Security Baseline Hardening: CIS Controls Implementation

Implement CIS Critical Security Controls for enterprise security. Covers IG1/IG2/IG3 controls mapping, implementation priorities, and tooling recommendations.

Dylan H.

Security Engineering

February 3, 2026
17 min read

Prerequisites

  • Understanding of security fundamentals
  • Access to enterprise security tools
  • Asset inventory of systems
  • Management support for security initiatives

Overview

The CIS Critical Security Controls (formerly SANS Top 20) provide a prioritized set of cybersecurity best practices. This guide covers implementing CIS Controls v8 with a focus on practical implementation, tooling, and mapping to Implementation Groups (IG1, IG2, IG3).

Who Should Use This Guide:

  • Security architects designing security programs
  • IT administrators implementing security controls
  • Compliance teams mapping to security frameworks
  • CISOs assessing security maturity

CIS Controls v8 Overview:

| Control Group | Focus Area | Controls |
|---|---|---|
| Basic (1-6) | Foundational hygiene | Inventory, software, data, configuration, accounts, access |
| Foundational (7-12) | Technical controls | Email, malware, recovery, network, logging, security |
| Organizational (13-18) | Process & governance | Awareness, providers, network, application, incident, penetration |

Implementation Groups:

| Group | Description | Organization Size |
|---|---|---|
| IG1 | Essential cyber hygiene | Small, limited IT resources |
| IG2 | Expanded capabilities | Medium, dedicated IT staff |
| IG3 | Comprehensive security | Large, security team, sensitive data |

Implementation Roadmap

Phase 1: Foundation (IG1 Essential)

Target: First 90 days - Establish baseline security

┌─────────────────────────────────────────────────────────────────────┐
│                    IG1 Implementation Roadmap                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  Month 1                Month 2                Month 3              │
│  ┌─────────────┐        ┌─────────────┐        ┌─────────────┐     │
│  │ Control 1   │        │ Control 5   │        │ Control 11  │     │
│  │ Hardware    │        │ Account     │        │ Data        │     │
│  │ Inventory   │        │ Management  │        │ Recovery    │     │
│  ├─────────────┤        ├─────────────┤        ├─────────────┤     │
│  │ Control 2   │        │ Control 6   │        │ Control 14  │     │
│  │ Software    │        │ Access      │        │ Security    │     │
│  │ Inventory   │        │ Management  │        │ Awareness   │     │
│  ├─────────────┤        ├─────────────┤        └─────────────┘     │
│  │ Control 3   │        │ Control 7   │                             │
│  │ Data        │        │ Continuous  │                             │
│  │ Protection  │        │ Vuln Mgmt   │                             │
│  ├─────────────┤        └─────────────┘                             │
│  │ Control 4   │                                                    │
│  │ Secure      │                                                    │
│  │ Config      │                                                    │
│  └─────────────┘                                                    │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Control 1: Inventory and Control of Enterprise Assets

IG1 Safeguards (Required):

| ID | Safeguard | Implementation |
|---|---|---|
| 1.1 | Establish asset inventory | Automated discovery tool |
| 1.2 | Address unauthorized assets | Quarantine or remediate |

Implementation Steps:

1. Deploy Asset Discovery:

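# Windows - Query local network for active hosts
# Requires PowerShell 7+ (ForEach-Object -Parallel). Hosts that drop ICMP echo
# will not appear, so treat the result as a starting point for the inventory.
$subnet = "192.168.1"
1..254 | ForEach-Object -Parallel {
    $ip = "$using:subnet.$_"
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet) {
        [PSCustomObject]@{
            IP = $ip
            # Take the first record so a multi-valued answer still exports as plain text
            Hostname = (Resolve-DnsName $ip -ErrorAction SilentlyContinue | Select-Object -First 1).NameHost
            MAC = (Get-NetNeighbor -IPAddress $ip -ErrorAction SilentlyContinue | Select-Object -First 1).LinkLayerAddress
        }
    }
} -ThrottleLimit 50 | Export-Csv ".\asset-discovery.csv" -NoTypeInformation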

2. Recommended Tools:

| Tool | Type | Best For |
|---|---|---|
| Lansweeper | Commercial | SMB, comprehensive |
| Snipe-IT | Open Source | Hardware tracking |
| NetBox | Open Source | DCIM/IPAM |
| NinjaOne | RMM | MSP environments |
| Microsoft Intune | Cloud | M365 environments |

3. Asset Classification:

Asset Categories:
├── Endpoints
│   ├── Workstations (Windows, macOS)
│   ├── Mobile (iOS, Android)
│   └── Virtual Desktops
├── Servers
│   ├── Physical
│   ├── Virtual (VMware, Hyper-V)
│   └── Cloud (Azure VMs, AWS EC2)
├── Network
│   ├── Routers/Switches
│   ├── Firewalls
│   └── Wireless APs
└── IoT/OT
    ├── Printers
    ├── Cameras
    └── Industrial devices

Verification:

  • All IP-connected devices discovered
  • Asset inventory updated weekly
  • Unauthorized assets identified and addressed
  • Asset owners assigned

Control 2: Inventory and Control of Software Assets

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 2.1 | Establish software inventory | Automated collection |
| 2.2 | Ensure authorized software installed | Allowlisting/review |
| 2.3 | Address unauthorized software | Remove or document exception |

Implementation:

1. Collect Software Inventory:

# Windows - Get installed software
$software = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*,
    HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
 
$software | Export-Csv ".\software-inventory.csv" -NoTypeInformation
 
# Get running processes (may reveal software that has no installer entry, such as portable executables)
Get-Process | Select-Object Name, Path, Company |
Where-Object { $_.Path } |
Sort-Object Name -Unique |
Export-Csv ".\running-software.csv" -NoTypeInformation

2. Application Allowlisting (Windows):

# Windows Defender Application Control (WDAC)
# Create policy from golden image
$policyPath = "C:\Policies\BasePolicy.xml"
New-CIPolicy -FilePath $policyPath -Level Publisher -UserPEs -MultiplePolicyFormat
 
# Audit mode first
Set-RuleOption -FilePath $policyPath -Option 3  # Enable Audit Mode
 
# Convert to binary
ConvertFrom-CIPolicy -XmlFilePath $policyPath -BinaryFilePath "C:\Policies\BasePolicy.cip"

3. Unauthorized Software Detection:

# Compare current inventory to approved list
$approved = Import-Csv ".\approved-software.csv"
$current = Import-Csv ".\software-inventory.csv"
 
$unauthorized = $current | Where-Object {
    $_.DisplayName -notin $approved.DisplayName
}
 
$unauthorized | Export-Csv ".\unauthorized-software.csv" -NoTypeInformation
 
if ($unauthorized) {
    Write-Warning "Unauthorized software found: $($unauthorized.Count) items"
}

Control 3: Data Protection

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 3.1 | Establish data management process | Policies and classification |
| 3.2 | Establish data inventory | Discover sensitive data |
| 3.3 | Configure data access control | RBAC and least privilege |
| 3.4 | Enforce data retention | Automated retention policies |
| 3.6 | Encrypt data on end-user devices | BitLocker/FileVault |

Implementation:

1. Data Classification Framework:

Classification Levels:
┌────────────────────────────────────────────────────────────┐
│ Level 4: RESTRICTED                                        │
│ - PII, PHI, PCI data                                       │
│ - Trade secrets                                            │
│ - Encryption required at rest and transit                  │
├────────────────────────────────────────────────────────────┤
│ Level 3: CONFIDENTIAL                                      │
│ - Internal business data                                   │
│ - Employee information                                     │
│ - Encryption required at rest                              │
├────────────────────────────────────────────────────────────┤
│ Level 2: INTERNAL                                          │
│ - Day-to-day business operations                           │
│ - Not for public release                                   │
│ - Standard access controls                                 │
├────────────────────────────────────────────────────────────┤
│ Level 1: PUBLIC                                            │
│ - Marketing materials                                      │
│ - Public website content                                   │
│ - No special handling required                             │
└────────────────────────────────────────────────────────────┘

2. Enable BitLocker (Windows):

# Check BitLocker status
Get-BitLockerVolume
 
# Enable BitLocker with TPM
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
 
# Add recovery password
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
# Backup to Azure AD (Intune managed)
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (
    (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
).KeyProtectorId

3. Data Discovery (PowerShell):

# Find files with potential sensitive data
# Get-Content -Raw only exposes the text of plain-text formats. .xlsx and .docx are
# ZIP-compressed containers, so their content has to be extracted before matching.
$patterns = @(
    '\b\d{3}-\d{2}-\d{4}\b',      # SSN
    '\b\d{16}\b',                  # Credit card (16 digits, no separators)
    '\b[A-Z]{2}\d{6}[A-Z]\b'       # Passport
)
 
$sensitiveFiles = Get-ChildItem -Path "C:\Users" -Recurse -File -Include "*.csv", "*.txt", "*.log" -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $content = Get-Content $file.FullName -Raw -ErrorAction SilentlyContinue
    foreach ($pattern in $patterns) {
        # -cmatch keeps [A-Z] case-sensitive (-match would also accept lowercase)
        if ($content -cmatch $pattern) {
            [PSCustomObject]@{
                File = $file.FullName
                Pattern = $pattern
                Modified = $file.LastWriteTime
            }
        }
    }
}
 
$sensitiveFiles | Export-Csv ".\sensitive-data-scan.csv" -NoTypeInformation
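
Word and Excel files are ZIP containers, so a raw read does not expose their text, and a bare 16-digit pattern flags many numbers that are not cards. The following added example (not the article's code) extracts the text parts of .docx/.xlsx files and keeps only card candidates that pass the Luhn checksum; the function names and the sample files it builds in a temp folder are constructed for illustration.

```powershell
# Added example, not the article's code. Function names are illustrative.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-Luhn {
    # Luhn checksum: drops 16-digit strings that cannot be payment card numbers
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]($Digits[$i])
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Get-OoxmlText {
    # .docx/.xlsx are ZIP archives: read only the XML parts that carry user text
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $parts = $zip.Entries | Where-Object {
            $_.FullName -match '^(word/document\.xml|xl/sharedStrings\.xml|xl/worksheets/[^/]+\.xml)$'
        }
        $text = foreach ($part in $parts) {
            $reader = [System.IO.StreamReader]::new($part.Open())
            try { $reader.ReadToEnd() -replace '<[^>]+>', ' ' } finally { $reader.Dispose() }
        }
        return ($text -join ' ')
    } finally {
        $zip.Dispose()
    }
}

function Find-SensitiveData {
    param([string]$Root)
    $ssn  = '\b\d{3}-\d{2}-\d{4}\b'
    $card = '\b(?:\d[ -]?){15}\d\b'   # 16 digits, optional space or dash separators
    Get-ChildItem -Path $Root -Recurse -File -Include '*.docx', '*.xlsx', '*.csv', '*.txt' |
    ForEach-Object {
        $file = $_
        try {
            if ($file.Extension -in '.docx', '.xlsx') {
                $content = Get-OoxmlText -Path $file.FullName
            } else {
                $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop
            }
        } catch {
            Write-Warning "Skipped (locked, corrupt or encrypted): $($file.FullName)"
            return
        }
        if (-not $content) { return }
        $ssnHits  = [regex]::Matches($content, $ssn).Count
        $cardHits = @([regex]::Matches($content, $card) |
            Where-Object { Test-Luhn ($_.Value -replace '[ -]', '') }).Count
        if ($ssnHits -or $cardHits) {
            # Counts only: the report must not become a second copy of the data
            [PSCustomObject]@{ File = $file.FullName; SsnLike = $ssnHits; LuhnValidCards = $cardHits }
        }
    }
}

# Constructed sample data: a CSV and a minimal .docx-style archive
$demo = Join-Path ([System.IO.Path]::GetTempPath()) "dlp-demo-$(Get-Random)"
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'notes.csv') -Value 'id,card', '1,4111 1111 1111 1111', '2,1234 5678 9012 3456'
$zip = [System.IO.Compression.ZipFile]::Open((Join-Path $demo 'memo.docx'), 'Create')
$writer = [System.IO.StreamWriter]::new($zip.CreateEntry('word/document.xml').Open())
$writer.Write('<w:document><w:body><w:p><w:r><w:t>SSN 078-05-1120</w:t></w:r></w:p></w:body></w:document>')
$writer.Dispose(); $zip.Dispose()
Find-SensitiveData -Root $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Numeric cells that Excel stores in scientific notation and values split across Word formatting runs can still be missed, so use the result to prioritise review rather than as proof of absence.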

Control 4: Secure Configuration of Enterprise Assets

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 4.1 | Establish secure configuration process | Baselines and hardening guides |
| 4.2 | Establish secure configuration for network devices | Firewall/switch hardening |
| 4.7 | Manage default accounts | Disable or rename defaults |

Implementation:

1. Windows Security Baseline (Intune):

# Key Security Baseline Settings
Password Policy:
  - Minimum Length: 14 characters
  - Complexity: Required
  - History: 24 passwords
  - Maximum Age: 90 days
 
Account Lockout:
  - Threshold: 5 invalid attempts
  - Duration: 30 minutes
  - Reset Counter: 30 minutes
 
User Rights:
  - Deny log on locally: Guests
  - Deny access from network: Guests, Anonymous
 
Security Options:
  - UAC: Enabled (Prompt for consent)
  - Guest account: Disabled
  - Rename administrator account: Yes
  - Blank passwords: Disabled

2. Apply CIS Benchmark (PowerShell):

# Example CIS hardening script excerpts (run from an elevated session)
 
# 2.3.1.1 - Accounts: Administrator account status
Disable-LocalUser -Name "Administrator"
 
# 2.3.1.3 - Rename administrator account
Rename-LocalUser -Name "Administrator" -NewName "IT-Admin-$((Get-Random -Maximum 9999))"
 
# 2.3.7.3 - Interactive logon: Machine inactivity limit
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "InactivityTimeoutSecs" -Value 900
 
# 18.4.3 - MSS: Enable ICMP redirects (0 = disabled)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "EnableICMPRedirect" -Value 0
 
# 18.5.4.1 - Turn off multicast name resolution (LLMNR)
# Create the policy key only when it is missing, so values already under it are preserved
$dnsClientKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
if (-not (Test-Path $dnsClientKey)) { New-Item -Path $dnsClientKey -Force | Out-Null }
Set-ItemProperty -Path $dnsClientKey -Name "EnableMulticast" -Value 0
 
# 18.9.102.1 - Configure Windows Defender SmartScreen
$systemPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
if (-not (Test-Path $systemPolicyKey)) { New-Item -Path $systemPolicyKey -Force | Out-Null }
Set-ItemProperty -Path $systemPolicyKey -Name "EnableSmartScreen" -Value 1
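
Settings applied once tend to drift, so the hardening step needs a matching read-only check. The following added example (not the article's code, and not a replacement for CIS-CAT) audits the same registry values and the built-in administrator account; the function names are illustrative, and treating any inactivity limit from 1 to 900 seconds as passing is an assumption of this example.

```powershell
# Added example, not the article's code. Read-only: nothing is changed on the host.
$settings = @(
    @{ Id = '2.3.7.3'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'InactivityTimeoutSecs'; Expected = '1-900'; Test = { param($v) $v -ge 1 -and $v -le 900 } }
    @{ Id = '18.4.3'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'EnableICMPRedirect'; Expected = '0'; Test = { param($v) $v -eq 0 } }
    @{ Id = '18.5.4.1'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Expected = '0'; Test = { param($v) $v -eq 0 } }
    @{ Id = '18.9.102.1'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'EnableSmartScreen'; Expected = '1'; Test = { param($v) $v -eq 1 } }
)

function Get-RegistryValueOrNull {
    # A missing key or value is a finding, not an error, so return $null instead of throwing
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RegistryBaseline {
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        $actual = Get-RegistryValueOrNull -Path $s.Path -Name $s.Name
        if ($null -eq $actual) {
            $state = 'Missing'
        } elseif (& $s.Test $actual) {
            $state = 'Pass'
        } else {
            $state = 'Fail'
        }
        [PSCustomObject]@{ Id = $s.Id; Check = $s.Name; Expected = $s.Expected; Actual = $actual; State = $state }
    }
}

function Test-BuiltinAdministrator {
    # Find the account by its well-known RID (500): once renamed, a lookup by name no longer works
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) {
        [PSCustomObject]@{ Id = '2.3.1.1'; Check = 'Built-in admin'; Expected = 'present'; Actual = $null; State = 'Missing' }
        return
    }
    $disabledState = if ($admin.Enabled) { 'Fail' } else { 'Pass' }
    $renamedState  = if ($admin.Name -eq 'Administrator') { 'Fail' } else { 'Pass' }
    [PSCustomObject]@{ Id = '2.3.1.1'; Check = 'Built-in admin enabled'; Expected = 'False'
                       Actual = "$($admin.Enabled)"; State = $disabledState }
    [PSCustomObject]@{ Id = '2.3.1.3'; Check = 'Built-in admin name'; Expected = 'not Administrator'
                       Actual = $admin.Name; State = $renamedState }
}

$report = @(Test-RegistryBaseline -Settings $settings) + @(Test-BuiltinAdministrator)
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { $_.State -ne 'Pass' })
if ($failed.Count) { Write-Warning "$($failed.Count) baseline setting(s) failed or missing" }
```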

3. Network Device Hardening (FortiGate):

# Disable unused services
config system global
    set admin-https-redirect enable
    set admin-telnet disable
    set admin-ssh-port 22
    set admin-ssh-grace-time 60
    set admin-ssh-password enable
    set admintimeout 10
    set timezone 12
end
 
# Configure admin password policy
config system password-policy
    set status enable
    set min-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set expire-status enable
    set expire-day 90
end
 
# Restrict admin access by IP
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set trusthost2 192.168.1.0 255.255.255.0
    next
end

Control 5: Account Management

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 5.1 | Establish account inventory | List all accounts |
| 5.2 | Use unique passwords | Password manager, policies |
| 5.3 | Disable dormant accounts | 45-day inactivity disable |
| 5.4 | Restrict admin privileges | Least privilege principle |

Implementation:

1. Account Inventory:

# Active Directory - Get all user accounts
Get-ADUser -Filter * -Properties LastLogonDate, Enabled, PasswordLastSet, MemberOf |
Select-Object SamAccountName, DisplayName, Enabled, LastLogonDate, PasswordLastSet,
    @{N='Groups'; E={($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }) -join '; '}} |
Export-Csv ".\ad-user-inventory.csv" -NoTypeInformation
 
# Find stale accounts (no logon in 45 days)
# Accounts that have never logged on have no LastLogonDate and are not matched by this filter
$staleDate = (Get-Date).AddDays(-45)
Get-ADUser -Filter { LastLogonDate -lt $staleDate -and Enabled -eq $true } -Properties LastLogonDate |
Select-Object SamAccountName, LastLogonDate |
Export-Csv ".\stale-accounts.csv" -NoTypeInformation

2. Disable Dormant Accounts:

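# Automatically disable accounts inactive for 45 days
# LastLogonDate comes from the replicated lastLogonTimestamp attribute, which can lag
# the real last logon by up to 14 days with default domain settings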
$staleDate = (Get-Date).AddDays(-45)
$staleUsers = Get-ADUser -Filter { LastLogonDate -lt $staleDate -and Enabled -eq $true } -Properties LastLogonDate
 
foreach ($user in $staleUsers) {
    Disable-ADAccount -Identity $user.SamAccountName
    Set-ADUser -Identity $user.SamAccountName -Description "Disabled by automation - Inactive since $($user.LastLogonDate)"
    Write-Output "Disabled: $($user.SamAccountName) - Last logon: $($user.LastLogonDate)"
}

3. Privileged Account Audit:

# Find all privileged group members
$privGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators", "Backup Operators")
 
$privAccounts = foreach ($group in $privGroups) {
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [PSCustomObject]@{
            Group = $group
            SamAccountName = $_.SamAccountName
            ObjectClass = $_.objectClass
        }
    }
}
 
$privAccounts | Export-Csv ".\privileged-accounts.csv" -NoTypeInformation
Write-Output "Found $($privAccounts.Count) privileged account memberships"

Control 6: Access Control Management

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 6.1 | Establish access granting process | Request/approval workflow |
| 6.2 | Establish access revoking process | Termination procedures |
| 6.3 | Require MFA for external applications | Conditional Access |
| 6.4 | Require MFA for remote access | VPN, RDP with MFA |
| 6.5 | Require MFA for admin access | All admin actions |

Implementation:

1. MFA Implementation Priority:

MFA Rollout Order:
┌────────────────────────────────────────────────────────────┐
│ Phase 1 (Immediate): Privileged Accounts                   │
│ - Domain Admins, Global Admins                             │
│ - Service desk with elevated privileges                    │
│ - Cloud admin accounts                                     │
├────────────────────────────────────────────────────────────┤
│ Phase 2 (Week 2): Remote Access                            │
│ - VPN users                                                │
│ - Remote desktop users                                     │
│ - Cloud application access                                 │
├────────────────────────────────────────────────────────────┤
│ Phase 3 (Week 4): All External Applications                │
│ - Microsoft 365                                            │
│ - SaaS applications                                        │
│ - Customer-facing portals                                  │
├────────────────────────────────────────────────────────────┤
│ Phase 4 (Month 2): All Users                               │
│ - Complete MFA rollout                                     │
│ - Phishing-resistant MFA for sensitive roles               │
└────────────────────────────────────────────────────────────┘

2. Entra ID Conditional Access (Reference):

See our Conditional Access Zero Trust guide for detailed implementation.


Control 7: Continuous Vulnerability Management

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 7.1 | Establish vulnerability management process | Policy and procedures |
| 7.2 | Establish remediation process | SLAs by severity |
| 7.3 | Perform automated OS patching | WSUS, Intune, Autopatch |
| 7.4 | Perform automated application patching | Third-party patching |

Implementation:

1. Vulnerability Remediation SLAs:

| Severity | CVSS Score | Remediation SLA |
|---|---|---|
| Critical | 9.0 - 10.0 | 7 days |
| High | 7.0 - 8.9 | 30 days |
| Medium | 4.0 - 6.9 | 90 days |
| Low | 0.1 - 3.9 | 180 days |

2. Windows Update Configuration:

# Configure Windows Update via PowerShell
# The policy values are split across two keys: ...\WindowsUpdate and ...\WindowsUpdate\AU
$wuPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$WUSettings = @{
    $wuPath = @{
        'AcceptTrustedPublisherCerts' = 1
        'DisableWindowsUpdateAccess' = 0
        'ElevateNonAdmins' = 0
    }
    "$wuPath\AU" = @{
        'AUOptions' = 4  # Auto download and schedule install
        'ScheduledInstallDay' = 0  # Every day
        'ScheduledInstallTime' = 3  # 3 AM
        'NoAutoRebootWithLoggedOnUsers' = 0
    }
}
 
foreach ($key in $WUSettings.GetEnumerator()) {
    # Create the key only when it is missing, so existing values under it are preserved
    if (-not (Test-Path $key.Key)) {
        New-Item -Path $key.Key -Force | Out-Null
    }
    foreach ($setting in $key.Value.GetEnumerator()) {
        Set-ItemProperty -Path $key.Key -Name $setting.Key -Value $setting.Value
    }
}

3. Vulnerability Scanning Tools:

| Tool | Type | Best For |
|---|---|---|
| Nessus | Commercial | Enterprise scanning |
| OpenVAS | Open Source | Budget-conscious |
| Qualys | Cloud | Large enterprises |
| Microsoft Defender Vuln Mgmt | Built-in | M365 E5 customers |
| Rapid7 InsightVM | Commercial | DevSecOps integration |

Control 11: Data Recovery

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 11.1 | Establish data recovery process | Backup procedures |
| 11.2 | Perform automated backups | Daily/weekly schedules |
| 11.3 | Protect recovery data | Encryption, access control |
| 11.4 | Establish isolated recovery environment | Air-gapped or immutable |
| 11.5 | Test backup recovery | Quarterly restore tests |

Implementation:

1. 3-2-1 Backup Strategy:

3-2-1 Backup Rule:
┌─────────────────────────────────────────────────────────────┐
│                                                             │
│  3 Copies of Data                                           │
│  ├── Production (Original)                                  │
│  ├── On-site backup (NAS, SAN, local server)               │
│  └── Off-site backup (Cloud, remote DC, tape)               │
│                                                             │
│  2 Different Media Types                                    │
│  ├── Disk-based (fast recovery)                            │
│  └── Cloud/Tape (ransomware protection)                    │
│                                                             │
│  1 Off-site Copy                                            │
│  └── Geographically separated (disaster recovery)          │
│                                                             │
│  BONUS: 1 Immutable/Air-gapped Copy                         │
│  └── Cannot be modified or deleted by ransomware           │
│                                                             │
└─────────────────────────────────────────────────────────────┘

2. Backup Verification Script:

# Test backup integrity
function Test-BackupIntegrity {
    param(
        [string]$BackupPath,
        [string]$TestRestorePath = "C:\BackupTest"
    )
 
    # Create test restore directory (output suppressed so the function returns only a boolean)
    New-Item -ItemType Directory -Path $TestRestorePath -Force | Out-Null
 
    # Attempt to restore sample files
    try {
        # Example: Veeam restore
        # Start-VBRRestoreSession -BackupSession $session
 
        # Confirm that at least one file was restored
        $testFile = Get-ChildItem $TestRestorePath -Recurse -File -ErrorAction Stop | Select-Object -First 1
        if ($testFile -and (Test-Path $testFile.FullName)) {
            # Write-Host keeps the status message out of the function's return value
            Write-Host "Backup verification: SUCCESS"
            return $true
        }
        Write-Warning "Backup verification: FAILED - no files found in $TestRestorePath"
        return $false
    } catch {
        Write-Error "Backup verification: FAILED - $_"
        return $false
    } finally {
        # Cleanup
        Remove-Item -Path $TestRestorePath -Recurse -Force -ErrorAction SilentlyContinue
    }
}
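
A restore test that only confirms a file exists will not notice truncated or silently corrupted data. The following added example (not the article's code and not tied to any backup product) compares a test restore with its source by SHA-256 and reports missing, modified and unexpected files; the function names and the temp-folder sample data are constructed for illustration.

```powershell
# Added example, not the article's code. Function names are illustrative.
function Get-FileManifest {
    # Map of relative path -> SHA-256 for every file under $Root
    param([string]$Root)
    $base = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\', '/')
    $manifest = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($base.Length + 1)
        $manifest[$relative] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Compare-RestoreToSource {
    param([string]$SourcePath, [string]$RestorePath)
    $source   = Get-FileManifest -Root $SourcePath
    $restored = Get-FileManifest -Root $RestorePath
    foreach ($file in $source.Keys) {
        if (-not $restored.ContainsKey($file)) {
            $state = 'Missing'
        } elseif ($restored[$file] -ne $source[$file]) {
            $state = 'Modified'
        } else {
            $state = 'OK'
        }
        [PSCustomObject]@{ File = $file; State = $state }
    }
    # Files present only in the restore point to a wrong restore point or a mixed-up job
    foreach ($file in $restored.Keys) {
        if (-not $source.ContainsKey($file)) {
            [PSCustomObject]@{ File = $file; State = 'Unexpected' }
        }
    }
}

# Constructed sample data: a small source tree and a deliberately damaged "restore"
$root = Join-Path ([System.IO.Path]::GetTempPath()) "restore-demo-$(Get-Random)"
$src  = Join-Path $root 'source'
$dst  = Join-Path $root 'restore'
New-Item -ItemType Directory -Path (Join-Path $src 'finance') -Force | Out-Null
Set-Content -Path (Join-Path $src 'readme.txt') -Value 'hello'
Set-Content -Path (Join-Path $src 'finance\q1.csv') -Value 'a,b'
Set-Content -Path (Join-Path $src 'finance\q2.csv') -Value 'c,d'
Copy-Item -Path $src -Destination $dst -Recurse
Set-Content -Path (Join-Path $dst 'finance\q1.csv') -Value 'a,X'   # simulate silent corruption
Remove-Item -Path (Join-Path $dst 'finance\q2.csv')                # simulate an incomplete restore

$result = @(Compare-RestoreToSource -SourcePath $src -RestorePath $dst)
$result | Sort-Object File | Format-Table -AutoSize
$bad = @($result | Where-Object { $_.State -ne 'OK' })
if ($bad.Count) { Write-Warning "Restore test failed: $($bad.Count) file(s) missing, modified or unexpected" }
Remove-Item -Path $root -Recurse -Force
```

Against a live source, files changed since the backup ran will show as Modified, so for production use store the manifest when the backup is taken and compare the restore against that.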

Control 14: Security Awareness Training

IG1 Safeguards:

| ID | Safeguard | Implementation |
|---|---|---|
| 14.1 | Establish security awareness program | Training curriculum |
| 14.2 | Train workforce on secure authentication | Password, MFA training |
| 14.3 | Train workforce on data handling | Classification training |
| 14.4 | Train workforce on social engineering | