Assessing Risk and Security Posture with CIS Controls Tools

By Sean Atkinson, Chief Information Security Officer, and Phil Langlois, CIS Controls Technical Product Manager

The CIS Controls are used by organizations around the world to defend against common cyber threats. By measuring the implementation of the CIS Controls, you can better understand your organization’s security posture.

CIS recently introduced the CIS Controls Self-Assessment Tool (CIS CSAT). This tool enables users to perform a CIS Control V7 self-assessment and record the output within the tool. CIS CSAT helps organizations track their implementation of the CIS Controls cybersecurity best practices. When combined with CIS Risk Assessment Method (CIS RAM), these free resources can seriously help your organization improve its cyber defenses and prepare for security audits.

Measuring security posture

When compared to manually monitoring and tracking CIS Controls implementation, CIS CSAT provides the following advantages:

  • Continuously assess: No more “one-and-done” programs that don’t monitor security over time. CIS CSAT introduces continuous assessment and improvement. Watch your score change as your security control program matures.
  • Incorporate the feedback of others: There are 20 CIS Controls and 171 Sub-Controls, so implementing these best practices often involves multiple people within an organization. CIS CSAT allows you to collect and share implementation details from multiple stakeholders across departments. Owners can assign and manage the questions as needed across the organization, with the utility of getting buy-in from multiple stakeholders and creating a complete, comprehensive security report.
  • Rely on tried-and-true scoring methods: CIS CSAT utilizes the same scoring criteria as the popular AuditScripts Critical Security Manual Assessment Tool, a popular spreadsheet for tracking CIS Controls implementation.
  • Conveniently export reports: CIS CSAT reports demonstrate your organization’s adherence to the CIS Controls over time and can be exported in PowerPoint, Excel, and PDF. Watch your conformance improve as you implement more of the CIS Controls and Sub-Controls.
  • Align with other security frameworks:Cross-mappingg is included in CIS CSAT for NIST 800-53 and PCI-DSS V3.
  • Compare to others: The tool allows anonymous comparison of your results to industry averages of peer organizations. See how you stack up!

As the next evolution in CIS Controls assessment technology, CIS CSAT helps provide insight across businesses and industries. Access the tool for free today: Access CIS CSAT

Understanding the risks

In combination with CIS CSAT, CIS RAM (Risk Assessment Method) helps organizations account for risk when implementing the CIS Controls. CIS RAM can utilize assessments from CIS CSAT to monitor risks.  Consider implementing CIS CSAT and CIS RAM in a two-phased approach by using the reports to:

  1. Help your organization prioritize your implementation of specific CIS Controls.
  2. Understand and document if your current implementation is reasonable given your risk.

As you answer the questions associated with CIS CSAT, you will find that, for a myriad of reasons, some Sub-Controls may be not appropriate for you to implement. What you can do is use CIS RAM to determine the balance between the risks posed by not implementing the CIS Control and the associated burden of implementing said Control. If you find that implementing a specific CIS Control or Sub-Control would have a higher impact to your organization’s mission, objectives, and obligations than the risk it is seeking to mitigate, you may want to identify that CIS Control as “not-applicable.”

Download CIS RAM

The path ahead

Here’s a five-step process to bolster your organization’s security with CIS CSAT and CIS RAM:


As your organization continues to grow and evolve, you may want to review any “not-applicable” CIS Controls to ensure that conditions haven’t changed that would impact the risk. We look forward to learning how organizations can leverage CIS RAM and CIS CSAT to measure and improve their cybersecurity posture.