No controls match your search.
▼
Domain 1: Inventory and Control of Enterprise Assets
CIS 1
▼
1.1
Establish and Maintain Detailed Asset Inventory
Immediate
CIS 1
Does the business maintain a complete, up-to-date inventory of all IT assets, including: end-user devices (including BYOD and mobile), network devices, servers (virtual, physical, and cloud), and third-party assets regularly connected to the network?
Why It Matters
You cannot protect what you cannot see. Without an asset inventory, the business has no visibility over what is connected to its environment. Breaches involving unknown assets are significantly harder to detect and remediate, and incident response cannot scope the impact of an attack without a baseline.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A basic inventory exists, typically a spreadsheet or shared document, covering end-user devices and servers. However, it is manually maintained, updated irregularly, and likely incomplete - missing cloud instances, BYOD devices, or third-party connected assets. Coverage is estimated at 50-70% of the actual estate.
Evidencea spreadsheet or document listing known assets with at least device name, OS, and owner.
▼
L2
Repeatable
A complete, centralised inventory covers all asset categories: endpoints, servers (physical, virtual, and cloud), network devices, cloud infrastructure, and third-party connected assets. It is reviewed and updated at least bi-annually, with each record capturing: network address, hardware address/serial number, device name, asset owner, department, OS version, and purchase date. A nominated owner is responsible for accuracy. The inventory is maintained in a dedicated CMDB or asset management tool (e.g., Lansweeper, ServiceNow, Snipe-IT) and reconciled across multiple sources (endpoint management, cloud platform inventories, network scans). A directory service such as Active Directory or Entra ID may be an input to the inventory but is not sufficient as the sole source, as it does not cover network devices, cloud infrastructure, or unmanaged assets.
EvidenceCMDB or asset management tool export with timestamped updates showing 90%+ coverage across all asset categories; confirmation that multiple sources have been reconciled.
▼
L3
Defined
The inventory is fully automated using discovery tooling (e.g., Lansweeper, Qualys CSAM, Rumble/runZero) that scans across on-premises networks, cloud environments (AWS, Azure, GCP), and remote endpoints. New assets are detected and added automatically. Cloud infrastructure is inventoried via native tools (e.g., AWS Config, Azure Resource Graph). A formal policy governs asset addition, removal, transfer, and disposal. The inventory is reconciled against network scans and cloud platform exports at least quarterly, with discrepancies investigated within a defined SLA (e.g., 5 business days). Coverage target: 98%+ with documented exceptions.
Evidenceautomated discovery tool reports, cloud asset inventory exports, reconciliation logs, published asset management policy with version history, and annual review sign-off.
▼
1.2
Manage Unauthorised and Unmanaged Devices
Medium
CIS 1
Does the business identify and manage devices that are not under corporate control, including rogue devices on the network and personal (BYOD) devices accessing corporate data? Are unmanaged devices either brought under management, restricted to limited access, or blocked?
Why It Matters
Unauthorised and unmanaged devices represent an uncontrolled attack surface. Rogue devices on the network can introduce malware and enable lateral movement. Personal devices accessing corporate data without MDM controls create significant risk of data leakage, as the business cannot enforce encryption, restrict data sharing, or remotely wipe a lost or compromised device. In modern cloud-first environments, conditional access and device compliance policies are the primary mechanism for addressing both risks.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
The business is aware of the risk from unauthorised and unmanaged devices and has taken some steps, but the approach is inconsistent. Some BYOD devices may be enrolled in MDM (e.g., Microsoft Intune, Jamf, VMware Workspace ONE), but coverage is partial - typically less than 60%. There is no systematic process for detecting rogue devices on the network, and reviews happen reactively rather than on a schedule.
EvidenceMDM console showing at least some enrolled devices; or emails, tickets, or notes referencing at least one instance of an unauthorised device being identified and acted upon.
▼
L2
Repeatable
An MDM or MAM solution is deployed centrally covering all known BYOD and corporate mobile devices (90%+ coverage). Minimum security controls are enforced at enrolment: screen lock, device encryption, remote wipe, and access limited to permitted apps. Conditional access or NAC policies prevent unmanaged devices from accessing corporate resources. For cloud-first environments, conditional access with device compliance policies (e.g., Intune compliance + Entra ID conditional access) is the primary enforcement mechanism. Unauthorised device reviews are conducted on a defined schedule (e.g., quarterly) for any environment with physical network access.
EvidenceMDM compliance dashboard showing enrolled device count vs total; conditional access policy configuration blocking non-compliant devices; quarterly review records for network-connected environments.
▼
L3
Defined
A formal BYOD and device management policy is in place, communicated to all users, and reviewed annually. All BYOD users sign an acceptable use agreement before enrolment. MDM enforces: encryption, application allow-listing, corporate data containerisation, remote wipe, and automatic compliance checks. Non-compliant devices are automatically blocked from accessing corporate resources. For environments with physical network infrastructure, detection is continuous or near-real-time using NAC (e.g., Cisco ISE, Aruba ClearPass, Forescout, or 802.1X) with automated quarantine. Device compliance is reported monthly. Targets: 100% compliant enrolled devices; unmanaged devices blocked within 1 hour of detection.
Evidencesigned user agreements, MDM compliance reports, conditional access configuration, NAC configuration (where applicable), automated alert and quarantine logs, policy document with version history, and annual review sign-off.
▼
1.4
Hardware Maintenance Contracts
Medium
CIS 1
Does the business ensure active hardware maintenance contracts are in place for all critical system components, with renewal dates tracked and contracts stored centrally?
Why It Matters
Critical hardware without active maintenance contracts may become unserviceable or fall out of vendor support without warning. Extended downtime, inability to obtain replacement parts, and loss of vendor security patches can result from lapsed contracts.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some hardware maintenance contracts exist for key systems, but records are kept informally without a central register. Renewal dates are not proactively tracked.
Evidencecopies of at least some active hardware maintenance contracts, even if held informally across teams.
▼
L2
Repeatable
All critical hardware components have active maintenance contracts. A central register records: component name, vendor, contract number, SLA terms, renewal date, and contract owner. The register is reviewed at least annually, with renewal actions initiated 60-90 days before expiry.
Evidencecentral register with timestamps, renewal activity log, and annual review sign-off.
▼
L3
Defined
The contract register is integrated into broader asset and vendor management. Automated reminders are set for renewals (e.g., 90 and 30 days in advance). A formal review assesses whether SLA terms remain appropriate for each component's criticality. Gaps in coverage (e.g., end-of-life hardware) are escalated with a documented risk decision.
Evidencecontract management tool or CMDB records, automated renewal alerts, documented risk decisions for uncovered assets, and annual review sign-off.
▼
Domain 2: Inventory and Control of Software Assets
CIS 2
▼
2.1
Ensure Operating Systems Are Currently Supported
Immediate
CIS 2
Does the business ensure all operating systems (server, desktop, and cloud instances) are within vendor support and receiving security patches? Where end-of-life operating systems remain in use, is there a documented exception with compensating controls, management sign-off, and a funded migration plan?
Why It Matters
End-of-life operating systems receive no security patches, creating a permanently vulnerable attack surface. Threat actors actively scan for and exploit known vulnerabilities in unsupported OS versions (e.g., Windows Server 2012 R2, Windows 7, unsupported Linux distributions). Unlike application vulnerabilities, an unsupported OS cannot be mitigated by patching - the only resolution is migration. Every day an end-of-life OS remains in production increases the risk of exploitation.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
The BU has some awareness of OS versions in use but no systematic tracking against vendor support lifecycle dates. End-of-life operating systems may be present without documentation or a migration plan. Checks are reactive rather than scheduled.
Evidencea list or asset inventory export showing OS versions in use, with confirmation that at least the majority of systems are running supported versions.
▼
L2
Repeatable
All operating systems across the estate (servers, desktops, cloud instances) are tracked against vendor support lifecycle dates. The OS inventory is reviewed at least bi-annually. Any end-of-life OS instances are logged in a formal exception register with: compensating controls (e.g., network isolation, enhanced monitoring), management sign-off, and a defined migration timeline. New deployments on OS versions within 12 months of end-of-support are prohibited.
EvidenceOS version inventory with vendor support end-dates; exception register with management approvals and migration timelines; deployment policy confirming restriction on near-EOL versions.
▼
L3
Defined
OS lifecycle status is tracked continuously using endpoint management or vulnerability tooling (e.g., Intune, SCCM, Qualys, Tenable, Lansweeper) that flags end-of-life or approaching-EOL operating systems automatically. Alerts are generated when OS versions enter the final 12 months of vendor support. All exceptions are subject to formal risk acceptance with a named owner, funded migration plan, defined remediation date, and quarterly review. Target: zero end-of-life operating systems in production, or 100% covered by mitigated exceptions with active migration plans.
Evidenceautomated OS lifecycle reports from endpoint/vulnerability tooling, exception register with named owners and migration dates, quarterly exception review records, and annual process review sign-off.
▼
2.2
Address Unauthorised Software
Medium
CIS 2
Does the business perform at least quarterly scans across all assets to confirm no unsupported or unauthorised software is present without a documented exception?
Why It Matters
Unauthorised software, including shadow IT, cracked tools, and known-vulnerable applications, is a common initial access vector for ransomware operators. Without scanning and detection, any software can be installed and run without the business being aware.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some software review is conducted, but coverage is incomplete - only a subset of endpoints are scanned, or reviews rely on manual spot-checks rather than tooling.
Evidencescan outputs or manual review records covering at least a subset of devices.
▼
L2
Repeatable
Automated software scans run across all managed assets at least quarterly using endpoint management or vulnerability tooling (e.g., Microsoft Intune, Qualys, Tenable.io, or EDR with software inventory). Unauthorised applications are removed or blocked within a defined timeframe. Exceptions are documented with owners and compensating controls.
Evidencequarterly scan reports showing 95%+ asset coverage, remediation tickets with closure dates, and exception log with management approvals.
▼
L3
Defined
Software control is continuous. An application allow-listing or deny-listing solution (e.g., AppLocker, WDAC, or equivalent) prevents unauthorised software from executing. EDR provides real-time visibility into running software. The formal process is documented, approved, and reviewed annually. Exception reviews are conducted quarterly, with overdue exceptions automatically escalated. Targets: 100% of assets with compliant software; zero unreviewed exceptions older than 12 months.
Evidenceallow-listing policy configuration, EDR software inventory dashboards, exception register with age tracking, and annual process review sign-off.
▼
Domain 3: Data Protection
CIS 3
▼
3.1
Establish and Maintain a Data Management Process
High
CIS 3
Does the business maintain a documented data management process that covers: data types processed (e.g., PII, ePHI), roles and responsibilities, storage locations, retention limits, disposal requirements, and named data owners?
Why It Matters
Without a data management process, the business cannot identify what data it holds, where it is stored, or what obligations apply. This creates significant risk of regulatory breach (GDPR, HIPAA), inability to respond to data subject requests, and poor incident response when data is compromised.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
An informal data management approach exists. Key individuals have awareness of what data the business handles, but this is not documented or shared consistently across teams.
Evidenceany informal documentation or written record describing what data the business handles.
▼
L2
Repeatable
A documented data management process identifies: data types processed (e.g., PII, financial data, ePHI), roles and responsibilities, storage and backup locations, retention periods, and data owners. The process is applied in practice and staff are aware of it, though review may not yet follow a formally defined cycle.
Evidencedata management policy document with creation or last-modified date; data flow diagram or equivalent.
