, firewalls, racks, PDUs, UPS), printers and peripherals, meeting-room and AV kit, POS and warehouse handhelds — and the spares, returns and leaver-device cupboards where estates quietly rot. Each item is captured with serial number, asset tag, make/model, location, custodian, condition and photographs.
Methodology: physical × logical × CMDB reconciliation
- Scoping and data take-on. We take extracts from your CMDB or ITAM tool, your discovery/MDM/AD exports and your fixed asset register, agree locations, categories and the tagging convention, and plan the count around your business hours and change windows.
- Wall-to-wall physical count. Uniformed CPCON crews sweep every floor, rack and store room — Dubai, Abu Dhabi, Sharjah and across the GCC — scanning existing tags and applying new barcode, QR or RFID tags where needed (see asset tagging services in the UAE). Devices are captured desk-side in minutes per user; sensitive areas are counted out of hours.
- Three-way reconciliation. The floor data is matched against the logical layer and the CMDB: floor-to-system and system-to-floor. Out come the exceptions — devices on the network but not on the floor, on the floor but in no system, recorded twice, in the wrong country, or assigned to people who left. The same discipline drives our fixed asset verification service, and our article on why CMDBs lie without a physical count explains what this reconciliation typically uncovers.
- Evidence pack and handover. You receive a load-ready file for your CMDB and ERP, an exception report (ghost, unrecorded, moved, duplicated) with photographic evidence, and a management summary written for the audience that asked: the CISO, the auditor or the CFO. If you adopt RFID, every future count drops from weeks to hours.
What the evidence pack does for your audits
Audits fail on assertions and pass on evidence. After a CPCON inventory, the question “is your asset inventory accurate and current?” is answered with a dated wall-to-wall count, item-level photos and serials, a reconciliation working paper and a remediated CMDB — the same artefacts your ISO 27001 certification auditor samples under control 5.9, your SOC 2 auditor walks through in the control environment, your external financial auditor tests for existence, and the FTA expects behind depreciation. One count, four audiences.
When to commission an IT asset inventory
- Before a certification or surveillance audit — walking into stage 2 of ISO 27001, or a SOC 2 examination window, with a count dated this quarter rather than a register dated at go-live.
- Around an office move or free zone relocation — baseline before the move, verify after it; transitions are where estates lose track of themselves.
- At financial year-end — when external audit tests existence of IT fixed assets and finance needs disposals, impairments and ghost assets cleared from the register before the corporate tax computation.
- On M&A, separation or outsourcing — pricing or transferring an IT estate nobody has physically counted is how surprises become disputes.
- After rapid growth or high staff turnover — the leaver-laptop drawer and the unrecorded-joiner-kit problem compound quietly until someone counts.
Sectors and free zones we serve
Banks and financial institutions (including one of the world's largest IT asset visibility programmes for a banking leader), government entities reporting under the IA Standards, hospitals and clinics, schools and universities, hotels, logistics operators and corporate head offices — onshore and in DIFC, ADGM, JAFZA, DAFZA, DMCC and KIZAD. For the wider methodology behind device-level tracking, see our overview of IT asset inventory tracking & management.
Frequently asked questions
What is the difference between an IT asset inventory and a CMDB?
The CMDB (or ITAM database) is the record; the inventory is the act of proving the record true. A CMDB describes configuration items and their relationships, but it only knows what tools and people have told it. A physical IT asset inventory walks the floors, scans every device that actually exists and reconciles the result against the CMDB, the discovery-tool output and the fixed asset register — surfacing ghost records, unrecorded devices and wrong locations.
Is CPCON ISO 27001 or SOC 2 certified?
No — and that is the point of the engagement. ISO 27001 certification and SOC 2 reports belong to your organisation and are issued by your certification body or service auditor. CPCON is the independent field team that delivers what those audits keep asking for: a physically verified IT asset inventory, reconciled to your CMDB and ledger, with photographic and timestamped evidence. 30 years and 4,500+ projects of counting discipline, applied to your audit.
Which IT assets do you cover in an inventory?
End-user devices (laptops, desktops, monitors, tablets, phones), data-centre and comms-room equipment (servers, storage, switches, routers, firewalls, racks, UPS), printers and peripherals, meeting-room and AV equipment, POS and handheld terminals, and the spares cupboard everyone forgets. Software licences are reconciled where discovery exports are provided; the physical estate is counted item by item.
How does a physical IT inventory support UAE PDPL compliance?
Federal Decree-Law No. 45 of 2021 (the UAE PDPL) expects controllers to know where personal data is processed and stored and to apply appropriate technical and organisational measures. You cannot map data flows across devices you do not know you have. A verified device inventory — including the leaver laptops and retired servers still sitting in store rooms — is the foundation layer of any defensible data map, and the same logic applies under the DIFC and ADGM data protection regimes.
Do you work inside DIFC, ADGM and the other free zones?
Yes. CPCON crews mobilise from Dubai across all seven emirates and routinely work in DIFC, ADGM, JAFZA, DAFZA, DMCC and KIZAD, as well as across the GCC for multi-country estates. Free zone moves are exactly where IT assets go missing, so we often baseline an estate immediately before or after a relocation.
How long does an IT asset inventory take and how disruptive is it?
A single office of 1,000–2,000 devices is typically counted, tagged and reconciled within a week, working desk-side in minutes per user or outside business hours for trading floors and clinical areas. Data-centre work follows your change windows. Multi-site programmes are phased by emirate or country, and RFID tagging makes every subsequent count a fraction of the first.