The CIS Controls offer a prioritized approach to cybersecurity built around the most important security measures. We support you in the effective implementation of these proven practices.
Our clients trust our expertise in digital transformation, compliance, and risk management
We follow a structured approach to CIS Controls implementation that takes both technical and organizational aspects into account.
Assessment of the current security posture and CIS readiness
Prioritization of controls based on Implementation Groups
Phased implementation from Basic through Foundational to Organizational Controls
Establishment of monitoring and measurement systems
Continuous improvement and maturity advancement
"We support companies in the effective implementation of the CIS Controls — with a structured approach and practical consulting. This enables security gaps to be closed in a targeted manner, priorities to be set correctly, and cybersecurity to be strengthened in a measurable and sustainable way."

Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
We offer you tailored solutions for your digital transformation
Comprehensive assessment of your current security status against the CIS Controls.
Structured implementation of the prioritized CIS Controls in your organization.
Choose the area that fits your requirements
Financial institutions face strict regulatory requirements for cloud usage. We support you in implementing BaFin requirements, DORA obligations, EBA outsourcing guidelines, and BSI C5 attestations — so you can leverage cloud advantages securely and compliantly.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). ISO 27001 certification demonstrates that your organisation manages information security risks systematically. ADVISORI guides you from gap analysis through ISMS implementation to successful certification audit.
The CIS Controls are 18 prioritised security measures from the Center for Internet Security based on real-world attack data. Unlike ISO 27001 or NIST CSF, which describe comprehensive management systems, the CIS Controls focus on concrete technical and organisational measures with measurable impact. Version 8 contains 153 individual safeguards prioritised through Implementation Groups (IG1–IG3) according to organisation size and risk profile. Studies show that IG 1 alone addresses approximately 85% of the most common cyber attacks.
The Implementation Groups tier the 153 safeguards by complexity and resource requirements. IG 1 encompasses 56 foundational safeguards for every organisation — even without a dedicated security team. IG 2 expands to 130 safeguards for organisations with IT security staff and sensitive data. IG 3 covers all 153 safeguards and targets organisations with a high risk profile, such as those in regulated industries like financial services or critical infrastructure. Each group builds cumulatively on the previous one.
The 18 controls in CIS v8 are: 1) Inventory and Control of Enterprise Assets, 2) Inventory and Control of Software Assets, 3) Data Protection, 4) Secure Configuration of Enterprise Assets and Software, 5) Account Management, 6) Access Control Management, 7) Continuous Vulnerability Management, 8) Audit Log Management, 9) Email and Web Browser Protections, 10) Malware Defenses, 11) Data Recovery, 12) Network Infrastructure Management, 13) Network Monitoring and Defense, 14) Security Awareness and Skills Training, 15) Service Provider Management, 16) Application Software Security, 17) Incident Response Management, and 18) Penetration Testing.
Our implementation follows five phases: First, we conduct an assessment that evaluates your current security posture against the CIS Controls and identifies gaps. Then we prioritise controls based on your risk profile and the appropriate Implementation Group. In the third phase, we carry out phased implementation — from basic controls through foundational to organisational controls. Next, we establish monitoring and measurement systems for ongoing operations. The fifth phase ensures continuous improvement and maturity advancement.
The CIS Controls map directly to ISO 27001 Annex A controls and NIST CSF 2.0 categories. The Center for Internet Security provides official mapping documents linking each safeguard to corresponding controls in other frameworks. For organisations that have already implemented ISO 27001 or NIST CSF, this means many CIS requirements are already covered. ADVISORI performs cross-framework mapping, identifies overlaps and gaps, and thereby reduces the overall effort for multiple compliance requirements.
The CIS Controls are applicable across industries but are particularly relevant for financial services (regulatory requirements, DORA, PCI DSS), healthcare (patient data, medical devices), critical infrastructure (NIS2), manufacturing (OT security, supply chain) and the public sector. In regulated industries, the CIS Controls serve as demonstrable security standards for regulators. ADVISORI tailors implementation to industry-specific needs and takes sectoral regulation into account.
Duration and effort depend on the target Implementation Group, current maturity level and organisation size. An IG 1 implementation for a mid-sized company typically takes three to six months. IG 2 requires six to twelve months, IG 3 twelve to eighteen months. ADVISORI works with risk-based prioritisation and quick wins: the most effective controls are implemented first to achieve immediate security improvements. An initial gap analysis delivers a reliable effort estimate within two to four weeks.