CIS Launches New Free Self-Assessment Tool for the CIS Controls

Free Web Application Tracks and Prioritizes Implementation

East Greenbush, N.Y.

January 29, 2019

CIS® (Center for Internet Security, Inc.) today announced the launch of the CIS Controls™ Self-Assessment Tool, or CIS CSAT, to enable security leaders to track and prioritize their implementation of the CIS Controls.

“CIS CSAT helps organizations regardless of size or resources, improve their security posture. With multiple reporting formats, collaboration functionality, and cross-mappings, it’s a powerful place to start understanding and implementing the CIS Controls”, said Tony Sager, CIS Senior Vice President and Chief Evangelist. “Cybersecurity is a team sport. This tool will help others join us on our quest to make their enterprise, and the connected world, a safer place,” he added.

How It Works

Once launched, the first person to register from your organization in CIS CSAT will be designated the “Owner.” Owners can then add additional team members to the platform, so you can work on an implementation of the CIS Controls together. Owners using CIS CSAT can also:

  • Delegate questions to other team members
  • Set deadlines for each CIS Control and Sub-Control
  • Collect documentation related to your findings
  • Capture team discussion about each assessment question

The CIS CSAT platform is based on the generous contribution of intellectual property that was donated to CIS by Chirag Arora, an established cybersecurity professional and CIS Controls supporter in August 2018 ( The CIS CSAT platform is now maintained by CIS.

CIS CSAT’s questions are based off the popular AuditScripts Critical Security Manual Assessment Tool ( Microsoft Excel document.

The CIS Controls are a community-built set of prioritized cybersecurity guidance. They have been growing in popularity over the past 10 years. They have been downloaded more than 150,000 times to date. Thousands of cybersecurity experts around the globe use and help develop them.

CIS CSAT Data Can Be Shared Easily

Data is most useful if you can access it – which is why CIS made it easy to share reports from CIS CSAT. Organizations can leverage their results with automatic reporting features, historical tracking, and access to raw data formats. They can also export assessment charts and other results directly into Microsoft PowerPoint, MS Excel, and Adobe PDF.

Assessment results from CIS CSAT can be exported per department or organizational unit, or enterprises can take a more holistic view of the entire organization’s security. With cross-mappings to additional security frameworks like National Institute of Standards and Technology (NIST) SP800-53 ( and PCI DSS (, you can also track your alignment between other best practices and the CIS Controls. In addition, you can anonymously compare your enterprises’ results to the averages of your industry or other peer group to help drive the direction of your security program.

Getting Started

If you have not downloaded the CIS Controls yet, start here:

Access CIS CSAT:

If you would like to see other features, alert our CIS Controls team at

About CIS

CIS (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Controls and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. Our CIS Hardened Images™ are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud. CIS is home to both the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center™ (EI-ISAC®), which supports the cybersecurity needs of U.S. State, Local and Territorial elections offices. To learn more, visit or follow us on Twitter: @CISecurity.