▼
L3
Defined
The process is formally documented, approved by senior management, communicated to all relevant staff, and reviewed at least annually. Regulatory requirements (e.g., GDPR Article 30 ROPA, HIPAA) are explicitly referenced. Data owners are named individuals. Annual review evidence is retained.
Evidencesigned policy with version history, named data owners per data type, ROPA or equivalent, staff communication records, and annual review sign-off.
▼
3.2
Establish and Maintain a Data Inventory
Medium
CIS 3
Does the business maintain a data inventory that captures all data it stores, processes, or transmits, including where data is held and who owns it, and keep it current through regular reviews?
Why It Matters
Without a data inventory, compliance with data subject access requests, breach notification obligations, and data minimisation principles is practically impossible. The business cannot protect data whose existence and location it does not know.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some awareness of data holdings exists but is undocumented or informal. Staff may broadly know what systems hold key data, but there is no structured inventory.
Evidenceany informal record showing where key data types are stored, even if incomplete.
▼
L2
Repeatable
A data inventory is maintained in a centralised tool or structured document (e.g., spreadsheet, OneTrust, ServiceNow). It covers all known data types and processing activities but may not be reviewed on a defined frequency.
Evidencecompleted data inventory with data types, locations, owners, and retention periods; timestamp of last update.
▼
L3
Defined
The inventory is reviewed and updated at least annually, or whenever new systems or processing activities are introduced. Staff responsible for data management receive training on classification and cataloguing. The inventory is cross-referenced with access control lists for consistency. Targets: all data assets inventoried; last review date tracked per record.
Evidenceinventory tool with audit trail, staff training records, and annual review sign-off with named reviewer.
▼
3.3
Configure Access Control Lists
High
CIS 3
Does the business define and maintain access control lists (ACLs) based on job function and need-to-know, including third-party access, and enforce the principle of least privilege across all systems?
Why It Matters
Without access control lists, users may have unrestricted access to data across systems. This creates high risk of data exposure, insider threat, and excessive blast radius in the event of account compromise. A single compromised account gains access to everything.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Access controls exist but are applied case-by-case without a defined access model or role matrix. Least privilege is not systematically applied.
Evidenceaccess request emails or IT tickets showing access was considered and approved, even if inconsistently.
▼
L2
Repeatable
Role-based ACLs are defined and applied consistently for all user and administrator accounts. Access is granted based on job function (need-to-know) and least privilege is enforced. Third-party access is scoped appropriately.
EvidenceRBAC matrix or role definitions; IAM or directory service showing access assignments per role.
▼
L3
Defined
ACLs are formally documented in a role and permission matrix, approved and reviewed at least annually. User access reviews are conducted at least annually, with additional reviews triggered by role changes, leavers, and temporary privilege elevation. Time-limited access is enforced for elevated privileges using PAM or equivalent. Targets: 100% of accounts reviewed in last 12 months; excessive permissions identified and remediated.
Evidenceaccess review records with manager sign-off, RBAC matrix with version history, and PAM tool audit logs.
▼
3.4
Enforce Data Retention
High
CIS 3
Does the business retain data in line with its data management process and applicable regulatory requirements, with defined retention periods per data type and regular reviews to confirm data is not held beyond those periods?
Why It Matters
Retaining data beyond its lawful basis creates regulatory risk (e.g., GDPR breach), increases the volume of data in scope during a breach, and may breach legal hold obligations. Conversely, deleting data too early can create legal and operational risk.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Data deletion occurs on an ad hoc basis, typically driven by storage constraints rather than policy. Regulatory requirements have not been formally considered.
Evidenceany records of data deletion activity, even if ad hoc - e.g., IT tickets or emails confirming cleanup occurred.
▼
L2
Repeatable
A retention policy specifies retention periods for different data categories, informed by applicable regulatory requirements. The policy is applied consistently across systems but compliance is not actively audited.
Evidencedata retention schedule showing data types, retention periods, and regulatory basis; policy sign-off.
▼
L3
Defined
The retention policy is formally documented, approved, communicated, and reviewed at least annually. Retention is enforced through technical controls where possible (e.g., Microsoft Purview retention labels, S3 lifecycle policies, automated deletion workflows). Regular compliance audits confirm data is not retained beyond defined periods. Legal hold processes are documented separately. Targets: 100% of data assets with defined retention periods; zero overdue deletions.
Evidenceautomated retention policy configuration, audit reports with findings and remediation actions, and annual policy review sign-off.
▼
3.5
Securely Dispose of Data
Medium
CIS 3
Does the business securely dispose of data in accordance with its data management process, using recognised sanitisation methods and maintaining disposal records as evidence?
Why It Matters
Devices disposed of without data sanitisation are a well-documented and recurring source of data breaches. Hard drives sold on secondary markets, donated equipment, and recycled hardware have all been found to contain residual sensitive data in widely reported incidents.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some effort is made to delete data before device disposal (e.g., factory reset, manual deletion), but this is not formalised or verified. No records are kept.
Evidenceany confirmation that data deletion was attempted before disposal - e.g., an email, verbal confirmation, or basic checklist.
▼
L2
Repeatable
A secure disposal process applies recognised sanitisation methods (NIST SP 800-88: Clear, Purge, Destroy). For sensitive data, cryptographic erasure or physical destruction is used. The process is applied consistently for all assets containing sensitive or customer data.
Evidencedisposal procedure document; records showing sanitisation method used per asset.
▼
L3
Defined
Secure disposal is formally documented, approved, communicated, and reviewed annually. A record is maintained for every disposal: asset ID, sanitisation method, date, and person responsible. For physical destruction, certificates of destruction are obtained and retained. Third-party disposal vendors are assessed before engagement. Targets: 100% of retired assets with a completed disposal record; zero unaccounted-for retired assets.
Evidencedisposal register with chain of custody, certificates of destruction, vendor assessment records, and annual policy review sign-off.
▼
3.6
Encrypt Data on End-User Devices
High
CIS 3
Does the business apply full-disk encryption to all end-user devices that store sensitive data (e.g., BitLocker, FileVault, dm-crypt), with centralised monitoring to confirm coverage and an exception process for any devices where encryption cannot be applied?
Why It Matters
A lost or stolen unencrypted laptop or mobile device provides direct, unimpeded access to all stored files, emails, and credentials. Device theft and loss is one of the most common causes of reportable data breaches and one of the easiest to prevent.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Encryption is deployed on some end-user devices (e.g., BitLocker on company laptops) but coverage is incomplete. BYOD and mobile devices may lack encryption, with no central visibility.
Evidenceconfirmation that encryption is enabled on at least some devices - e.g., BitLocker/FileVault status screenshot or MDM report showing partial coverage.
▼
L2
Repeatable
Full-disk encryption is deployed on all managed end-user devices using centrally managed tooling (e.g., BitLocker via Intune, FileVault via Jamf). Encryption status is monitored centrally and unencrypted devices are flagged for remediation. Encryption keys are escrowed centrally.
EvidenceMDM/endpoint management compliance dashboard showing encryption status across all enrolled devices; target 95%+ coverage.
▼
L3
Defined
Encryption compliance is enforced as a prerequisite for network or resource access via conditional access policies. A formal policy governs encryption requirements and includes an exception process with compensating controls. Recovery keys are escrowed in a secure, access-controlled location (e.g., Entra ID, Jamf). Targets: 100% of in-scope devices encrypted; zero unmitigated exceptions; 100% key escrow coverage.
Evidenceconditional access policy configuration, MDM encryption compliance report, exception register, key escrow audit log, and annual policy review sign-off.
▼
3.7
Encrypt Data in Transit
High
CIS 3
Does the business ensure all data in transit is encrypted using current, supported protocols, with TLS 1.2 as the minimum standard, legacy protocols (TLS 1.0, 1.1, SSL) disabled, and certificates managed through a defined lifecycle process?
Why It Matters
Data transmitted in cleartext can be intercepted by any actor with access to the network path - whether through a compromised network device, a man-in-the-middle position, or monitoring of unencrypted Wi-Fi. Internal traffic is not exempt: lateral movement following an initial compromise frequently involves intercepting unencrypted internal communications to harvest credentials and sensitive data. TLS 1.0 and 1.1 have known vulnerabilities and are deprecated by all major browser vendors and standards bodies. Expired or misconfigured certificates can be exploited to intercept traffic and cause service outages.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
HTTPS is enabled on most externally facing services, but there is no systematic approach to ensuring all traffic is encrypted. Internal traffic between systems may be unencrypted. Legacy TLS versions (1.0, 1.1) or SSL may still be enabled on some services. Certificate management is ad hoc, with certificates tracked manually or discovered only when they expire.
Evidenceconfirmation that key external services use HTTPS - e.g., SSL Labs scan results or browser padlock verification for primary web properties.
▼
L2
Repeatable
TLS 1.2 is the minimum enforced standard across all externally facing services. TLS 1.0, 1.1, and SSL are disabled. Internal traffic between critical systems (e.g., application-to-database, service-to-service, management traffic) is encrypted. A certificate inventory tracks all certificates with expiry dates, and renewals are managed proactively. HTTPS is enforced via redirection or HSTS on all web services. Email transport encryption (opportunistic TLS) is enabled for all outbound email.
EvidenceSSL/TLS configuration scan results (e.g., SSL Labs, Qualys SSL) confirming TLS 1.2+ on external services; certificate inventory with expiry tracking; HSTS configuration; mail flow TLS reports.
▼
L3
Defined
TLS 1.3 is prioritised where supported, with TLS 1.2 as fallback. Certificate lifecycle is automated using ACME (e.g., Let's Encrypt, Venafi, DigiCert) with automated renewal and alerting for certificates approaching expiry. Internal service-to-service communication uses mutual TLS (mTLS) or equivalent for authentication and encryption. Cipher suites are reviewed and hardened (weak ciphers disabled, forward secrecy enforced). Regular external scanning validates configuration. Cloud services enforce encryption in transit via provider controls (e.g., AWS ALB policies, Azure Application Gateway, Cloudflare). Targets: zero services accepting TLS 1.1 or below; zero expired certificates; 100% of external services at A or A+ on SSL Labs; internal critical-path traffic encrypted.
Evidenceautomated certificate management tool reports, SSL/TLS scan results with ratings, cipher suite configuration, mTLS deployment records, cloud encryption policy configuration, and annual review sign-off.
▼
3.8
Establish and Govern AI Usage
High
Unmapped
Does the business maintain an AI acceptable use policy, an inventory of approved AI tools, and technical controls to prevent sensitive or classified data from being input into AI systems without appropriate safeguards?
Why It Matters
Generative AI tools (ChatGPT, Copilot, Gemini, Claude, and AI features embedded in SaaS products) create a new data leakage vector that traditional security controls do not address. Staff pasting customer data, source code, financial records, or internal documents into AI tools are sharing that data with an external service, often in ways that bypass DLP, access controls, and data classification policies. The risk is compounded by shadow AI adoption, where business units procure AI tools without IT or security visibility. Unlike traditional data exfiltration, AI-related data leakage is typically unintentional and driven by productivity rather than malice, making it harder to detect without specific controls.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
The business is aware of AI usage among staff but has no formal policy or inventory of tools in use. Individual teams may be using AI tools without central visibility. There are no technical controls preventing sensitive data from being input into AI systems.
Evidenceacknowledgement from IT or security leadership that AI tools are in use or likely in use, even if no formal assessment has been conducted.
