CIS Critical Security Controls
Prioritized controls that actually matter.
Evaluate implementation of the CIS Critical Security Controls for effective, prioritized cyber defense.
Overview
The CIS Critical Security Controls (originally published as the SANS Top 20) are a prioritized, prescriptive set of safeguards aimed at stopping the most common attacks. Unlike broader frameworks, the CIS Controls are specific and actionable: they say exactly what to implement. We assess your organization against all 18 controls of CIS Controls v8, identifying which safeguards are implemented, partially implemented, or missing entirely.
What We Test
Our CIS Critical Security Controls engagements cover all 18 controls of v8. (The Basic, Foundational, and Organizational tiers of v7 no longer exist in v8, which uses Implementation Groups instead.) The controls fall into these areas:
Controls 1-6
Inventory and control of enterprise assets and of software assets, data protection, secure configuration of enterprise assets and software, account management, and access control management.
Controls 7-16
Continuous vulnerability management, audit log management, email and web browser protections, malware defenses, data recovery, network infrastructure management, network monitoring and defense, security awareness and skills training, service provider management, and application software security.
Controls 17-18
Incident response management and penetration testing.
Our Approach
We evaluate each CIS Control's implementation status using the CIS implementation groups (IG1, IG2, IG3) appropriate for your organization size and risk profile.
Scope Definition
We determine your implementation group based on organization size, data sensitivity, and resources.
Control Assessment
Each applicable control is evaluated for implementation status and effectiveness.
Evidence Collection
We document evidence of control implementation including configurations, policies, and tool outputs.
Prioritized Roadmap
Gaps are prioritized based on CIS guidance and your specific threat landscape.
Common Findings
These are issues we frequently discover during CIS Critical Security Controls engagements:
Incomplete Hardware Inventory
High: Control 1 (Inventory and Control of Enterprise Assets) not fully implemented; unknown devices are present on the network and there is no process to identify and remove them.
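One way to produce evidence for this finding, as an added example that is not the assessment provider's tooling: reconcile the devices actually holding DHCP leases against the asset inventory. CIS v8 safeguard 1.4 calls for exactly this use of DHCP logging, and safeguard 1.2 for acting on the unauthorized assets it surfaces. The script assumes leases are exported in ISC dhcpd.leases syntax and that the inventory is keyed by MAC address; the lease file and inventory below are constructed sample data (RFC 5737 addresses, locally administered MACs).

```python
"""Reconcile active DHCP leases against the enterprise asset inventory (CIS Control 1).

Added example for this page, not a tool from the original. Inputs are assumed:
ISC dhcpd.leases syntax for the lease file and a MAC-keyed inventory; both are
constructed sample data.
"""
import re

# Constructed dhcpd.leases excerpt: three active leases, one released lease.
DHCPD_LEASES = """
lease 192.0.2.10 {
  starts 4 2024/05/02 10:00:00;
  ends 4 2024/05/02 22:00:00;
  binding state active;
  hardware ethernet 02:00:5e:00:00:01;
  client-hostname "laptop-01";
}
lease 192.0.2.11 {
  binding state active;
  hardware ethernet 02:00:5E:00:00:02;
  client-hostname "printer-lobby";
}
lease 192.0.2.12 {
  binding state free;
  hardware ethernet 02:00:5e:00:00:03;
}
lease 192.0.2.13 {
  binding state active;
  hardware ethernet 02:00:5e:00:00:04;
  client-hostname "android-8f2c";
}
"""

# Constructed inventory export: MAC -> asset record. One entry has no lease at all.
INVENTORY = {
    "02:00:5e:00:00:01": {"asset_tag": "LT-0042", "owner": "jdoe"},
    "02:00:5e:00:00:02": {"asset_tag": "PR-0007", "owner": "facilities"},
    "02:00:5e:00:00:09": {"asset_tag": "LT-0043", "owner": "asmith"},
}

LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_active_leases(text: str) -> dict:
    """Return {mac: {"ip": ..., "hostname": ...}} for leases in binding state 'active'."""
    leases = {}
    for ip, body in LEASE_BLOCK.findall(text):
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        if not (state and mac) or state.group(1) != "active":
            continue  # free/expired leases and malformed blocks are not evidence of a live device
        host = HOST_RE.search(body)
        # dhcpd.leases is append-only and the newest declaration wins, so a later
        # block for the same MAC replaces the earlier one here as well.
        leases[mac.group(1).lower()] = {"ip": ip, "hostname": host.group(1) if host else None}
    return leases


def reconcile(leases: dict, inventory: dict) -> dict:
    """Devices on the wire but not in inventory, and inventory entries never seen on the wire."""
    unauthorized = {mac: info for mac, info in leases.items() if mac not in inventory}
    not_seen = sorted(set(inventory) - set(leases))
    return {"unauthorized": unauthorized, "inventoried_not_seen": not_seen}


if __name__ == "__main__":
    result = reconcile(parse_active_leases(DHCPD_LEASES), INVENTORY)
    for mac, info in result["unauthorized"].items():
        print(f"UNAUTHORIZED {mac} {info['ip']} {info['hostname'] or '-'}")
    for mac in result["inventoried_not_seen"]:
        print(f"NOT SEEN     {mac} (asset {INVENTORY[mac]['asset_tag']})")
```

DHCP only shows devices that ask for an address; statically addressed hosts, and anything on a segment the DHCP server does not serve, need ARP or switch MAC tables (or an active or passive discovery tool) as a second source before the inventory can be called complete. The "not seen" list is equally useful in an assessment: stale inventory entries are a sign the inventory is not being maintained, which is the first safeguard of the control.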
No Privileged Account Management
High: Control 5 (Account Management) gap; administrative accounts are not separately inventoried, monitored, or restricted to dedicated admin-only accounts.
Missing Email Protections
Medium: Control 9 (Email and Web Browser Protections) gap; SPF, DKIM, and DMARC are not published or are misconfigured, for example an SPF record ending in +all or a DMARC policy left at p=none.
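The "improperly configured" half of this finding is the part that is routinely missed, because a record that merely exists passes a checkbox review. The following added example (ours, not part of the original page or the assessment provider's tooling) applies the checks an assessor would make against SPF and DMARC TXT records: SPF must start with v=spf1, must end with a restrictive all mechanism rather than +all or ?all, and must stay under the RFC 7208 limit of ten DNS-lookup terms; DMARC must start with v=DMARC1, carry an enforcing policy, apply it to 100% of mail, and name an aggregate-report address. The sample records are constructed; the hypothetical SAMPLE_RECORDS table stands in for the DNS lookups you would run with dig.

```python
"""Static sanity checks for SPF and DMARC records (CIS Control 9, safeguard 9.5).

Added example for this page, not the assessment provider's code. SAMPLE_RECORDS is a
constructed stand-in for real DNS TXT lookups.
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 section 4.6.4 caps the total at 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample data: one well-configured domain, one with typical mistakes.
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    },
    "weak.example": {
        "spf": "v=spf1 include:a.example include:b.example ptr +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
}


def check_spf(record: str) -> list:
    """Return findings for one SPF record; an empty list means no issue found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    has_all = False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1  # top-level count only; includes add their own lookups when evaluated
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow")
        if name == "all":
            has_all = True
            if qualifier == "+":
                findings.append("+all permits any sender (record is useless)")
            elif qualifier == "?":
                findings.append("?all is neutral; use ~all or -all")
    if not has_all and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no all mechanism; unmatched senders default to neutral")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds RFC 7208 limit of 10")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for one DMARC record; an empty list means no issue found."""
    findings = []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return ["record does not start with v=DMARC1"]
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not being collected")
    return findings


def assess(domain: str) -> dict:
    """Run both checks for a domain in the constructed SAMPLE_RECORDS table."""
    recs = SAMPLE_RECORDS[domain]
    return {"spf": check_spf(recs["spf"]), "dmarc": check_dmarc(recs["dmarc"])}


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        print(domain, assess(domain))
```

In an engagement the records come from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. Two caveats: the lookup counter above only counts the top-level record, so a domain can pass it and still break the limit once its include chains are followed, and DKIM cannot be assessed statically from the domain alone because selector names are only discoverable from signed mail headers, so that check is done against a sample of the organization's outbound messages.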
No Security Awareness Program
Medium: Control 14 (Security Awareness and Skills Training) gap; employees receive no regular security training or phishing simulations.
Common Questions
What are implementation groups?
CIS defines three Implementation Groups (IGs) based on an organization's risk profile and the resources it can devote to security, not headcount alone. IG1 is the essential cyber hygiene baseline (56 of the 153 safeguards in v8) for organizations with limited IT and security expertise. IG2 adds safeguards for organizations with dedicated staff handling more sensitive data (130 safeguards cumulative). IG3 covers all 153 safeguards for enterprises facing sophisticated adversaries or holding highly sensitive data. All 18 controls apply at every IG; the groups differ in which safeguards within each control are expected. We help determine which group fits your organization.
How does CIS compare to NIST CSF?
CIS Controls are more prescriptive—they tell you specifically what to do. NIST CSF is broader and more flexible. Many organizations use NIST CSF as their overall framework and CIS Controls as the specific implementation guide.
Other Gap Assessment Options
NIST Cybersecurity Framework
Assess your organization against the NIST CSF 2.0 six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
PCI-DSS Readiness
Prepare for PCI compliance by identifying gaps in cardholder data protection before your QSA arrives.
ISO 27001 Readiness
Assess readiness for ISO 27001 certification with comprehensive control mapping and evidence review.
HIPAA Security Assessment
Evaluate your safeguards against HIPAA Security Rule requirements for protected health information.
SOC 2 Readiness
Prepare for SOC 2 Type I or Type II examination with gap identification across Trust Service Criteria.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873