What should be included in the key mgmt inventory for compliance?

• A. Inventory of HSMs and other SCDs used for key management
• B. Inventory of all employees
• C. Inventory of software licenses
• D. Inventory of customer shipments

Answer: (A)

Key management relies on the devices that actually protect and handle cryptographic keys. The inventory must include hardware security modules and other secure cryptographic devices because these are the components responsible for generating, storing, protecting, and controlling access to keys, and they require ongoing oversight of location, ownership, access controls, firmware, and lifecycle.

Without knowing what devices exist and how they’re configured, you can’t effectively enforce key protection or respond to incidents. An inventory of people, generic software licenses, or shipments doesn't directly help manage the security of cryptographic keys or the devices that protect them, so they aren’t appropriate here.