▼
L2
Repeatable
A documented AI acceptable use policy defines which AI tools are approved for business use, what data classifications are permitted as input (referencing the data classification scheme), and what restrictions apply. An inventory of sanctioned AI tools is maintained, including details of data processing, storage, and retention by each provider. Unsanctioned AI tools are blocked or restricted via web filtering or conditional access. Staff have been made aware of the policy. AI-enabled features in existing SaaS and third-party products are identified and assessed as part of supplier review.
EvidenceAI acceptable use policy with approval date; inventory of sanctioned AI tools with data processing details; web filtering or access control configuration blocking unsanctioned tools; staff communication records; supplier AI assessment records.
▼
L3
Defined
Technical controls enforce the AI usage policy. DLP or endpoint controls (e.g., Microsoft Purview, Nightfall AI, or equivalent) monitor and restrict sensitive data being input into AI tools. AI usage is logged and auditable. AI-specific risk assessments are conducted for all new AI tool adoptions, covering: data residency, model training on input data, sub-processor usage, and regulatory compliance. The policy is reviewed at least annually and updated as the AI landscape evolves. AI usage metrics are reported to management. For businesses developing AI-enabled products, responsible AI practices (bias testing, transparency, human oversight) are integrated into the development lifecycle. Targets: 100% of AI tools inventoried and assessed; zero unapproved AI tools accessible; DLP coverage across all primary AI interaction channels.
EvidenceDLP configuration and alert logs for AI tools, AI tool inventory with completed risk assessments, AI usage audit logs, annual policy review sign-off, and management reporting on AI usage metrics.
▼
Domain 4: Secure Configuration of Enterprise Assets and Software
CIS 4
▼
4.1
Establish and Maintain Secure Configuration and Cloud Security Posture
High
CIS 4
Does the business establish and maintain secure configuration baselines for all enterprise assets (on-premises and cloud), including deployment of cloud security posture management (CSPM) or CNAPP tooling for cloud environments to continuously identify and remediate misconfigurations?
Why It Matters
Default vendor configurations frequently include default credentials, unnecessary open ports, and enabled services that are not required. These are widely known and actively exploited by attackers. In cloud environments, the risk is amplified: a single misconfiguration (a public storage bucket, an overly permissive IAM role, an exposed management API) can expose data or provide an initial foothold without any need to exploit a software vulnerability. Cloud misconfigurations are consistently among the top causes of data breaches in cloud-hosted environments.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some hardening has been applied to key systems, but there is no formal baseline or standard. Configuration is applied inconsistently across the estate. For cloud environments, security relies on provider defaults with no systematic review of configuration against best practice. No CSPM or CNAPP tooling is in place.
Evidenceconfirmation that at least some systems have been hardened beyond defaults - e.g., screenshots of disabled services, changed default credentials, or basic cloud security settings reviewed.
▼
L2
Repeatable
Documented secure configuration baselines exist for all major asset types (servers, endpoints, network devices) referencing recognised standards (e.g., CIS Benchmarks, DISA STIGs, vendor hardening guides). Baselines are applied consistently to new deployments. For cloud environments, a CSPM or CNAPP solution (e.g., Wiz, Orca, Prisma Cloud, Microsoft Defender for Cloud, AWS Security Hub) is deployed across all cloud accounts and subscriptions, scanning for misconfigurations against a defined policy set. Critical findings are remediated within a defined SLA. Configuration baselines and cloud posture are reviewed at least annually.
Evidencedocumented baselines with review dates; CSPM/CNAPP dashboard showing coverage across cloud accounts; critical finding remediation records; annual review sign-off.
▼
L3
Defined
Configuration compliance is monitored continuously using configuration management and CSPM/CNAPP tooling. Drift from baselines triggers automated alerts. Cloud security policies enforce preventive guardrails (e.g., AWS SCPs, Azure Policy, GCP Organisation Policies) that block non-compliant deployments before they reach production. Infrastructure-as-Code templates are pre-validated against security baselines. CSPM/CNAPP findings are integrated with SIEM for centralised visibility. Targets: 100% of cloud accounts covered by CSPM; critical misconfigurations remediated within 48 hours; zero public-facing storage or databases without explicit approval.
EvidenceCSPM/CNAPP coverage and findings reports, preventive guardrail configuration, IaC security scanning records, SIEM integration, drift detection alerts, and annual process review sign-off.
▼
4.2
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Medium
CIS 4
Does the business maintain a secure configuration baseline for all network devices (cloud and on-premises) that requires secure management protocols (SSH, HTTPS) and explicitly prohibits insecure protocols such as Telnet, HTTP, and FTP?
Why It Matters
Compromised network devices (routers, switches, firewalls) provide an attacker with a persistent, privileged position enabling full traffic interception and lateral movement across the entire environment. Network infrastructure is a high-value, high-impact target.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some network devices use secure protocols (e.g., SSH instead of Telnet), but this is applied inconsistently. Configuration changes lack a formal process and default credentials may exist on some devices.
Evidenceconfirmation that secure protocols are in use on at least some network devices - e.g., device configuration extracts or administrator confirmation.
▼
L2
Repeatable
A documented secure configuration baseline for network devices is defined and applied consistently. All management access uses secure protocols only (SSH, HTTPS, SNMPv3). Insecure protocols are explicitly disabled. Configurations are version-controlled. Baselines are reviewed at least annually.
Evidencenetwork device configuration standard; configuration backup records; protocol audit confirming no insecure protocols active.
▼
L3
Defined
Network device configurations are continuously monitored using configuration management tools (e.g., Cisco DNA Center, Ansible, SolarWinds NCM). Unauthorised changes generate alerts and are investigated within a defined SLA. Cloud network infrastructure follows the same standards via IaC templates. The process is formally documented and reviewed annually. Targets: 100% compliance with baseline; unauthorised changes tracked per quarter.
Evidenceconfiguration management audit logs, change detection alerts, IaC templates with embedded security controls, and annual process review sign-off.
▼
4.3
Implement and Manage Host-Based Firewalls
High
CIS 4
Does the business deploy and manage host-based firewalls on all servers and end-user devices, with rules documented, a default-deny posture enforced, and logs monitored?
Why It Matters
Servers without host-based firewalls expose all ports and services to the network, making management ports (RDP, SSH, database) a common ransomware entry point. End-user devices without firewalls enable lateral movement if any single device is compromised. Host-based firewalls provide a critical defence-in-depth layer, particularly for devices connecting from untrusted networks.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Firewalls are enabled on some servers and end-user devices but without consistent rule sets, central management, or review. Users may be able to disable the firewall. Rules may have accumulated without justification. Logs are not monitored.
Evidenceconfirmation that a firewall is enabled on at least some servers and endpoints - e.g., OS-level firewall status or MDM status showing firewall active on sampled devices.
▼
L2
Repeatable
Host-based firewalls are enabled on all managed servers and end-user devices using centralised management (e.g., GPO, Intune security baselines, Jamf). A default-deny inbound posture is enforced. Rule sets are documented and reviewed at least annually. User configuration changes are blocked via policy on endpoints.
Evidenceendpoint management compliance report showing firewall status across servers and endpoints (target: 95%+ compliant); firewall rule documentation with review dates.
▼
L3
Defined
Firewall rules are managed centrally using policy-based tools (e.g., GPO/Intune for endpoints, cloud security groups with IaC for servers). Endpoint firewall compliance is enforced as a condition of network access via conditional access or NAC. Rule reviews are conducted at least annually with approvals documented. Logs are forwarded to a SIEM. Permitted exceptions are formally documented with annual review. Targets: 100% of managed devices and servers compliant; all rule exceptions reviewed; zero unreviewed exceptions older than 12 months.
EvidenceGPO/policy configuration reports, conditional access/NAC policy, annual rule review records, SIEM alert logs, exception register, and firewall compliance dashboard.
▼
4.5
Change Management
Medium
CIS 4
Does the business operate a change management process covering all assets and software that requires: documented impact assessments and rollback procedures, formal approvals, a full audit trail, and pre-production testing for changes to critical systems?
Why It Matters
Uncontrolled changes to systems, software, and configuration significantly increase the risk of service disruption, security regressions, and inability to identify the root cause of incidents. Without change management, there is no audit trail and no rollback capability.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Change management exists informally. Some changes are communicated via email or team meetings, but there is no standard format, formal approval gate, or consistent requirement to test before deployment.
Evidenceemails, chat messages, or meeting notes showing that at least some changes were communicated before implementation.
▼
L2
Repeatable
A change management process is consistently followed. Each change is documented with: description, date, impact assessment, rollback procedure, and approval. Changes to critical systems are tested in a non-production environment. A central change log is maintained.
Evidencechange management tool records (e.g., ServiceNow, Jira) showing required fields completed; approval records; non-production test evidence.
▼
L3
Defined
The process is formally documented, approved, and reviewed annually. Changes are categorised by risk (standard, normal, emergency) with proportionate controls. A Change Advisory Board or equivalent approves high-risk changes. Emergency changes include post-implementation review. All changes are logged with full audit trail. Targets: 100% of changes following formal process; failed change rate and rollback rate tracked.
Evidencechange management policy with version history, CAB meeting records, change log exports, failed change post-mortems, and annual process review sign-off.
▼
Domain 5: Account Management
CIS 5
▼
5.1
Establish and Maintain an Inventory of Accounts
Immediate
CIS 5
Does the business maintain a complete inventory of all accounts, user and administrator, covering: full name, username, onboarding/offboarding dates, department, account creation date, access level, and location (cloud/on-premises)?
Why It Matters
Without a complete account inventory, the business cannot identify all accounts with access to its systems. Dormant accounts, orphaned accounts after staff departures, and over-privileged service accounts are among the most commonly exploited vectors in breaches.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A partial account inventory exists (e.g., a spreadsheet of known users), but it does not include all account types - missing cloud, service, or contractor accounts - and is not regularly updated.
Evidencea directory export, HR system extract, or spreadsheet listing at least some accounts, even if incomplete.
▼
L2
Repeatable
A complete, centralised account inventory covers all user and administrator accounts across all environments. The inventory includes all seven required fields and is reviewed and reconciled at least quarterly. The inventory is compiled from multiple sources: HR system (for expected accounts), directory services (for managed accounts), SaaS admin consoles (for cloud application accounts), and local account audits (for accounts outside central directories). A single IAM or directory export is not sufficient as the sole source, as it does not capture local accounts, SaaS-only accounts, service accounts created directly in applications, or contractor accounts in third-party systems.
Evidenceaccount inventory reconciled across HR, directory, and SaaS sources; quarterly review records showing discrepancies identified and resolved.
▼
L3
Defined
Account inventory is maintained automatically through HR system integration (joiners/movers/leavers feed), directory services, cloud IAM platforms, and SaaS management tools (e.g., SaaS Security Posture Management). Terminated accounts are flagged within 24 hours of HR trigger. Reconciliation across all sources identifies discrepancies (e.g., active accounts with no HR record, SaaS accounts outside SSO, orphaned local accounts). Orphaned accounts are resolved within a defined SLA (e.g., 5 days). Targets: 100% reconciled per cycle; zero accounts with missing required fields; all account sources covered.
EvidenceHR-to-IAM integration logs, multi-source reconciliation reports, orphaned account remediation records, SaaS account audit, and quarterly review sign-offs.
▼
5.2
Use Unique Passwords
Immediate
CIS 5
Does the business require and technically enforce unique passwords for all accounts, meeting minimum complexity requirements (12 characters for standard users, 18 characters for administrator and service accounts), with enhanced controls for privileged credentials?
