Compliance
CIS Critical Security Controls
A prioritised set of defensive actions that provide a practical, actionable framework for improving organisational cyber defence.
What is really being asked of the business
What this requirement is trying to protect in the real world
A good compliance programme starts by understanding the business purpose behind the requirement rather than treating it like a checklist.
The CIS Critical Security Controls (CIS Controls) are a prioritised set of cybersecurity best practices developed by the Center for Internet Security (CIS). Now in version 8, the Controls provide a practical, consensus-driven framework that organisations of any size can use to defend against the most common and damaging cyber attacks. Unlike compliance-oriented frameworks, the CIS Controls are action-oriented — they tell you what to do, in what order, to achieve the greatest risk reduction with the least effort.
The framework comprises 18 Controls, each broken down into specific Safeguards (153 in v8). It is the Safeguards, not whole Controls, that are assigned to three cumulative Implementation Groups (IGs) based on an organisation's risk profile and available resources. IG1 (56 Safeguards) defines essential cyber hygiene, the minimum standard every organisation should meet. IG2 (130 Safeguards, including all of IG1) adds Safeguards for organisations with moderate complexity and greater resources, and IG3 (all 153 Safeguards) addresses advanced threats relevant to organisations handling sensitive data or operating in high-risk environments. This tiered approach makes the CIS Controls particularly well-suited to New Zealand businesses, which can start with IG1 and progressively strengthen their security position over time.
For New Zealand organisations, the CIS Controls provide an excellent companion to frameworks like NZISM and ISO 27001. Many cyber insurance underwriters reference the CIS Controls when assessing an organisation's security position, and the framework's practical, implementation-focused approach helps bridge the gap between policy and action. Good Security maps CIS Controls to your existing compliance obligations, so that every control you implement counts across multiple frameworks.
Why It Matters
Why business owners, customers, and boards pay attention to it.
The CIS Controls are widely regarded as one of the most effective frameworks for reducing cyber risk in practice. They are developed by a global community of security practitioners and updated regularly to reflect the current threat landscape. For New Zealand businesses, the CIS Controls offer a pragmatic starting point — particularly Implementation Group 1, which focuses on the foundational controls that defend against the vast majority of common attacks.
Cyber insurance providers increasingly reference the CIS Controls when assessing policy applications. Organisations that can demonstrate alignment with IG1 or IG2 typically receive more favourable terms and faster underwriting decisions. The framework's clear, measurable controls make it straightforward to demonstrate your security position to insurers, auditors, and business partners.
The CIS Controls also serve as an excellent bridge between technical implementation and executive communication. Each control maps to specific, measurable outcomes that can be tracked and reported to leadership. This makes it easier to demonstrate security programme progress, justify investment decisions, and maintain board-level visibility into your organisation's cyber risk position.
Key Requirements
The obligations most businesses need translated into operating reality.
This is where the framework turns into documented controls, ownership, evidence, and review cycles.
Control 1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track and correct) all enterprise assets connected to the infrastructure, whether physical, virtual, remote or cloud-hosted, so that only authorised assets are given access, and unauthorised and unmanaged assets are found and removed or remediated.
Control 2: Inventory and Control of Software Assets
Actively manage all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data in accordance with business requirements and applicable regulations.
Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets and software. Apply secure baseline configurations and manage changes to prevent attackers from exploiting vulnerable services and settings.
Control 5: Account Management
Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets, remediate them, and minimise the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
How Good Security Helps
Where businesses usually need practical support.
This is about building the policies, registers, evidence, and governance needed to stand up to scrutiny.
Security Baseline Assessment
Our baseline assessment evaluates your current security position against the CIS Controls, scoring each control and identifying gaps across the relevant Implementation Group. This gives you a clear, prioritised view of where you stand and where to focus first.
Multi-Standard Compliance Mapping
We map CIS Controls to your other compliance obligations — ISO 27001, NZISM, Privacy Act, and customer-specific requirements — so that every control implementation counts across multiple frameworks, eliminating duplicate effort.
Audit Readiness Score & Evidence Compiler
We continuously track your alignment to the CIS Controls, providing scored assessments that support cyber insurance applications, customer due diligence responses, and executive reporting on security programme maturity.
Information Asset Register
CIS Controls 1 and 2 require complete asset and software inventories. Our information asset register service builds and maintains these inventories as the foundation for your CIS Controls implementation.
Third-Party / Vendor Risk Register
Our vendor risk register tracks third-party security positions and maps them to your CIS Controls requirements (in particular Control 15, Service Provider Management), supporting supply chain risk management and giving you evidence that your vendors meet your security expectations.
Further Reading
Related guidance for teams that need the detail.
These articles go deeper into the surrounding decisions, timelines, and implementation issues.
FAQ
Common commercial questions.
What are the CIS Controls Implementation Groups?
Implementation Groups (IGs) provide a tiered approach to the CIS Controls. IG1 defines essential cyber hygiene — the minimum controls every organisation should implement regardless of size. IG2 builds on IG1 for organisations managing moderate risk and complexity. IG3 encompasses all controls for organisations handling sensitive data or facing sophisticated threats. Good Security helps you determine the right IG for your organisation and builds a roadmap to achieve it.
How do CIS Controls relate to ISO 27001?
The CIS Controls and ISO 27001 are complementary frameworks. ISO 27001 provides a management system framework for information security governance, while the CIS Controls provide specific, actionable technical and operational controls. There is significant overlap: CIS publishes an official mapping of the v8 Safeguards to ISO/IEC 27001:2022, and the large majority of Safeguards correspond to one or more Annex A controls. Good Security's cross-framework mapping means that implementing one framework accelerates progress toward the other.
Do cyber insurers care about CIS Controls?
Yes. Many cyber insurance underwriters reference the CIS Controls — particularly IG1 — when assessing an organisation's security position during policy applications and renewals. Demonstrating alignment with the CIS Controls typically supports more favourable terms, faster underwriting, and smoother claims processes. Good Security's cyber insurance readiness service includes CIS Controls alignment as a core component.
Where should a business start with CIS Controls?
Start with Implementation Group 1. IG1 consists of the most fundamental controls that defend against the most common attacks — including asset inventory, secure configuration, access management, vulnerability management, and audit logging. These controls provide the greatest risk reduction for the least effort and form the foundation for all subsequent security improvements. Good Security's structured approach helps you implement IG1 efficiently and build momentum toward IG2.
Most businesses managing CIS Critical Security Controls v8 obligations start with Assurance.
If you are weighing up fit, scope, or urgency, start with the scorecard for a fast benchmark and book a consultation when you need a practical next-step plan.