IG1-IG3 control validation across all 18 CIS Controls. Prioritized findings delivered in 2 weeks.
IG1–IG3 Coverage
18 Control Families Mapped
Sub-Control Validation
Prioritized Remediation
Validate your implementation across all 18 CIS Controls. Findings mapped to your Implementation Group.
The CIS Critical Security Controls (formerly the SANS Top 20) are a prioritized set of 18 cybersecurity actions developed by the Center for Internet Security. Unlike compliance frameworks that define what to protect, CIS Controls prescribe how to protect it — with specific, actionable safeguards organized into three Implementation Groups (IGs) based on organizational risk profile and resources.
IG1 covers essential cyber hygiene for every organization. IG2 adds controls for organizations handling sensitive data or facing more complex threats. IG3 targets organizations managing critical infrastructure or high-value data that face advanced adversaries. Penetration testing is explicitly called out in CIS Control 18 and validates whether your implemented safeguards actually hold up against real-world attack techniques.
Findings mapped to specific CIS Controls and Sub-Controls. Clear remediation guidance, prioritized by risk.
Inventory, software management, data protection, secure config, account management, and access control for IG1.
Email/web security, malware defense, data recovery, network infra, and monitoring for IG2 orgs.
Security awareness, service provider management, app security, and incident response for mature IG3 programs.
Full pentest and red team exercises per CIS Control 18. Validates overall program effectiveness against real attacks.
Most MSPs managing client environments should target IG2 at minimum. IG2 adds controls around configuration management, access control, and network monitoring that are essential when you hold administrative access to client infrastructure. If you handle regulated data like healthcare or financial records, IG3 controls around penetration testing and incident response become relevant.
CIS Control 18 (Penetration Testing) explicitly requires organizations to test the strength of their defenses through simulated attacks. Sub-controls cover establishing a pentest program, performing periodic external and internal tests, and remediating findings. Our assessments are structured to directly satisfy Control 18 requirements while validating safeguards across all other applicable controls.
Yes — CIS provides official mappings to NIST CSF, NIST 800-53, ISO 27001, PCI DSS, and HIPAA. If you're working toward multiple compliance objectives, a CIS Controls assessment gives you a practical baseline that translates across frameworks. Our reports include cross-framework mapping so you can leverage findings for multiple audits.
You receive a full report mapping every finding to the specific CIS Control and sub-control it affects, scored by Implementation Group tier. It includes an executive summary, detailed technical findings with CVSS scores, remediation guidance prioritized by risk and IG level, and a cross-framework mapping table. Retest validation is included after remediation.