Why It Matters
Weak, reused, and shared passwords are a primary enabler of credential-based attacks including phishing, brute force, and credential stuffing. These are consistently among the top attack vectors in major breaches worldwide. Compromised administrator credentials provide attackers with immediate, widespread access, making enhanced password requirements for privileged accounts essential.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A password policy exists but is not fully enforced technically. Enforcement may rely on user awareness for some systems. Some accounts may use shared or below-complexity credentials. Administrator accounts may not have differentiated password requirements.
Evidencea written password policy document, even if technical enforcement is incomplete.
▼
L2
Repeatable
Password complexity requirements are technically enforced centrally via directory services: minimum 12 characters (uppercase, number, special character) for standard users, and minimum 18 characters for administrator and service accounts (e.g., via Fine-Grained Password Policy in AD). Password history prevents reuse (minimum 10 previous passwords). Shared passwords are prohibited. Service account passwords are unique per service and changed on a defined schedule.
Evidencedirectory service password policy configuration showing standard and enhanced admin policies; service account register with rotation dates.
▼
L3
Defined
Password requirements are enforced across all systems including SaaS and cloud platforms. A password manager (e.g., 1Password, Bitwarden, Keeper) is deployed organisation-wide. NIST SP 800-63B guidance is referenced: length over complexity, screening against breached password lists (e.g., Have I Been Pwned), breach-triggered resets instead of mandatory rotation. Admin and service account credentials are managed through PAM (e.g., CyberArk, BeyondTrust, HashiCorp Vault) with automated rotation, credential vaulting, and just-in-time access. Service accounts use managed identities or certificates where possible. Targets: 100% policy-compliant passwords; 100% password manager adoption; 100% of admin accounts in PAM; zero static service account passwords.
Evidencepassword policy with version history, directory policy configuration, password manager adoption report, PAM tool configuration and rotation logs, managed identity audit, and annual policy review sign-off.
▼
5.3
Disable Dormant Accounts
Medium
CIS 5
Does the business systematically identify and disable dormant accounts, including contractor and third-party accounts, after 45 days of inactivity (or as defined by business policy), across all environments?
Why It Matters
Dormant accounts belonging to former employees, contractors, or decommissioned systems represent a significant risk. Threat actors routinely target dormant credentials in credential stuffing attacks and to establish persistence undetected.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Dormant account cleanup happens occasionally, triggered by ad hoc reviews or audit findings rather than a defined schedule. Cloud and third-party contractor accounts are often overlooked.
EvidenceIT tickets or records showing at least some dormant accounts have been disabled or reviewed.
▼
L2
Repeatable
Dormant accounts are identified and disabled systematically on a defined schedule (at least monthly). Detection covers all environments: on-premises AD, cloud (Entra ID, AWS IAM, GCP), and known SaaS platforms. Accounts inactive for 45 days are flagged and disabled within a defined window.
Evidencedirectory service last logon reports; review records showing accounts flagged and disabled with timestamps.
▼
L3
Defined
Dormant account detection is automated using identity governance tooling (e.g., Entra ID Governance, SailPoint, Saviynt). Accounts meeting the inactivity threshold are automatically disabled, with a review window before permanent deletion. A formal policy defines dormancy thresholds by account type (stricter for admin accounts) and the exception process. Compliance reporting is produced monthly. Targets: dormant accounts trending to zero; automated disablement within 24 hours of threshold breach.
Evidenceidentity governance tool reports, automated disablement logs, exception records, policy with annual review sign-off, and monthly compliance dashboard.
▼
5.4
Restrict Administrator Privileges to Dedicated Administrator Accounts
High
CIS 5
Does the business restrict administrator privileges to dedicated admin accounts, with administrators required to use a separate, non-privileged account for all general activities such as email, browsing, and productivity tasks?
Why It Matters
Administrators using their privileged account for daily activities (browsing, email) mean that any malware or phishing targeting them runs in an administrative context. This enables immediate escalation to full domain or system control, the single most critical endpoint security failure.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Dedicated admin accounts exist for most administrators, but some may still use their privileged account for daily activities such as email and browsing. Admin account usage is not monitored, and there is no formal policy requiring separation.
Evidencedirectory showing dedicated admin accounts exist for at least the majority of administrators, separate from their standard user accounts.
▼
L2
Repeatable
All administrators have dedicated privileged accounts separate from day-to-day standard accounts. Administrators use non-privileged accounts for general computing and elevate only for administrative tasks. Admin credentials are unique per individual.
EvidenceAD user account structure showing separate admin accounts per person; policy prohibiting shared admin credentials.
▼
L3
Defined
Privileged account usage is enforced via a PAW model or equivalent - privileged tasks performed from hardened workstations without internet/email access. Admin accounts are managed through PAM (e.g., CyberArk, BeyondTrust, Delinea, Microsoft PIM) with just-in-time elevation, session recording, and automatic credential rotation. Privileged access reviews are conducted quarterly. Targets: minimal privileged accounts; zero shared admin credentials; 100% of sessions recorded; quarterly review completion.
EvidencePAM tool configuration and session logs, PAW deployment records, quarterly access review sign-offs, and formal privileged account policy with annual review.
▼
5.5
Centralize Account Management
High
CIS 5
Does the business manage all accounts and critical devices through a centralised directory or identity provider (e.g., Active Directory, Entra ID, JumpCloud), with no reliance on unmanaged local accounts?
Why It Matters
Local, unmanaged accounts cannot be centrally monitored, rotated, or revoked. Terminated employees' credentials may persist on devices, and attackers who compromise any device gain locally stored credentials that are invisible to central security tooling.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A directory service or identity provider is in place, but coverage is incomplete. Some devices still use local accounts and not all locations or cloud environments are connected.
EvidenceActive Directory or equivalent showing devices and accounts under management, even if partial.
▼
L2
Repeatable
All known critical devices and systems are joined to or managed through the centralised identity provider. Local accounts are removed or disabled on managed devices (except documented break-glass accounts). Cloud and SaaS applications use SSO where supported.
Evidencedomain join/MDM enrolment reports showing all devices managed; local account audit showing minimal exceptions.
▼
L3
Defined
Centralised account management covers 100% of in-scope devices. A formal process governs new device enrolment, local account management (break-glass accounts escrowed and audited), and SSO/SCIM integration for cloud/SaaS. Access is enforced through conditional access policies tied to device compliance and identity. Targets: 100% of devices managed centrally; zero active unmanaged local accounts (except documented break-glass); SSO coverage tracked.
Evidencedirectory device registration report, local account audit with remediation records, SSO integration list, conditional access configuration, and annual audit sign-off.
▼
Domain 6: Access Control Management
CIS 6
▼
6.1
Establish an Access Granting/Revoking Process
Immediate
CIS 6
Does the business operate a defined process, preferably automated, for granting and revoking logical and physical access upon onboarding, offboarding, and role changes, applying least privilege at all times?
Why It Matters
Without a formal access granting and revoking process, accounts belonging to ex-employees remain active, creating risk of both accidental misuse and deliberate malicious access. Inconsistent provisioning also leads to over-privileged accounts accumulating over time.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Access is granted and revoked, but reactively and ad hoc. Offboarding relies on managers remembering to notify IT. No standard request process or SLA exists.
EvidenceIT tickets or emails showing access requests and revocations have been processed, even if inconsistently.
▼
L2
Repeatable
A defined joiners, movers, and leavers (JML) process is in place. Access is granted based on role and least privilege. Offboarding triggers a defined checklist: account disablement within a defined timeframe, revocation of physical and logical access, and confirmation sign-off. Disabling rather than deleting accounts is acceptable where audit trail preservation is required. Role changes trigger access review.
EvidenceJML process document; onboarding/offboarding checklists with completion records; access request tickets with approval evidence.
▼
L3
Defined
The JML process is automated where possible, integrating HR triggers with IAM and identity governance tools (e.g., Entra ID Governance, SailPoint, Okta Lifecycle Management). Leavers have all access revoked within a defined SLA from termination (target: same business day). Access grants are workflow-driven with manager and data owner approval, scoped via RBAC. Access reviews are automated and triggered by role changes and time elapsed. Targets: revocation within 4 hours for automated; 100% of grants with documented approval.
EvidenceHR-to-IAM integration logs, automated revocation audit trail, access request approval records, quarterly access review reports, and annual process review sign-off.
▼
6.2
Require Multifactor authentication (MFA)
Immediate
CIS 6
Does the business enforce multi-factor authentication (MFA) for: all externally exposed applications, all administrator and privileged accounts, and all remote network access?
Why It Matters
Single-factor authentication provides minimal protection against credential phishing, password spraying, and credential stuffing. Compromised credentials immediately grant full account access with no additional barrier. MFA is the single most effective control against account compromise.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
MFA is enabled for all user accounts, but enforcement relies on manual configuration and periodic verification rather than technical policy. There is no conditional access or equivalent policy guaranteeing MFA is applied consistently. MFA could be disabled on individual accounts without immediate detection. The business relies on manual audits or spot checks to confirm MFA remains enabled.
EvidenceMFA enrolment report showing all users are enrolled; records of manual verification or audit confirming MFA status across accounts.
▼
L2
Repeatable
MFA is enforced for: all externally exposed applications, all administrative and privileged accounts, and all remote access. MFA is enforced via conditional access or equivalent technical policy.
Evidenceconditional access policies showing MFA enforcement scope; MFA enrolment report confirming coverage for all target groups.
▼
L3
Defined
MFA is enforced organisation-wide using phishing-resistant methods where supported (e.g., FIDO2/WebAuthn, Windows Hello for Business, or Authenticator with number matching/passwordless). SMS and voice MFA are deprecated due to SIM-swapping and SS7 risks. A formal MFA policy is documented and reviewed annually. An exception process requires management approval, compensating controls, and a remediation timeline. Targets: 100% MFA enrolment; phishing-resistant methods prioritised; zero active exceptions.
Evidenceconditional access policy configuration, MFA enrolment report per platform, exception register, and annual policy review sign-off.
▼
Domain 7: Continuous Vulnerability Management
CIS 7
▼
7.1
Establish and Maintain a Vulnerability Management Process
High
CIS 7
Does the business maintain a documented vulnerability management process that includes scheduled scanning of software, internally developed code, network devices, and other assets, with findings triaged and remediated based on risk severity?
Why It Matters
Without vulnerability management, the business has no visibility into known vulnerabilities in its software, operating systems, or devices. Threat actors routinely scan for and exploit unpatched, publicly disclosed vulnerabilities, often within hours of a CVE being published.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Vulnerability assessments are conducted occasionally, without a defined schedule, consistent scope, or structured remediation process. Remediation is reactive.
Evidenceat least one vulnerability scan report from the past 12 months - e.g., output from Nessus, Qualys, OpenVAS, or equivalent.
▼
L2
Repeatable
Automated vulnerability scans are scheduled at minimum monthly for internal assets and quarterly for external-facing systems. Results are triaged by severity (CVSS or equivalent) with defined remediation timeframes (e.g., Critical within 72 hours, High within 30 days, Medium within 90 days). Coverage extends to all in-scope assets.
Evidencescheduled scan configuration; vulnerability reports with severity-based triage; remediation tickets with target closure dates.
▼
L3
Defined
Scanning is continuous using an integrated platform (e.g., Qualys VMDR, Tenable.io, Microsoft Defender Vulnerability Management, Rapid7 InsightVM). Findings auto-correlate with asset inventory and feed a remediation workflow. Remediation SLAs are enforced with escalation for breaches. Internally developed code is subject to SAST/DAST in the CI/CD pipeline. External attack surface is monitored continuously. Targets: Critical <72hrs, High <30 days, Medium <90 days; 100% of assets scanned in last 30 days.
