CIS Controls: Where Most Organizations Fall Short
Learn how CIS Controls v8 gap assessments help organizations evaluate and systematically improve their cybersecurity posture through Implementation Groups.
Organizations seeking to improve their cybersecurity posture need a structured approach. Not random tool purchases or reactive incident response. The CIS Critical Security Controls version 8 provides exactly that structure, and gap assessments against this framework deliver actionable roadmaps for systematic improvement.
Why CIS Controls v8?
The CIS Controls stand out among security frameworks for several key advantages:
1. Flexibility Through Implementation Groups
The framework scales with organizational size and complexity through three Implementation Groups:
- IG1: Essential cyber hygiene for all organizations
- IG2: Enhanced controls for organizations with greater complexity
- IG3: Advanced controls for sensitive data management
This progression allows organizations to start where appropriate and advance systematically.
2. Prioritization Based on Impact
Controls are ordered by defensive value, helping organizations focus limited resources on highest-impact improvements first. This prioritization reflects real-world attack patterns and defensive effectiveness.
3. Industry Benchmarking Capabilities
The widespread adoption of CIS Controls enables meaningful comparison against industry peers. Benchmarking helps organizations understand where they stand relative to similar organizations.
4. Continuous Improvement Framework
The CIS Controls are built to be rerun, not filed away once. Reassessing on a cadence lets you:
- Progress tracking over time
- Adaptation to evolving threats
- Measurable maturity advancement
- Ongoing program refinement
5. Technical Specificity
Unlike high-level frameworks, CIS Controls provide actionable, concrete guidance. Recommendations include specific technical implementations, not just policy statements.
Where Most Organizations Fall Short
Here is the uncomfortable part. Most organizations that run a CIS assessment are not failing the advanced controls. They are missing IG1, the basic hygiene every organization is supposed to have.
The same handful of IG1 gaps show up again and again. No complete inventory of hardware and software, so unmanaged devices and shadow IT go unprotected (Controls 1 and 2). Accounts that outlive the people who owned them, and admin rights handed out far too widely (Controls 5 and 6). Logging that is either off or never reviewed, so an intrusion goes unnoticed (Control 8). Backups that exist on paper but have never been tested with a real restore (Control 11). Security awareness training that is a once-a-year video nobody remembers (Control 14).
None of this is advanced. It is the unglamorous foundation, and it is exactly what attackers exploit. The value of measuring against CIS is that it forces these basics into the open and orders them by how much they actually reduce risk.
A Common Mistake: Buying Tools Before Knowing the Gaps
We see the same pattern often. An organization feels behind, so it buys tools: an EDR here, a SIEM there, a new firewall. Six months later the spend is real and the posture is barely better, because the tools were bought to feel safer, not to close a known gap.
The CIS Controls invert that order. You find out which safeguards actually reduce your risk, in priority order, and only then decide what to build or buy. Sometimes the highest-impact fix is not a purchase at all: disabling unused accounts, tightening admin rights, or turning on logging you already pay for.
Implementation Groups Explained
IG1: Essential Cyber Hygiene
IG1 represents the fundamental controls every organization should implement, forming the minimum viable security program. These controls address the most common attack vectors with basic protective measures.
Organizations at IG1 have limited security expertise and resources but need protection against opportunistic attacks.
IG2: Enhanced Security Posture
IG2 builds on IG1 for organizations with:
- Greater IT complexity
- Dedicated security or IT staff
- Sensitive data handling requirements
- Regulatory compliance needs
These additional controls address more sophisticated threats while remaining practical for mid-sized organizations.
IG3: Advanced Security
IG3 provides advanced controls for organizations managing:
- Critical infrastructure
- Highly sensitive data
- Significant cyber risk exposure
- Advanced persistent threats
Few organizations require full IG3 implementation, but those that do need systematic coverage across all control areas.
Breach Craft’s Assessment Approach
Our CIS gap assessment follows a structured five-step methodology:
Step 1: Baseline Evaluation
We document current security practices, policies, and technical implementations before assessing against the framework. Understanding where you are precedes determining where you need to go.
Step 2: Implementation Group Selection
Based on organizational size, complexity, data sensitivity, and regulatory requirements, we recommend the appropriate Implementation Group as your target maturity level.
Step 3: Detailed Control Evaluation
Each applicable control receives detailed assessment:
- Current implementation status
- Evidence of control effectiveness
- Gap identification and documentation
- Risk implications of gaps
Step 4: Realistic Recommendations
Gap remediation recommendations account for:
- Resource constraints and budget limitations
- Operational requirements and business priorities
- Technical debt and existing infrastructure
- Organizational change capacity
Step 5: Roadmap Creation
The final deliverable includes a phased implementation roadmap prioritizing:
- Highest-risk gaps first
- Quick wins for momentum
- Logical implementation sequences
- Realistic timeline expectations
Beyond the Assessment
A gap assessment is a starting point, not a destination. Because the CIS Controls are scored, you can rerun the assessment later and watch the maturity numbers move, which turns “are we more secure than last year?” from a gut feeling into a measurement. The framework stays current too: the CIS community revises it as attacker behavior shifts, so the bar you measure against does not go stale. And the findings rarely live alone. They feed straight into penetration testing, vulnerability management, and incident response planning, so the assessment becomes the spine of the wider program instead of a one-off report.
Ongoing Support
For organizations needing continuous guidance, Virtual CISO services support implementation, monitoring, and ongoing program maturation. The gap assessment provides the roadmap; vCISO services help you drive it.
Ready to understand your security posture? Contact Breach Craft for a CIS Controls gap assessment tailored to your organization.