Skip to main content
Definitions Series
5 min read

CIS Controls: Where Most Organizations Fall Short

Learn how CIS Controls v8 gap assessments help organizations evaluate and systematically improve their cybersecurity posture through Implementation Groups.

CIS Controls: Where Most Organizations Fall Short

Organizations seeking to improve their cybersecurity posture need a structured approach. Not random tool purchases or reactive incident response. The CIS Critical Security Controls version 8 provides exactly that structure, and gap assessments against this framework deliver actionable roadmaps for systematic improvement.

Why CIS Controls v8?

The CIS Controls stand out among security frameworks for several key advantages:

1. Flexibility Through Implementation Groups

The framework scales with organizational size and complexity through three Implementation Groups:

  • IG1: Essential cyber hygiene for all organizations
  • IG2: Enhanced controls for organizations with greater complexity
  • IG3: Advanced controls for sensitive data management

This progression allows organizations to start where appropriate and advance systematically.

2. Prioritization Based on Impact

Controls are ordered by defensive value, helping organizations focus limited resources on highest-impact improvements first. This prioritization reflects real-world attack patterns and defensive effectiveness.

3. Industry Benchmarking Capabilities

The widespread adoption of CIS Controls enables meaningful comparison against industry peers. Benchmarking helps organizations understand where they stand relative to similar organizations.

4. Continuous Improvement Framework

The CIS Controls are built to be rerun, not filed away once. Reassessing on a cadence lets you:

  • Progress tracking over time
  • Adaptation to evolving threats
  • Measurable maturity advancement
  • Ongoing program refinement

5. Technical Specificity

Unlike high-level frameworks, CIS Controls provide actionable, concrete guidance. Recommendations include specific technical implementations, not just policy statements.

Where Most Organizations Fall Short

Here is the uncomfortable part. Most organizations that run a CIS assessment are not failing the advanced controls. They are missing IG1, the basic hygiene every organization is supposed to have.

The same handful of IG1 gaps show up again and again. No complete inventory of hardware and software, so unmanaged devices and shadow IT go unprotected (Controls 1 and 2). Accounts that outlive the people who owned them, and admin rights handed out far too widely (Controls 5 and 6). Logging that is either off or never reviewed, so an intrusion goes unnoticed (Control 8). Backups that exist on paper but have never been tested with a real restore (Control 11). Security awareness training that is a once-a-year video nobody remembers (Control 14).

None of this is advanced. It is the unglamorous foundation, and it is exactly what attackers exploit. The value of measuring against CIS is that it forces these basics into the open and orders them by how much they actually reduce risk.

A Common Mistake: Buying Tools Before Knowing the Gaps

We see the same pattern often. An organization feels behind, so it buys tools: an EDR here, a SIEM there, a new firewall. Six months later the spend is real and the posture is barely better, because the tools were bought to feel safer, not to close a known gap.

The CIS Controls invert that order. You find out which safeguards actually reduce your risk, in priority order, and only then decide what to build or buy. Sometimes the highest-impact fix is not a purchase at all: disabling unused accounts, tightening admin rights, or turning on logging you already pay for.

Implementation Groups Explained

IG1: Essential Cyber Hygiene

IG1 represents the fundamental controls every organization should implement, forming the minimum viable security program. These controls address the most common attack vectors with basic protective measures.

Organizations at IG1 have limited security expertise and resources but need protection against opportunistic attacks.

IG2: Enhanced Security Posture

IG2 builds on IG1 for organizations with:

  • Greater IT complexity
  • Dedicated security or IT staff
  • Sensitive data handling requirements
  • Regulatory compliance needs

These additional controls address more sophisticated threats while remaining practical for mid-sized organizations.

IG3: Advanced Security

IG3 provides advanced controls for organizations managing:

  • Critical infrastructure
  • Highly sensitive data
  • Significant cyber risk exposure
  • Advanced persistent threats

Few organizations require full IG3 implementation, but those that do need systematic coverage across all control areas.