Evidenceautomated scan platform dashboards, SLA compliance reports, SAST/DAST pipeline integration evidence, and annual process review sign-off.
▼
7.2
Patch Management
Immediate
CIS 7
Does the business deploy and apply operating system and application patches across all assets using a centrally managed tool, with defined SLAs by severity (e.g., critical patches within 14 days)?
Why It Matters
The vast majority of successful ransomware attacks exploit vulnerabilities for which patches have been available for more than 30 days. Unpatched systems are the primary enabler of both opportunistic and targeted attacks.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Patching occurs but inconsistently. Some systems may be updated promptly while others are left unpatched. No central visibility into patch status.
Evidenceconfirmation that at least some systems have been patched recently - e.g., Windows Update history or IT records showing updates applied.
▼
L2
Repeatable
A patch management solution is deployed (e.g., Intune/SCCM, Jamf, Red Hat Satellite, AWS Systems Manager) covering all managed assets. Patches are deployed on a defined schedule (at minimum monthly). All assets are integrated into the solution. Compliance is reported centrally.
Evidencepatch management console showing all assets enrolled; monthly deployment reports; compliance percentage by asset group.
▼
L3
Defined
Patching is automated with risk-based SLAs: Critical (CVSS 9.0+) within 14 days, High (7.0-8.9) within 30 days, Medium (4.0-6.9) within 90 days. Compliance is monitored continuously and reported monthly. Non-compliant systems trigger alerts and escalation. Third-party applications are included alongside OS patches. Targets: 95%+ patch compliance within SLA; 100% of assets managed by the patching tool.
Evidenceautomated patch reports with SLA compliance tracking, escalation records for non-compliant systems, and annual process review sign-off.
▼
Domain 8: Audit Log Management
CIS 8
▼
8.1
Collect Audit Logs
Immediate
CIS 8
Does the business collect audit logs from all assets and critical systems, including: event source, timestamp, username, and source/destination addresses, with logs forwarded to a centralised store and retained in line with regulatory requirements?
Why It Matters
Without audit logs, security incidents cannot be detected, investigated, or reconstructed. The absence of logging is a compliance failure under most regulatory frameworks and a significant impediment to forensic investigation following a breach.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Logs are collected from some assets but retained locally on each system with no central aggregation, consistent format, or defined retention. Logs may be overwritten.
Evidenceconfirmation that logging is enabled on key systems - e.g., Windows Event Log settings, syslog configuration, or cloud platform logging enabled.
▼
L2
Repeatable
Logs are collected from all in-scope assets and forwarded to a centralised log store (e.g., SIEM, syslog server, Azure Monitor, AWS CloudTrail/CloudWatch). Logs include required fields: event source, timestamp, username, source/destination addresses. Retention is aligned to regulatory requirements (typically 12 months minimum, 3 months immediately accessible).
Evidencelog forwarding configuration for all in-scope systems; central log store with retention settings confirmed; sample log review confirming required fields.
▼
L3
Defined
Centralised logging is implemented using a SIEM (e.g., CrowdStrike Falcon NG-SIEM, Microsoft Sentinel, Splunk, Elastic SIEM, QRadar). Sources include endpoints, servers, network devices, cloud platforms, identity providers, and key SaaS applications. Alert rules are configured for high-priority events. Alerts are investigated within defined SLAs. Log integrity is protected (near real-time forwarding, tamper-resistant storage). Targets: 100% of in-scope systems forwarding logs; gap detection active; retention compliance confirmed.
EvidenceSIEM onboarding report, alert rule configuration, investigation records with response times, log retention policy, and annual process review sign-off.
▼
8.2
Standardize Time Synchronization
Medium
CIS 8
Does the business enforce consistent time synchronisation across all devices and systems using a centralised NTP solution, with monitoring to detect and alert on clock drift?
Why It Matters
Inconsistent timestamps across systems make log correlation during incident investigation unreliable or impossible. A 5-minute clock skew between a firewall and an endpoint log can prevent investigators from reconstructing the sequence of events in a breach.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some devices are configured to use NTP, but the configuration is not consistent across all systems. Time drift may exist without detection.
Evidenceconfirmation that NTP is configured on at least some systems - e.g., NTP settings in device configuration or group policy.
▼
L2
Repeatable
A centralised NTP solution is deployed and all devices are configured to synchronise from approved NTP sources. Settings are enforced via group policy, MDM, or configuration management.
EvidenceNTP configuration in group policy or MDM profile; confirmation that all managed devices use approved NTP sources.
▼
L3
Defined
At least two authoritative NTP sources are configured for redundancy. Time synchronisation is monitored: devices with significant drift (e.g., >5 seconds) generate alerts and are remediated within a defined SLA. Cloud environments use provider NTP services. The process is formally documented and reviewed annually. Targets: 100% of devices within acceptable drift threshold.
EvidenceNTP configuration reports, drift monitoring alerts and remediation logs, and annual process review sign-off.
▼
Domain 9: Email and Web Browser Protections
CIS 9
▼
9.1
Ensure Use of Only Fully Supported Browsers
High
CIS 9
Does the business ensure only fully supported, up-to-date browser versions are permitted to run, with centralised enforcement and monitoring to confirm compliance across all users?
Why It Matters
Browser vulnerabilities are a primary initial access vector. Drive-by downloads, malicious scripts, and zero-day exploits routinely target outdated browsers. Chromium-based browsers receive critical security updates every 2-4 weeks; falling behind creates exploitable exposure.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Supported browsers are in use, but no monitoring or enforcement confirms all users are running up-to-date versions. Updates are left to individual users.
Evidenceconfirmation that a current, supported browser is installed as the organisational default - e.g., software inventory showing browser name and version on sampled devices.
▼
L2
Repeatable
Browser version compliance is enforced through MDM auto-update policies, conditional access blocking outdated versions, or centralised application packaging. Non-compliant devices are flagged for remediation within a defined SLA.
EvidenceMDM or endpoint management browser compliance report; auto-update policy configuration.
▼
L3
Defined
Browser management is fully automated: browsers auto-update silently on all managed devices. Non-compliant devices are blocked from accessing corporate resources until updated. A formal policy covers approved browsers, version lifecycle, and the exception process. Browser extensions are controlled via policy. Targets: 100% of devices running a supported version; updates applied within 48 hours of critical release.
EvidenceMDM browser compliance dashboard, auto-update policy configuration, extension control policy, exception register, and annual policy review sign-off.
▼
9.2
Implement Web Filtering Services
Medium
CIS 9
Does the business deploy web filtering services across all assets, including remote and mobile users, to block access to known malicious sites and high-risk content categories, with rules reviewed regularly?
Why It Matters
Web-based threats are a primary delivery mechanism for malware, ransomware, and credential harvesting. Without web filtering, users can access known malware distribution sites, phishing pages, and command-and-control infrastructure from any device.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A web filtering solution is deployed (e.g., DNS filter, proxy, or secure web gateway) with default vendor categories and minimal customisation. No monitoring or alerting is configured and remote users may not be covered.
Evidenceconfirmation that a web filtering product is deployed and active - e.g., vendor dashboard screenshot or IT confirmation.
▼
L2
Repeatable
Web filtering blocks: known malicious sites, phishing and credential harvesting sites, malware distribution categories, and other high-risk categories aligned to acceptable use policy. The solution covers all users including remote workers. Filtering policies are reviewed at least annually.
Evidencefiltering policy configuration with categories blocked; coverage report confirming remote users included; last policy review date.
▼
L3
Defined
Web filtering is provided by a cloud-delivered secure web gateway (e.g., Zscaler, Cisco Umbrella, Netskope, Microsoft Defender Web Content Filtering) covering all users regardless of location. SSL/TLS inspection is enabled. Threat intelligence feeds are updated in real-time. Filtering events are logged and integrated into SIEM. Policy is reviewed quarterly. Targets: 100% of users covered; policy reviewed within last 90 days.
Evidencesecure web gateway configuration, SSL inspection policy, user coverage report, SIEM integration evidence, and annual policy review sign-off.
▼
9.3
Email spoofing protection
High
CIS 9
Does the business implement SPF, DKIM, and DMARC across all active and parked domains to prevent email spoofing, with DMARC set to at least quarantine and DMARC reports monitored for misalignment?
Why It Matters
Without DMARC, the organisation's email domain can be freely spoofed by anyone. Attackers can send emails that appear to come from the organisation's own domain, enabling phishing, Business Email Compromise (BEC), and supply chain fraud, some of the highest-cost attack types.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
SPF and DKIM records are configured for the primary sending domain. However, no DMARC record exists or DMARC is set to p=none, meaning no enforcement against spoofed emails. Parked or legacy domains may be unprotected.
EvidenceDNS record lookup confirming SPF and DKIM are present for the primary domain - e.g., output from MXToolbox or equivalent.
▼
L2
Repeatable
SPF, DKIM, and DMARC are configured for all active sending domains. DMARC is set to p=quarantine or p=reject. DMARC reports (RUA/RUF) are received and reviewed.
EvidenceDNS record exports confirming SPF, DKIM, and DMARC for all active domains; DMARC reporting inbox or aggregation tool showing reports received.
▼
L3
Defined
DMARC is set to p=reject for all active and parked domains. DMARC reports are processed using a dedicated tool (e.g., Dmarcian, Valimail, Postmark) with automated alerting for alignment failures. A formal process governs SPF changes and DKIM key rotation (keys rotated at least annually). Targets: 100% of domains at p=reject; alignment failures trending to zero; DKIM keys <12 months old; 100% parked domain protection.
EvidenceDNS record exports for all domains, DMARC reporting tool dashboard, DKIM key rotation records, and annual process review sign-off.
▼
9.4
Deploy Dedicated Email Security
Immediate
CIS 9
Does the business deploy a dedicated, third-party email security solution external to the native email platform, providing anti-malware, anti-phishing, attachment scanning, and sandboxing, with active monitoring and regular configuration reviews?
Why It Matters
Email is consistently the primary initial access vector in ransomware, BEC, and credential phishing attacks. Without anti-malware and spam protection, malicious attachments, links, and payloads are delivered directly to user inboxes.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Email protection relies solely on the native capabilities of the email platform (e.g., Exchange Online Protection, Google Workspace default spam filters) with default settings. No dedicated third-party email security layer is in place. There is no additional threat intelligence, sandboxing, or active management of the configuration.
Evidenceconfirmation that native email filtering is active - e.g., Exchange Online Protection settings or Google Workspace security dashboard.
▼
L2
Repeatable
A dedicated email security solution external to the native email platform is deployed and fully configured (e.g., KnowBe4 Egress, Mimecast, Proofpoint, Abnormal Security). The solution sits in front of or integrates with the email platform to provide an independent layer of protection beyond native capabilities. Configuration includes URL scanning, attachment scanning, impersonation protection, and tuned spam filtering. Email authentication (SPF, DKIM, DMARC) is integrated. The solution is reviewed at least annually.
Evidencethird-party email security platform configuration showing deployment external to the native email system; a recent review or configuration audit record.
▼
L3
Defined
Advanced protection includes: attachment sandboxing, zero-hour auto-purge (ZAP), time-of-click URL protection, and AI-based BEC/impersonation detection. The solution provides protection independent of the native email platform, ensuring defence-in-depth. Logs are forwarded to SIEM. High-confidence alerts are investigated within a defined SLA. Configuration is reviewed quarterly. Targets: detection investigated within 4 hours for high-confidence; configuration reviewed quarterly.
