Many of us have already started to analyze and even work on the adjustments and new requirements for the transition process from PCI DSS version 3.2.1 to version 4.0.
In order to support the organizations with the adjustments, I developed a template of a general inventory of the CDE that allows them to have a base on which they can start working and modify according to the specific needs of each organization. This document considers some clarifications with respect to the previous version of the standard and includes new lists and/or inventories that are required by version 4.0.
If I have learned anything in these years as a QSA, it is that although the standard is the same for everyone, each entity is its own world with a very different reality, and the same requirement can change its applicability completely from one environment to another. That is why I try to cover the widest possible spectrum with a very general document, with the fields and minimum information required by the standard.
Last, and not least, I developed the document including the minimum information that I personally like to receive to start a PCI DSS level 1 assessment, always noting that the entities that manage a "centralized" inventory are the ones that generally (not always, but most of the time) have a level of maturity in the PCI DSS recertification process.
NOTE: In no way should this or any other format be considered "mandatory" to validate compliance with PCI DSS. The standard, in both versions, indicates that there must be an inventory with the minimum information required. However, it does not have to be a specific format and it is up to the entity to choose how it develops its documentation to comply with the specific requirements; feel free to modify and adapt the inventory to the specific needs of each organization.
Source: https://www.pcihispano.com/plantilla-para-el-inventario-general-del-cde/