Breach Craft’s Assessment Approach

Our CIS gap assessment follows a structured five-step methodology:

Step 1: Baseline Evaluation

We document current security practices, policies, and technical implementations before assessing against the framework. Understanding where you are precedes determining where you need to go.

Step 2: Implementation Group Selection

Based on organizational size, complexity, data sensitivity, and regulatory requirements, we recommend the appropriate Implementation Group as your target maturity level.

Step 3: Detailed Control Evaluation

Each applicable control receives detailed assessment:

  • Current implementation status
  • Evidence of control effectiveness
  • Gap identification and documentation
  • Risk implications of gaps

Step 4: Realistic Recommendations

Gap remediation recommendations account for:

  • Resource constraints and budget limitations
  • Operational requirements and business priorities
  • Technical debt and existing infrastructure
  • Organizational change capacity

Step 5: Roadmap Creation

The final deliverable includes a phased implementation roadmap prioritizing:

  • Highest-risk gaps first
  • Quick wins for momentum
  • Logical implementation sequences
  • Realistic timeline expectations

Beyond the Assessment

A gap assessment is a starting point, not a destination. Because the CIS Controls are scored, you can rerun the assessment later and watch the maturity numbers move, which turns “are we more secure than last year?” from a gut feeling into a measurement. The framework stays current too: the CIS community revises it as attacker behavior shifts, so the bar you measure against does not go stale. And the findings rarely live alone. They feed straight into penetration testing, vulnerability management, and incident response planning, so the assessment becomes the spine of the wider program instead of a one-off report.

Ongoing Support

For organizations needing continuous guidance, Virtual CISO services support implementation, monitoring, and ongoing program maturation. The gap assessment provides the roadmap; vCISO services help you drive it.

Ready to understand your security posture? Contact Breach Craft for a CIS Controls gap assessment tailored to your organization.

Frequently Asked Questions

What is the difference between the CIS Controls and the CIS Benchmarks?

The CIS Controls are 18 prioritized security actions for an organization: what to do. The CIS Benchmarks are detailed configuration-hardening guides for specific products like Windows, Linux, or AWS: how to configure a system. A gap assessment measures your program against the Controls; the Benchmarks are one of the tools you use to close technical gaps once you find them.

Which Implementation Group should we target?

Every organization should meet IG1, the essential hygiene that blocks opportunistic attacks. IG2 fits organizations with dedicated IT or security staff, sensitive data, and regulatory obligations. IG3 is for critical infrastructure and high-sensitivity environments facing advanced threats. We recommend a target based on your size, data, and risk, and most clients close IG1 completely before reaching higher.

How do the CIS Controls relate to NIST CSF and ISO 27001?

They complement each other. NIST CSF and ISO 27001 are broad management frameworks; the CIS Controls are the prioritized, technical playbook for the safeguards underneath them, and CIS publishes mappings to both. If you already report against NIST or ISO, a CIS assessment tells you concretely which technical safeguards to implement first. See what a gap assessment is for how the frameworks fit together.

How long does a CIS gap assessment take?

Most assessments run two to four weeks, depending on your size, your target Implementation Group, and how much documentation already exists. The work is interviews, documentation review, and technical validation, followed by the gap analysis and a prioritized roadmap.

What do we do after the assessment?

The assessment is a roadmap, not a fix. You work the prioritized gaps, starting with the highest-risk items and the quick wins. Many organizations pair the roadmap with virtual CISO support to keep it moving between reassessments, and use penetration testing to confirm the controls they implemented actually hold.

Is a CIS gap assessment the same as a compliance audit?

No. An audit checks whether you meet a fixed bar and produces a pass or fail. A gap assessment is diagnostic: it shows where you stand against the CIS Controls, how big each gap is, and the order to fix them in. It is a planning tool, not a certificate. Many organizations run a gap assessment before an audit so there are no surprises.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873