Evidenceemail security platform dashboards, SIEM integration logs, alert investigation records with response times, and annual process review sign-off.
▼
Domain 10: Malware Defences
CIS 10
▼
10.1
Deploy and Maintain Managed Detection and Response
Immediate
CIS 10
Does the business deploy a centrally managed EDR solution with 24/7 managed detection and response (MDR) capability across all assets, with confirmed coverage, automated updates, and defined response SLAs?
Why It Matters
Endpoints are the primary target for malware delivery, ransomware deployment, and initial compromise. An EDR agent provides visibility into endpoint activity and generates alerts, but without a managed detection and response (MDR) service monitoring those alerts 24/7, threats that occur outside business hours - which is when the majority of ransomware is deployed - go undetected until the damage is done. An unmonitored EDR is a camera with nobody watching the monitors.
▼
L0
Not in Place
No EDR or MDR capability is in place.
▼
L1
Ad Hoc
An EDR agent and MDR service are in place, but the business cannot demonstrate full coverage across all assets. Some devices may lack an agent, the MDR service may not cover all asset types, or onboarding to the MDR provider is incomplete. Coverage gaps exist and are not fully quantified.
EvidenceEDR console showing partial deployment; MDR service contract confirming the service is active, even if onboarding is ongoing.
▼
L2
Repeatable
A centrally managed EDR solution (e.g., CrowdStrike Falcon, SentinelOne, or equivalent) is deployed on all managed assets (target: 95%+ coverage) with an MDR service providing 24/7 monitoring, triage, and escalation. The MDR provider or internal SOC investigates alerts and escalates confirmed threats within defined SLAs. Signatures and behavioural detections are updated automatically. Newly provisioned devices receive the agent before network access. Coverage and agent health are reported centrally.
EvidenceEDR management console showing coverage percentage and agent health; MDR service contract with defined SLAs; escalation records showing alerts triaged and actioned; provisioning checklist confirming agent deployment pre-network access.
▼
L3
Defined
The MDR service provides full threat hunting, automated containment, and integrated incident response alongside 24/7 monitoring. The EDR solution (e.g., CrowdStrike Falcon, SentinelOne) provides behavioural detection, automated remediation, and SIEM/SOAR integration. Agent absence triggers alerts and blocks network access via conditional access or NAC. High-severity alerts are contained automatically or triaged within 1 hour. The MDR provider delivers regular threat reporting and participates in incident response exercises. Targets: 100% agent coverage; all agents updated within 24 hours; high-severity detection-to-containment within 1 hour; MDR threat reports reviewed monthly.
EvidenceEDR console coverage and alert reports, MDR service SLA performance reports, automated containment records, threat hunting reports, SIEM integration evidence, incident response exercise participation records, and annual process review sign-off.
▼
10.2
Disable Removable Media
Medium
CIS 10
Does the business disable autorun/autoplay for removable media, restrict removable media use across all assets, and configure anti-malware to scan any permitted removable media automatically?
Why It Matters
Removable media is a well-established malware delivery vector and a significant data exfiltration channel. It is exploited by both insider threats and external attackers with physical access. The Stuxnet attack demonstrated the potential impact.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some attempt has been made to restrict removable media - e.g., autorun is disabled on some systems or a policy exists - but controls are not consistently enforced.
Evidenceconfirmation that autorun is disabled on at least some systems - e.g., a group policy setting or IT confirmation, or a written policy.
▼
L2
Repeatable
Autorun/autoplay is disabled on all managed devices via group policy or MDM. Removable media use is centrally restricted: devices are blocked by default, with exceptions only for approved devices and users. Anti-malware scans all connected removable media.
Evidencegroup policy or MDM configuration showing autorun disabled and media restrictions enforced; anti-malware scan policy for removable media.
▼
L3
Defined
Removable media controls are enforced using endpoint management tooling (e.g., Intune device restriction policies, CrowdStrike Device Control, Symantec DLP). Only explicitly approved, encrypted devices (identified by device ID) are permitted with documented business justification. All connections and transfers are logged and forwarded to SIEM. A formal policy is documented and reviewed annually. Targets: 100% autorun disabled; all exceptions approved and logged.
Evidenceendpoint device control configuration, SIEM removable media event logs, exception register with approvals, DLP alert reports, and annual policy review sign-off.
▼
Domain 11: Data Recovery
CIS 11
▼
11.1
Establish and Maintain a Disaster Recovery and Business Continuity Plan
High
CIS 11
Does the business maintain a documented disaster recovery and business continuity process covering: recovery scope (informed by a BIA), RTOs and RPOs, backup security measures, and defined roles and responsibilities?
Why It Matters
Without a DR/BCP, recovery from a significant incident (ransomware, data centre failure, critical system loss) will be slow, chaotic, and significantly more costly. There is no plan for what to recover first, in what order, or who is responsible.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some basic DR/BCP documentation exists, but it has not been tested, reviewed, or updated recently. RTOs and RPOs may not be defined or validated.
Evidenceany DR or BCP document, however basic or outdated, showing recovery planning has been considered.
▼
L2
Repeatable
A documented DR/BCP addresses all four required elements: scope informed by a BIA, RTOs and RPOs per system, security controls for backup data, and defined roles and responsibilities. The plan is reviewed at least annually. Key staff are familiar with their roles.
Evidencecurrent BCP/DR document with BIA, RTO/RPO table, and named roles; annual review sign-off.
▼
L3
Defined
RTOs and RPOs are formally defined for all critical systems based on a current BIA and validated through regular testing (at least annual DR exercises or tabletops). Test results identify gaps and drive plan improvements. Cyber incident response is integrated with DR/BCP, including ransomware-specific recovery scenarios. Targets: RTO/RPO validated in last test; zero open action items from testing older than 30 days.
Evidencecurrent BIA, RTO/RPO register, DR test reports with gap analysis, post-test action plans, and annual review sign-off.
▼
11.2
Perform Automated Backups
Immediate
CIS 11
Does the business perform automated backups of all in-scope assets and configurations on a defined schedule, with monitoring and alerting to detect backup failures?
Why It Matters
Without automated backups, data recovery following ransomware, accidental deletion, or hardware failure may be impossible or rely on outdated manual copies. Ransomware actors specifically target backup systems as a first step to prevent recovery.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Backups are performed but are not fully automated. Some critical systems may be backed up on a schedule, but others rely on manual processes or ad hoc copies. The business cannot confirm that all in-scope assets are consistently backed up. Backup success is not monitored centrally.
Evidencebackup logs or records showing at least some backups are completing, with acknowledgement that the process is not fully automated or comprehensive.
▼
L2
Repeatable
All in-scope assets are backed up automatically using a backup solution (e.g., Azure Backup, AWS Backup, Veeam, Cohesity, Commvault). Frequency is defined per asset tier. All assets and configurations are included.
Evidencebackup solution console showing all in-scope assets with scheduled job configurations and last successful backup timestamps.
▼
L3
Defined
Backups are automated with frequency and retention aligned to RTO/RPO requirements. Backup failures generate immediate alerts and are resolved within a defined SLA (e.g., 4 hours). Configuration backups are included alongside data. Cloud-native assets use provider backup capabilities with equivalent monitoring. Targets: 99%+ backup success rate; 100% of assets backed up within last RPO window.
Evidenceautomated backup console with success/failure logs, alert configuration, remediation records for failed backups, and annual process review sign-off.
▼
11.3
Protect Recovery Data
High
CIS 11
Does the business apply security controls to all recovery data equivalent to those on source systems, including encryption and access restrictions, consistently across all backup locations?
Why It Matters
Backup data without security controls (encryption, access restriction) can be reached by the same user accounts or ransomware that compromised production data. This pattern, encrypting both production and backup, is observed in the majority of sophisticated ransomware incidents.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some security controls are applied to backups (e.g., a backup volume has restricted access), but the approach is inconsistent across types and locations.
Evidenceconfirmation that at least some security controls are applied to backup storage - e.g., access control settings or encryption confirmation.
▼
L2
Repeatable
Security controls equivalent to production data are consistently applied: encryption at rest and in transit, access restricted to dedicated backup service accounts, and no direct user access. Controls are applied uniformly across all backup instances.
Evidencebackup solution encryption configuration; access control configuration showing restricted permissions; confirmation all backup instances are included.
▼
L3
Defined
Backup encryption uses strong algorithms (AES-256 or equivalent). Encryption keys are managed separately from backup data (KMS or HSM). Access is limited to dedicated backup accounts via least privilege. Immutability (WORM) is enforced where supported (e.g., Azure Blob immutable storage, S3 Object Lock, Veeam Hardened Repository). Backup security is reviewed annually against production equivalence. Targets: 100% encrypted; 100% WORM coverage on off-site backups; minimal dedicated backup accounts only.
Evidenceencryption configuration audit, access control report, WORM policy configuration, key management records, and annual review sign-off.
▼
11.4
Establish and Maintain an Isolated Instance of Recovery Data
Immediate
CIS 11
Does the business maintain at least one isolated instance of recovery data (e.g., off-site, offline, or immutable cloud storage) that is not directly accessible from the production environment?
Why It Matters
Without isolated backup copies, a ransomware attack or site-wide disaster destroys both production data and all backups simultaneously. Recovery from ransomware is effectively impossible without at least one isolated, immutable copy of backup data.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some data is backed up to a separate location (e.g., external drive, separate NAS, or cloud bucket), but coverage is partial and isolation may be insufficient.
Evidenceconfirmation that at least some backup data is stored separately from production - e.g., cloud storage details, offsite drive location, or backup tool configuration.
▼
L2
Repeatable
All critical backups are stored off-site in an isolated location (e.g., secondary data centre, separate cloud region, or cloud cold storage). Isolated copies are not directly accessible from the production environment - separate credentials or network path required.
Evidencebackup location confirmation showing off-site/isolated storage; access configuration showing separate credentials or network isolation.
▼
L3
Defined
Backup isolation follows a 3-2-1-1-0 or equivalent strategy: 3 copies, 2 media types, 1 off-site, 1 air-gapped or immutable, 0 verified errors. Air-gapped or immutable copies use WORM storage, offline tape, or cloud immutable storage. Isolated backups are included in recovery testing (at minimum annually). Separate access credentials are managed through PAM. Targets: 100% of critical systems with isolated copies; last restore test from isolated copy documented.
Evidencebackup strategy document, off-site backup records, WORM/immutability configuration, separate credential management evidence, and recovery test records.
▼
11.5
Test Data Recovery
High
CIS 11
Does the business test backup recovery at least quarterly, document results, and use findings to validate RTOs/RPOs and address any gaps in recoverability?
Why It Matters
Untested backups fail at a significantly higher rate than expected. Common failure modes include corrupted files, incomplete backup sets, changed restore procedures, and encryption key loss. Discovering this during an actual recovery event dramatically extends downtime and cost.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Backup restoration has been tested on an ad hoc basis - e.g., following a recovery incident or management request - but not on a defined schedule. Results may not be formally documented.
Evidenceany record of a successful restore test - e.g., IT ticket, email, or note confirming data was recovered from backup.
▼
L2
Repeatable
Backup restoration is tested on a defined schedule (at least quarterly for critical systems). A process defines which systems are tested, restore procedures, success criteria, and documentation requirements.
Evidencequarterly restore test records showing system tested, restore time, success/failure, and sign-off.
