The CIS 18 Critical Security Controls (CIS Controls) provide a prioritised set of actions to defend against cyber attacks, while also helping an organisation to prioritise its cyber security maturity-improvement program of work.
The CIS Critical Security Controls (v8.1) are a set of 18 cyber security controls, each of which contains between 5 and 14 safeguards or defensive actions. The safeguards are categorised into one of three Implementation Groups (IGs), which are intended to allow an organisation to prioritise its cyber security maturity-improvement program of work.
DotSec performs independent CIS 18 maturity assessments across all three Implementation Groups. Our assessments identify how well your organisation meets the CIS safeguards, which risks remain, and which improvements will deliver the most meaningful reduction in risk.
CIS 18 Implementation Group summary. Copyright © Centre for Internet Security.
DotSec uses the CIS Controls v8 framework to assess your organisation against the three Implementation Groups (IGs).
Evaluation against the CIS Controls establishes a clear baseline for stakeholders. Your organization will benefit from an authoritative and evidence-based view of your security posture, supporting planning, budgeting, and compliance decisions.
Sure, that’s an option. Several automated tools scan for CIS compliance, primarily focusing on technical configuration settings (CIS Benchmarks) that map to the CIS 18 Controls. In fact, here are some of the most common tools:
dotSec will often use a scanning tool as part of an assessment, and while these tools are excellent for checking settings (e.g. “Is password complexity enforced?” or “Is RDP disabled?”), they cannot assess the majority of the CIS 18 requirements, because many of those requirements are procedural or human-based rather than technical.
In summary, when an assessor doesn’t understand the maturity model and just coughs up the results of a scan, they’re likely to miss quite a few things:
In short: a scanning tool might give you a “passing” grade on technical settings, but your organisation may remain vulnerable due to missing processes, untrained staff, or lack of oversight. And yes, these are the very gaps that only an expert-led assessment (like one of DotSec’s!) can catch.
Baseline Maturity Assessment (Levels Zero to Three)
dotSec begins by understanding your organisation’s security goals, in particular your current risk identification, prioritisation and management plans, and the Implementation Group (IG) you want to reach.
Not all organisations identify, prioritise and manage risk in the same way, and in principle it is just as valid for an organisation to aspire to IG1 as to IG3; it is a matter for the business to decide.
Once the desired IG has been confirmed, dotSec establishes the baseline from which improvements will be undertaken. Baseline establishment involves one or more evidence reviews, interviews, configuration sampling and technical analysis across selected systems, cloud services and user devices.
Your baseline report provides a clear, factual and defensible view of current maturity that can be shared with IT, leadership and external stakeholders.
Control Effectiveness Verification
Once the baseline is established, dotSec verifies how effectively the in-scope controls operate day to day. This includes reviewing configuration consistency, analysing operational processes, checking evidence of repeatability, and validating that the implemented controls genuinely meet the intent of the CIS 18 Safeguards associated with the target IG established in the preceding “Baseline” step.
This step highlights the difference between “controls exist on paper” and “controls operate as designed”. It also identifies systemic issues such as configuration drift, dependency on manual workarounds, or gaps that automated scanning tools simply cannot detect.
Your verification report provides practical insights into which controls deliver real protection and which require redesign or improvement to reach higher maturity levels.
Targeted Uplift Roadmap and Implementation Support
DotSec delivers a prioritised and actionable improvement roadmap that aligns with the CIS Controls, your operational constraints, and your risk profile. Recommendations are structured to support rapid uplift where it has the greatest effect, and strategic changes where deeper improvements are required.
The roadmap outlines the steps needed to progress from your current state to your desired Implementation Group (IG1, IG2, or IG3). This can include improved inventory management, data protection strategies, audit log maintenance, and malware defenses.
DotSec can continue to assist by validating uplift progress, advising on control redesign, and supporting ongoing improvement toward sustained CIS maturity.
DotSec delivers CIS 18 assessment and uplift services that are practical and evidence-driven. We stand out for several reasons:
Answer: The first step is to understand your organisation’s requirements and its Implementation Group (maturity level) aspirations. There is no need to aspire to IG3 for its own sake; the decision as to which IG your organisation aspires to will be influenced by its current maturity level, the way in which your organisation identifies, prioritises and manages risk, and constraints including available expertise, time and budget. If we begin the maturity-improvement journey with this requirements-based and risk-driven approach, you can be vastly more confident of a timely and cost-effective outcome. We then evaluate your environment against the ASD Essential Eight maturity model. This initial evaluation shows how closely your controls map to the expected behaviours and outcomes at each maturity level, from Zero to Three. Once that’s done, you have a line in the sand, and you are better positioned to prioritise your uplift journey.
Reference: The 18 CIS Critical Security Controls
Answer: The next step is to establish a baseline of your organisation’s level of cyber security maturity, by evaluating your organisation’s in-scope environment against the relevant IG controls. This baseline evaluation shows how closely your controls map to the expected behaviours and outcomes at the desired maturity level (IG), from Zero to Three. If your organisation has not done this before, then it’s likely we’ll start with the “essential cyber hygiene” controls: the 56 basic safeguards that are intended to thwart common attacks, and that comprise IG1. Whatever the case, once the baseline is done, you have a line in the sand, and you are better positioned to prioritise your uplift journey.
Reference: More about Implementation Groups
Answer: While the Essential Eight focuses on 8 specific mitigation strategies prioritised by the Australian Government, the CIS Controls cover a broader spectrum of 18 domains (including physical security, data protection, and service provider management). The CIS Controls are a “whole-of-security” framework, whereas the Essential Eight is a targeted anti-malware and system-hardening standard, focused heavily on a Microsoft Windows on-prem environment.
Reference: CIS mapping of the CIS 18 to the ACSC Essential Eight
Answer: Formalising your organisation’s approach to security maturity brings many benefits, including:
First up, evaluation of your organisation’s maturity level will help to identify and prioritise practical improvement opportunities. Our assessors highlight areas where the implementation of a mitigation strategy does not meet the intended maturity outcomes. Recommendations are tailored to uplift your posture in a way that makes operational and business sense.
Secondly, a formal exercise allows your organisation to prioritise cyber-risk reduction. The CIS 18 is designed to reduce risk across the entire organisation, with reference to each of the three Implementation Groups. dotSec highlights the improvements that will reduce risk quickly and effectively while preparing you for higher maturity levels.
And lastly, evaluation against the CIS 18 establishes a clear baseline for stakeholders and, if needed, provides you with a reference point for subsequent maturity improvements. This supports planning, budgeting and decision-making at all levels.
Reference: “Hey nice business… be a shame if something happened to it”
The CIS 18 Critical Security Controls (v8.1) are a set of 18 cyber security controls, each of which contains between 5 and 14 safeguards or defensive actions.
dotSec can help your organisation to understand the CIS controls and safeguards, and to map out a time- and cost-effective path that uses the Implementation Groups (IGs) to prioritise your cyber security maturity-improvement program of work.
Contact us to schedule a discovery discussion and begin your CIS 18 uplift.