The Center for Internet Security calls out the First Five as the most fundamental controls for an IT security program. The list includes Inventory of Authorized and Unauthorized Hardware, Inventory of Authorized and Unauthorized Software, Continuous Vulnerability Assessment and Remediation, and Controlled Use of Administrative Privileges. Security specialists are sometimes surprised at the first two items in the list. One of the items of interest to the regulators was patch management, and the second question was, “How do you know?”
Source: https://www.csoonline.com/article/3231649/do-you-patch-your-systems-how-do-you-know.html