▼
L3
Defined
A comprehensive testing programme covers all critical systems on a defined rotation, with each system tested at a frequency aligned to its RTO/RPO. Tests validate: data integrity, restore time (actual vs target RTO), application functionality, and procedure accuracy. Failures trigger immediate investigation. Results feed back into the DR plan. Targets: 100% of critical systems tested in last 12 months; zero open remediation items older than 30 days.
Evidencerestore test records with timing and success/failure data, post-test remediation records, DR plan updates, and annual test programme review sign-off.
▼
Domain 12: Network Infrastructure Management
CIS 12
▼
12.1
Manage and Secure Network Infrastructure
Immediate
CIS 12
Does the business ensure all network infrastructure (routers, switches, firewalls, wireless access points, load balancers, and cloud-managed network appliances) runs current, supported firmware, with perimeter and internal firewall rule bases documented, reviewed, and monitored?
Why It Matters
Network infrastructure is a high-value, high-impact target. A compromised router or firewall provides an attacker with persistent, privileged access enabling full traffic interception and lateral movement across the entire environment. Perimeter firewalls with unreviewed rule bases accumulate excessive permissions over time, creating exploitable gaps. Network devices running end-of-life firmware have known, publicly disclosed vulnerabilities that will never be patched.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Firmware updates are applied reactively, typically following vendor advisories or incidents. No defined schedule or systematic approach exists and some devices may have been missed. A perimeter firewall is in place but the rule base has not been formally reviewed. There is no documented network segmentation approach. Firewall logs may not be monitored.
Evidenceconfirmation that at least some network devices have been updated; confirmation a perimeter firewall is in place - e.g., device configuration showing current firmware version, or firewall management console access.
▼
L2
Repeatable
Network devices are updated on a defined schedule (at minimum annually, or as critical vulnerabilities are disclosed). A register tracks current firmware version vs latest available. Updates follow the change management process. Perimeter and internal firewall rule bases are documented, follow a default-deny approach, and are reviewed at least annually with unused or overly permissive rules removed. Network segmentation separates critical systems (e.g., production, management, user networks) into distinct zones. Firewall logs are forwarded to a central log store or SIEM.
Evidencenetwork device firmware register; firewall rule documentation with annual review dates and approvals; network diagram showing segmentation; SIEM or log store confirming firewall log ingestion.
▼
L3
Defined
Firmware and software currency is monitored continuously using network management tooling (e.g., Cisco DNA Center, SolarWinds NPM, PRTG). Alerts flag devices behind available versions or at end-of-support. Firewall rule bases are managed through a formal change process with named owners per rule. Rule reviews are conducted at least annually with sign-off. Network segmentation is enforced and validated through regular testing (e.g., penetration testing, segmentation validation scans). Firewall logs are monitored in a SIEM with alert rules for anomalous traffic. Cloud-managed infrastructure (e.g., AWS Security Groups, Azure NSGs) follows equivalent standards via IaC. A contractual responsibility matrix is reviewed annually for any MSP-managed infrastructure. Targets: 100% of devices running current firmware; all firewall rules reviewed within last 12 months; segmentation validated at least annually; zero critical devices with firmware older than 12 months.
Evidencenetwork management tool firmware reports, firewall rule review records with approvals, segmentation validation test results, SIEM alert configuration and logs, IaC templates with security controls, cloud/MSP responsibility matrix, and annual review sign-off.
▼
Domain 13: Network Monitoring and Defence
CIS 13
▼
13.1
Manage Access Control for Remote Assets
Medium
CIS 13
Does the business verify device compliance before granting remote access, confirming anti-malware is current, the device meets secure configuration requirements, and the OS and applications are up to date?
This applies to all staff including part-time employees and third parties.
Why It Matters
A compromised home or personal device connecting to the corporate network via VPN is a primary ransomware entry pathway. Without device compliance checks, attackers can move laterally from the remote device into core infrastructure unimpeded.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Remote access is provided, but no automated device compliance checks are performed. Policies may exist but are not technically enforced.
Evidenceconfirmation that remote access is in place - e.g., VPN configuration - alongside any written guidance issued to remote users about device security.
▼
L2
Repeatable
Device compliance is verified before remote access is granted using VPN pre-connect checks, MDM conditional access, or NAC. Non-compliant devices are denied or placed in a restricted zone. Checks cover all remote users including contractors.
EvidenceVPN or conditional access configuration showing compliance requirements; compliance check logs confirming devices verified before access.
▼
L3
Defined
Remote access uses a ZTNA or conditional access framework (e.g., Entra Conditional Access, Zscaler Private Access, Cloudflare Access) with continuous verification - not just at connection time. Checks include device compliance, user identity (MFA), and network posture. Non-corporate devices are directed to isolated, limited-privilege access. Remote access permissions are reviewed quarterly. Targets: 100% of connections verified compliant; quarterly access review completed.
EvidenceZTNA/conditional access policy configuration, compliance enforcement logs, blocked connection records, quarterly access review sign-offs, and annual process review.
▼
Domain 14: Security Awareness and Skills Training
CIS 14
▼
14.1
Establish and Maintain a Security Awareness Program
High
CIS 14
Does the business operate a security awareness programme that delivers training to all new joiners at onboarding and to all staff at least annually, with a named owner responsible for delivery and completion tracked?
Why It Matters
Human error and social engineering account for the majority of initial compromise events in reported breaches. Without security training, staff cannot recognise phishing, social engineering, or unsafe behaviours that represent the primary cause of security incidents.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Ad hoc security awareness activities occur (e.g., occasional email reminders or a one-time presentation), but there is no structured programme or consistent delivery. New joiners may receive no security training.
Evidencerecords of at least one awareness activity - e.g., presentation deck, email to staff, or attendance records.
▼
L2
Repeatable
A defined programme delivers training to new joiners at onboarding and all staff at least annually. A designated owner is responsible. Completion is tracked and reported. Training is delivered through an LMS or equivalent.
Evidenceprogramme document with curriculum and delivery schedule; completion tracking report showing all staff trained within the last 12 months.
▼
L3
Defined
The programme is delivered via a dedicated platform (e.g., KnowBe4, Proofpoint Security Awareness, Mimecast, Hoxhunt) with role-tailored content. Content is reviewed and updated at least annually. Completion is tracked with automated reminders; non-completion triggers management escalation. Effectiveness is measured via phishing simulation click rates and repeat offender tracking. Targets: 95%+ completion within 30 days of due date; phishing click rate below 5% and trending down.
EvidenceLMS completion reports, phishing simulation results with trend data, content review records, and annual programme review sign-off.
▼
14.2
Train Workforce Members to Survive in Current Threat Landscape
High
CIS 14
Does the business security awareness programme cover, at minimum: social engineering and phishing recognition, authentication best practices, preventing data exposure, incident reporting, software update hygiene, and risks of unsecured networks?
Why It Matters
Staff who cannot identify a phishing email, do not know how to report an incident, and unknowingly engage in high-risk behaviours (reusing passwords, connecting to public Wi-Fi, clicking unsolicited links) are the primary enabler of the majority of reported security incidents.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some training is provided but does not cover all required topics consistently. Coverage may be weighted towards one area (e.g., phishing) while others receive little attention.
Evidenceany training materials or records showing at least some required topics have been covered for staff.
▼
L2
Repeatable
The curriculum explicitly covers all six required topics for all staff: social engineering, authentication best practices, preventing data exposure, incident reporting, software patch hygiene, and risks of unsecured networks. Training is completed at least annually.
Evidencecurriculum document showing all six topics; completion records confirming all staff trained.
▼
L3
Defined
Training is reinforced through scenario-based learning. Phishing simulations test recognition skills with automatic follow-up training for users who click. Data handling scenarios test classification behaviours. Metrics are tracked per topic. Content is updated at least annually and following major incidents. Targets: phishing click rate <5%; 95%+ completion per topic; incident reporting rate trending up; 90%+ awareness quiz pass rate.
Evidenceper-topic completion records, phishing simulation reports with trend data, incident reporting volume trend, content review records, and annual programme review sign-off.
▼
14.3
Conduct Role-Specific Security Awareness and Skills Training
Medium
CIS 14
Does the business provide role-specific security training to staff in high-risk roles (e.g., IT administrators, developers, finance staff, executives) on a defined frequency, with content reviewed at least annually?
Why It Matters
Generic security training does not address the specialised threats facing different roles. IT administrators managing privileged access, developers writing code, executives targeted by whaling attacks, and finance staff targeted by payment fraud all require tailored training.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Role-specific training is planned for some roles (e.g., a one-off secure coding session for developers), but not conducted on a regular schedule. Coverage is inconsistent.
Evidencerecords of at least one role-specific session - e.g., attendance records, completion certificate, or calendar invites.
▼
L2
Repeatable
Role-specific training is formally defined for all high-risk roles (at minimum: IT administrators, developers, finance staff, executives, HR). Each role has a relevant curriculum conducted at least annually. Completion is tracked by role.
Evidencerole-based training matrix showing roles, curriculum, and frequency; completion tracking report by role.
▼
L3
Defined
Training is delivered through specialised content aligned to industry standards: developers attend OWASP Top 10/secure coding training with hands-on exercises (e.g., Secure Code Warrior, Snyk Learn); IT administrators complete privileged access and hardening training; executives receive BEC/whaling awareness with realistic simulations; finance staff complete payment fraud training. Content is reviewed annually. Non-completion is escalated. Targets: 95%+ completion per role; developer assessment scores improving; executive simulation participation tracked.
Evidencerole-specific training records, curriculum review logs, developer assessment scores, executive simulation results, and annual programme review sign-off.
▼
Domain 15: Service Provider Management
CIS 15
▼
15.1
Establish and Maintain an Inventory of Service Providers
Medium
CIS 15
Does the business maintain a complete inventory of IT service providers that includes, at minimum: provider name, risk classification (high/medium/low), and a designated contact, with the inventory reviewed and updated regularly?
Why It Matters
Third-party suppliers represent a significant and often underestimated attack surface. The SolarWinds, Kaseya, and MOVEit incidents demonstrated that a compromise of a single supplier can cascade across thousands of organisations simultaneously.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A basic list of some known service providers exists, assembled informally by IT or procurement. Risk classifications are not assigned and no designated contacts are recorded.
Evidenceany list of IT service providers, even if incomplete and held in a spreadsheet.
▼
L2
Repeatable
A complete, centralised inventory includes: provider name, services provided, risk classification (high/medium/low based on data access, criticality, and integration depth), and a designated contact. The inventory is reviewed and updated at least quarterly.
Evidenceservice provider register with all required fields; quarterly review records confirming updates.
▼
L3
Defined
The inventory is integrated with vendor management and procurement - new suppliers cannot be onboarded without being added and assessed. Risk classification follows a formal methodology. High-risk providers are subject to annual security assessments (SOC 2 Type II, ISO 27001, or equivalent). Medium-risk providers are reviewed every two years. Low-risk at renewal. Targets: 100% of known IT suppliers inventoried; 100% of high-risk suppliers with current assessment; zero suppliers with overdue review.
Evidenceservice provider register with classification methodology, assessment records per high-risk supplier, onboarding documentation, and annual process review sign-off.
▼
Domain 16: Application Software Security
CIS 16
▼
16.1
Establish and Maintain a Secure Application DevelopmentĀ Process
High
CIS 16
Does the business maintain a Secure Software Development Lifecycle (SSDLC) process applied consistently to all development activity, covering: secure design standards, secure coding practices, developer training, third-party code evaluation, and application security testing?
