CIS Critical Security Controls v8
Everyone has a list. Almost no one has the order
Useful when the business needs a fix-first order and a cleaner answer to 'what should we tighten next?' rather than another abstract security debate.
This page helps when
- The board wants to know what gets tightened first and what can wait
- An insurer, customer, or board member wants a clearer answer than 'we're working on it'
- You need visible control progress without building an enterprise security function first
Best next move
Start with Baseline.
Use the scorecard for a fast benchmark, then move into a working session when this requirement is already affecting customers, insurers, procurement, or internal accountability.
Where This Starts To Hurt
The buyer moment that makes this rule urgent
Usually lands when an insurer, buyer, or cyber-readiness checklist asks for evidence against the CIS v8 Implementation Group 1 baseline
CIS Controls become useful when the business knows it needs to improve but does not want another vague answer. A customer, insurer, or board member asks what is actually being fixed first. Owners and directors want to know what matters now versus later. The Controls help because they were designed to turn that uncertainty into an ordered list of work.
That makes them especially helpful for organisations with limited bandwidth. Instead of trying to do everything at once, the Controls break the work into implementation groups. IG1 covers the essential foundations, IG2 adds depth for more complex organisations, and IG3 is aimed at environments facing heavier risk or handling more sensitive information.
For New Zealand businesses, they often become the bridge between policy talk and practical action. They help answer which gaps matter first, what can wait, and how to show visible improvement to insurers, customers, or leadership without pretending the business needs an enterprise-scale security function on day one.
What Starts Breaking
What stalls: deals, audits, or insurer renewals
CIS Controls matter because they stop the business flailing. If leadership knows security needs attention but does not know where to start, the Controls give a priority list concrete enough to act on instead of another broad statement about risk.
They also line up well with outside scrutiny. Cyber insurers frequently reference CIS-aligned controls. Buyers and auditors like them because progress can be shown through named control areas rather than vague claims about being secure. Owners and directors like them because the sequencing is easier to defend: what is essential now, what can wait, and what each next step actually reduces.
For smaller or mid-sized organisations, that practicality matters. CIS Controls help create visible momentum without turning the work into a giant transformation project before the basics are even under control.
What You Will Need To Prove
The first controls, owners, and evidence to put in place
IG1 is the affordable starting point — asset inventory, MFA, data protection, and audit logging usually carry the first insurer question
See the main requirements
Inventory and Control of Enterprise Assets
Actively manage all enterprise assets connected to the network so that only authorised assets are given access, and unauthorised and unmanaged assets are found and prevented from gaining access.
Inventory and Control of Software Assets
Actively manage all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data in accordance with business requirements and applicable regulations.
Secure Configuration of Assets and Software
Establish and maintain the secure configuration of enterprise assets and software. Apply secure baseline configurations and manage changes to prevent attackers from exploiting vulnerable services and settings.
Account Management
Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets, in order to fix vulnerabilities and minimise the window of opportunity for attackers.
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
How We Help You Answer It
When the business usually calls us
We usually get called when the IG1 baseline is needed for an insurance renewal or a prime-contractor pre-qualification in the next 90 days
Stop Guessing When A Buyer Asks How Secure You Are
Our baseline assessment evaluates your current security position against the CIS Controls, scoring each control and identifying gaps across the relevant Implementation Group. This gives you a clear, prioritised view of where you stand and where to focus first.
Stop Rebuilding The Same Evidence For Every Standard
We map CIS Controls to your other compliance obligations — ISO 27001, NZISM, Privacy Act, and customer-specific requirements — so that every control implementation counts across multiple frameworks, eliminating duplicate effort.
See what an auditor will ask for before they ask
We continuously track your alignment to the CIS Controls, providing scored assessments that support cyber insurance applications, customer due diligence responses, and executive reporting on control coverage and priority gaps.
See What Information Runs The Business
CIS Controls 1 and 2 require complete asset and software inventories. Our information asset register service builds and maintains these inventories as the foundation for your CIS Controls implementation.
Track The Suppliers That Could Expose The Business
Our vendor risk register tracks third-party security positions and maps them to your CIS Controls requirements, supporting supply chain risk management and helping ensure your vendors meet your security expectations.
Make Awareness Change What Staff Actually Do
CIS Control 14 requires a security awareness and skills training programme that actually changes staff behaviour. We build the plan around the business's real attack surface — phishing patterns, accounts payable fraud, admin-privilege misuse — rather than a generic annual video.
If You Need The Detail
Related reading for the implementation detail
Related reading on mapping CIS v8 to NZISM and ISO 27001 so one baseline answers multiple buyer questions
5 things your cyber insurer will ask you
Cyber insurance applications are getting harder. Here are the five questions every NZ insurer asks and how to prepare.
Three controls that get cyber insurance declined
MFA, backup testing, and incident response plans — the three controls NZ insurers check first. Here is what they expect and where businesses fail.
Questions Before A Decision
The questions that come up before the contract
What are the CIS Controls Implementation Groups?
Implementation Groups (IGs) provide a tiered approach to the CIS Controls. IG1 defines essential cyber hygiene — the minimum controls every organisation should implement regardless of size. IG2 builds on IG1 for organisations managing more risk and operational complexity. IG3 encompasses all controls for organisations handling sensitive data or facing sophisticated threats. Good Security helps you determine the right IG for your organisation and build a roadmap to reach it without overcommitting too early.
How do CIS Controls relate to ISO 27001?
The CIS Controls and ISO 27001 are complementary frameworks. ISO 27001 provides a management system framework for information security governance, while the CIS Controls provide specific, actionable technical and operational controls. There is significant overlap — roughly 80% of CIS Controls map to ISO 27001 Annex A controls. Good Security's cross-framework mapping means that implementing one framework accelerates progress toward the other.
Do cyber insurers care about CIS Controls?
Yes. Many cyber insurance underwriters reference the CIS Controls — particularly IG1 — when assessing an organisation's security position during policy applications and renewals. Demonstrating alignment with the CIS Controls typically supports more favourable terms, faster underwriting, and smoother claims processes. Good Security's cyber insurance readiness service includes CIS Controls alignment as a core component.
Where should a business start with CIS Controls?
Start with Implementation Group 1. IG1 consists of the most fundamental controls that defend against the most common attacks — including asset inventory, secure configuration, access management, vulnerability management, and audit logging. These controls provide the greatest risk reduction for the least effort and form the foundation for all subsequent security improvements. Good Security helps you implement IG1 efficiently and build momentum toward IG2.
Need a clearer answer on CIS Critical Security Controls?
A working session scopes the IG1 baseline, identifies the Safeguards that can be closed within 6 to 8 weeks, and leaves the business with one evidence pack it can reuse.