The CIS Controls are the most practical 'do this' security baseline there is: 18 controls, 153 safeguards, tiered into Implementation Groups so a small business starts with the essentials. We assess where you actually sit, score you against your target group, and hand back a roadmap keyed to risk - not a 153-line checklist you'll never action.
Ready to scope CIS Gap Analysis for your business?
Every inclusion below is documented, delivered, and renewable under our standard agreement. No surprise scope. No silent exclusions.
We assess your environment against every CIS Control v8.1 - asset and software inventory, data protection, access control, logging, recovery, service-provider management, awareness training, incident response - down to the safeguard.
Scored against your target Implementation Group - IG1 'essential cyber hygiene' (56 safeguards) for most SMBs, IG2 (74) where data sensitivity or contracts demand it.
We review live configuration, not just ask you questions. Where it helps we use CIS CSAT for the controls assessment and CIS-CAT against the CIS Benchmarks for the technical config layer - you get both.
Your CIS posture mapped across to NIST CSF 2.0 and ISO 27001 controls, so one assessment answers several compliance questions at once.
The gaps ranked by risk and Implementation Group, with the 20% of work that delivers most of the uplift flagged. You keep the report and the raw data.
Knowing where a service stops matters as much as knowing what it covers. Here’s what sits outside this engagement - so there are no awkward surprises later.
The gap analysis tells you where you stand and what to fix. Closing the gaps is a separate engagement - usually the Compliance Foundation Programme - so you're free to action it yourself or with us.
CIS doesn't issue a pass/fail certificate, and we won't imply one. You get an honest score against your target Implementation Group, amber findings included.
We map your CIS posture to those frameworks, but the formal ISO or SOC audit and certificate come from an accredited certification body, which we'll scope and partner on rather than overclaim.
Every engagement runs the same four steps. You always know which one we’re in and what comes next.
We map your current state and agree exactly what's in and out, in writing, before any work or invoice. No surprise scope, no silent exclusions.
A documented plan with milestones, owners, and success criteria you can hold us to - so you know what good looks like before we start.
We do the work with change control and your sign-off at each gate. You see progress against the plan, not a black box.
Ongoing management, published performance, and a quarterly review that keeps the work honest and the roadmap current.
Auditors and insurers increasingly want both CIS Controls v8 and the Essential Eight. They overlap, but they aren't the same shape. Here's the control-by-control mapping we use - and the four CIS controls the Essential Eight quietly leaves you exposed on.
Read articleSecurity · 9 min readEvery MDR vendor's site says the same things. Here's how to actually tell them apart: the difference between an alert and a response, who's watching at 2am, and the questions that separate real 24/7 detection from a dashboard you'll never open.
Read articleRoadmap, remediation, and ongoing attestation against the CIS Critical Security Controls and the Australian Essential Eight. Frameworks that actually get implemented, not just referenced.
Learn moreVulnerability scans, Microsoft 365 audits, security posture reviews, and dark web exposure checks. Know where you stand before an attacker does - with a remediation plan you can actually act on.
Learn moreYour maturity against all eight ACSC mitigation strategies, scored to your target level, with a roadmap to close the gaps. The Australian baseline that primes, contracts, and cyber insurers increasingly ask you to prove.
Learn moreTell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.