Why It Matters
Internally developed applications frequently introduce vulnerabilities that would be identified by basic security testing. Web application vulnerabilities (OWASP Top 10) are among the most commonly exploited in targeted attacks, and without an SSDLC, these can remain unpatched indefinitely.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A basic SSDLC document exists and some elements are followed, but not consistently - e.g., followed for new projects but not urgent fixes or contractor work.
Evidencean SSDLC document alongside evidence of application to at least one recent project - e.g., security review record, test report, or developer sign-off.
▼
L2
Repeatable
A documented SSDLC covering all five required areas is applied consistently to all development activities, including minor changes. The document is reviewed at least annually. Developers receive secure coding training.
Evidencecurrent SSDLC document with review history; developer training records; evidence of SSDLC application to recent changes.
▼
L3
Defined
Security is integrated throughout the CI/CD pipeline: SAST (e.g., SonarQube, Checkmarx, Semgrep, Snyk Code) and DAST (e.g., OWASP ZAP, Burp Suite) run on every commit or build. Issues must be resolved or formally accepted before production promotion. Dependency scanning (SCA) identifies vulnerable third-party libraries automatically. External-facing applications are pen-tested at least annually. Targets: 100% of commits scanned; critical/high vulnerabilities resolved before release; penetration test findings remediated.
EvidenceCI/CD SAST/DAST configuration, scan reports with remediation records, penetration test reports, developer training records, and annual SSDLC review sign-off.
▼
16.2
Establish and Maintain an Inventory of Third-Party Software Components
High
CIS 16
Does the business maintain an up-to-date software bill of materials (SBOM) for all third-party components used in development, with identified risks, regular reviews, and a defined process for evaluating new components before use?
Why It Matters
The Log4Shell vulnerability (CVE-2021-44228) demonstrated the impact of untracked open-source dependencies. Organisations without an SBOM could not identify whether they were affected for days or weeks. Visibility into third-party components is essential for rapid response.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some awareness of key third-party dependencies exists - developers may know major frameworks - but this is not systematically documented. No formal inventory or risk assessment exists.
Evidenceany informal record of components in use - e.g., project README, package.json, requirements.txt, or developer-maintained list.
▼
L2
Repeatable
A comprehensive SBOM lists all third-party components across the software portfolio. Components are sourced from trusted repositories and verified for integrity before use.
EvidenceSBOM document or tool output showing all dependencies; sourcing policy confirming trusted repositories only.
▼
L3
Defined
SBOM generation is automated via SCA tooling in the CI/CD pipeline (e.g., Snyk, Dependabot, OWASP Dependency-Check, BlackDuck). The tool identifies all dependencies (direct and transitive), versions, updates, and known CVEs. Alerts are generated for newly published vulnerabilities. New components require a security evaluation before approval. The SBOM is reviewed at least monthly. Targets: 100% of applications with current SBOM; zero critical/high CVEs in use without exception; remediation aligned to severity SLAs.
EvidenceSCA tool reports, pipeline integration configuration, new component evaluation records, and monthly SBOM review sign-off.
▼
16.3
Separate Production and Non-Production Systems
Medium
CIS 16
Does the business maintain fully isolated production and non-production environments, with separate networks, credentials, and access, and conduct annual reviews to confirm no cross-environment access exists?
Why It Matters
Without environment separation, developers and CI/CD pipelines have direct access to production systems. This introduces risk of accidental data modification, exposure of production credentials, and deployment of untested or vulnerable code to live systems.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Some separation exists in principle (e.g., separate named environments), but credentials, network access, or infrastructure may be shared between environments.
Evidenceconfirmation that separate environments exist - e.g., separate server names, cloud labels, or deployment configuration showing distinct targets.
▼
L2
Repeatable
Production and non-production are fully isolated: separate network segments (or VPCs/subscriptions), separate credentials, and dedicated resources. No developer has standing access to production. Production deployments require change management.
Evidencenetwork architecture showing isolation; IAM showing separate accounts; change management records for production deployments.
▼
L3
Defined
Isolation is enforced via automated controls: separate cloud accounts/subscriptions with no cross-environment network paths. Identity controls prevent any single account from accessing both environments simultaneously. Production access is just-in-time via PAM. Annual reviews confirm isolation integrity. Production data is not used in non-production (synthetic/anonymised data used). Targets: zero accounts with cross-environment access; 100% of deployments via approved pipeline.
EvidenceIaC/cloud account structure, IAM cross-environment access report, PAM production access logs, synthetic data confirmation, and annual isolation review sign-off.
▼
Domain 17: Incident Response Management
CIS 17
▼
17.1
Designate Personnel to Manage Incident Handling
Medium
CIS 17
Does the business have a defined incident response process with formally assigned roles and responsibilities, tested at least annually through exercises or simulations?
Why It Matters
Organisations with mature incident response processes contain breaches faster and at lower cost. Without assigned roles and a structured process, response is reactive, uncoordinated, and significantly slower, leading to longer dwell times, poor containment, and regulatory reporting failures.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
Incident handling responsibility is informally understood by key individuals, but roles are not formally defined or documented. No structured process exists.
Evidenceany written record identifying who is responsible for handling security incidents - e.g., an email, org chart annotation, or informal note.
▼
L2
Repeatable
Specific personnel are formally assigned incident response roles. A basic process defines: how incidents are declared, who leads, how decisions are escalated, and how activities are documented.
Evidenceincident response policy or plan with named role assignments; records of incidents handled following the process.
▼
L3
Defined
A formal IR plan is documented, approved, communicated, and reviewed annually. It covers: role assignments (Incident Commander, technical lead, legal/comms, executive sponsor), escalation thresholds, decision frameworks, communication templates, and regulatory notification obligations. The plan is tested at least annually through tabletop exercises. Contact information is maintained offline (accessible during system outages). Targets: last test within 12 months; zero open action items from testing older than 60 days.
Evidencecurrent IR plan with named roles, tabletop exercise records and post-exercise action plans, offline contact list, and annual plan review sign-off.
▼
17.2
Establish and Maintain Contact Information for Reporting Security Incidents
Medium
CIS 17
Does the business maintain an up-to-date contact list for all parties to be notified in the event of a security incident, including internal responders, Vela contacts, the portfolio lead, and legal contacts, with escalation paths defined by severity?
Why It Matters
In the event of a significant incident, the business must quickly identify who to notify internally and externally, including regulators, legal counsel, insurers, and Vela. Delays in notification can result in regulatory penalties (e.g., GDPR requires notification within 72 hours), legal liability, and reputational damage.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
A basic contact list exists for major incidents, but may be incomplete, out of date, or stored only in systems that could be inaccessible during an incident.
Evidenceany contact list identifying at least the key internal people to contact in the event of a security incident.
▼
L2
Repeatable
A defined incident contact list includes all required parties: internal IR team, Vela contacts (including portfolio lead), business unit legal, and applicable regulator contacts. The list is reviewed at least annually.
Evidencecurrent contact list with all required parties; annual review sign-off confirming contacts verified.
▼
L3
Defined
The contact list is part of the formal IR plan, maintained in multiple formats including an offline printed copy stored securely. It includes escalation paths by severity (e.g., Severity 1 triggers executive notification within 1 hour). Contacts include: cyber insurer (policy number and hotline), external forensic IR retainer, legal counsel, and regulators. Contacts are confirmed at least bi-annually and after organisational changes. Targets: 100% of contacts with confirmed current details; offline copy updated within last 6 months.
Evidencecontact list with bi-annual verification records, offline copy confirmation, insurer and retainer details, and review sign-off.
▼
17.3
Establish and Maintain a Process for Reporting Incidents
High
CIS 17
Does the business maintain a documented incident reporting process covering: reporting timeframes, who to notify, the reporting mechanism, minimum required information, roles and responsibilities, regulatory obligations, and a channel for staff to report suspected incidents?
Why It Matters
The majority of breaches that result in regulatory penalties involve a failure to report within required timeframes. Without a reporting process, incidents go unreported or are reported too late, preventing timely detection, containment, and regulatory compliance.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
An incident reporting process exists in some form, but is not communicated to staff, not reviewed regularly, and covers only some required elements.
Evidenceany process document or written guidance describing how staff should report a security incident.
▼
L2
Repeatable
A documented process covers all seven required elements: reporting timeframes, who to report to, reporting mechanism, minimum information, roles and responsibilities, compliance requirements, and the employee reporting channel. All staff receive training. The process is accessible to all staff.
Evidenceprocess document covering all seven elements; staff training completion records; process accessibility evidence.
▼
L3
Defined
The process is communicated through multiple channels: onboarding, annual refresher, and periodic reminders. A low-friction reporting mechanism is provided (e.g., dedicated email, email client button, ticketing system). Regulatory obligations are explicitly mapped (e.g., GDPR 72-hour notification, PCI DSS requirements). Post-incident reviews are conducted for all significant incidents. Targets: incident reporting rate increasing; 95%+ reported within internal timeframe; 100% of significant incidents reviewed within 30 days.
Evidencereporting training records, reporting mechanism usage data, regulatory notification records, post-incident review reports, and annual process review sign-off.
▼
Domain 18: Penetration Testing
CIS 18
▼
18.1
Conduct Regular Penetration Testing
High
CIS 18
Does the business conduct independent penetration testing of its external and internal environments at least annually, with findings remediated within defined timelines and remediations validated through retesting?
Why It Matters
Penetration testing provides an independent, adversarial validation of the business's security posture that no other control delivers. Vulnerability scanning identifies known CVEs; penetration testing identifies exploitable weaknesses in configuration, architecture, and logic that scanners miss. It is a specific requirement under PCI DSS, DORA, and many cyber insurance policies, and is routinely expected by regulators and auditors. Without regular penetration testing, the business relies entirely on its own assessment of its defences, with no external challenge.
▼
L0
Not in Place
No process, control, or capability is in place.
▼
L1
Ad Hoc
At least one penetration test has been conducted in the last 24 months, but testing is ad hoc rather than scheduled. Scope may have been limited (e.g., a single application or external perimeter only). Findings may not have been formally tracked or fully remediated.
Evidencea penetration test report from a qualified provider within the last 24 months, even if scope was limited or remediation is incomplete.
▼
L2
Repeatable
External penetration testing is conducted at least annually by a qualified, independent provider (e.g., CREST, CHECK, or OSCP-certified). Scope covers all externally exposed assets and services. Findings are formally tracked with remediation timelines aligned to severity: critical within 14 days, high within 30 days, medium within 90 days. Remediation status is reported to management. Internal penetration testing is conducted at least annually, covering lateral movement and privilege escalation scenarios.
Evidenceannual external and internal penetration test reports from an independent provider; findings tracker showing severity, remediation owner, deadline, and current status; management reporting.
▼
L3
Defined
Penetration testing is integrated into the vulnerability management programme. Testing includes: external perimeter, internal network, web applications, cloud environments, and social engineering where appropriate. Remediation SLAs are enforced and validated through retesting - critical and high findings are retested to confirm closure. Results inform risk register updates and security improvement roadmaps. Testing frequency increases for high-risk or recently changed environments (e.g., post-major release, post-acquisition). Red team or assumed-breach exercises are conducted periodically. Targets: 100% of critical and high findings remediated within SLA; all remediations retested; zero critical findings open beyond 30 days.
Evidencepenetration test reports covering all scope areas, retesting confirmation for critical/high findings, risk register updates referencing test findings, red team exercise reports (where conducted), and annual programme review sign-off.