How mature is your CIS Controls implementation? Our structured assessment evaluates all 18 controls across Implementation Groups IG1 through IG3, identifies gaps, and delivers a prioritized roadmap so you can measurably reduce cyber risk.
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
A regular maturity assessment of CIS Controls should be conducted at least annually to keep pace with the evolving threat landscape and to ensure the effectiveness of security measures.
We follow a structured and proven approach to assessing and continuously improving your CIS Controls implementation.
Inventory of the current CIS Controls implementation
Systematic assessment based on established maturity models
Identification of gaps and improvement potential
Development of prioritized action plans
Implementation of monitoring and control mechanisms
"The systematic maturity assessment of our CIS Controls by ADVISORI not only helped us identify our security gaps, but also develop a clear roadmap for sustainable improvements. The professional approach and the practice-oriented recommendations have significantly strengthened our cybersecurity posture."

Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
We offer you tailored solutions for your digital transformation
Comprehensive assessment of the maturity level of your CIS Controls implementation according to established standards.
Systematic identification of weaknesses and development of targeted improvement measures.
Choose the area that fits your requirements
The 18 CIS Critical Security Controls v8 address over 90% of the most common attack vectors. We guide you through the complete implementation — from gap analysis and Implementation Group prioritization to technical integration into your existing security architecture.
Which of the 18 CIS Controls matter most to your organization? We analyze your specific threat landscape and prioritize security measures based on business criticality. The result: maximum protection with optimal resource allocation — from IG1 essential cyber hygiene to full IG3 coverage.
A CIS Controls maturity assessment systematically measures how completely and effectively your organization implements the 18 CIS Critical Security Controls. Each control is evaluated across the three Implementation Groups (IG1, IG2, IG3) – from essential cyber hygiene to advanced protection. The result clearly shows where your strengths lie and where action is needed. According to CIS studies, organizations with a high maturity level reduce their attack surface by up to 85%. For industries with regulatory requirements like NIS2, DORA, or ISO 27001, the assessment also provides verifiable compliance evidence.
Our assessment follows a structured four-phase model: In Phase 1 (Scoping), we define the assessment scope and assign your organization to the appropriate Implementation Group. Phase 2 (Evidence Collection) includes technical reviews, interviews, and document analysis for all relevant safeguards. In Phase 3 (Maturity Scoring), we evaluate each control on a defined maturity scale and compare results against industry benchmarks. Phase 4 (Roadmap) delivers prioritized measures with a clear timeline and estimated effort. The entire assessment typically takes two to four weeks depending on organization size.
CIS Implementation Groups are a prioritization model that helps organizations progressively implement the 153 safeguards of CIS Controls v8.1. IG1 includes 56 foundational safeguards as essential cyber hygiene – suitable for smaller organizations with limited resources. IG2 expands to 130 safeguards for organizations that handle sensitive data and have dedicated IT teams. IG3 covers all 153 safeguards and targets organizations with a high risk profile, regulatory obligations, and dedicated security teams. The groups build on each other: achieving IG2 requires all IG1 safeguards to be in place.
CIS Benchmarks and CIS Controls assessments are related but distinct instruments. CIS Benchmarks are technical configuration guidelines for specific systems – such as Windows Server, AWS, or Kubernetes. They define secure baseline settings. A CIS Controls assessment, by contrast, evaluates the organization-wide implementation of the 18 overarching security requirements, including processes, governance, and technical measures. In practice, both complement each other: benchmark compliance of individual systems feeds into the overall controls assessment as evidence.
The assessment delivers a detailed maturity report with multiple layers: first, an overall maturity score with industry benchmarking. Then, an individual assessment of each of the 18 controls showing strengths, weaknesses, and specific action items. Additionally, a prioritized roadmap that separates quick wins from strategic projects. For the executive team, we create a summary with risk evaluation and investment recommendations. For the security team, there are technical detail reports with concrete implementation guidance per safeguard.
A full maturity assessment should be conducted at least annually. For significant changes – such as adopting new cloud services, organizational restructuring, or after security incidents – we recommend an event-driven re-assessment. Complementary to full assessments, we establish continuous monitoring of selected KPIs that track the current maturity level between assessments. This way, you detect deviations early and can course-correct before gaps become critical.
The CIS Controls can be systematically mapped to regulatory requirements. For NIS2, the controls cover essential requirements for risk management, incident response, and supply chain security. For DORA (Digital Operational Resilience Act), the assessment supports evidence obligations for ICT risk management and resilience testing. ISO 27001 benefits from clear mapping: many CIS safeguards correspond directly to Annex A controls of the ISO standard. As part of the assessment, ADVISORI creates a multi-standard mapping that shows which regulatory requirements are already fulfilled by your CIS Controls implementation.
Discover how we support companies in their digital transformation
Klöckner & Co
Digital Transformation in Steel Trading

Siemens
Smart Manufacturing Solutions for Maximum Value Creation

Festo
Intelligent Networking for Future-Proof Production Systems

Bosch
AI Process Optimization for Improved Production Efficiency

Is your organization ready for the next step into the digital future? Contact us for a personal consultation.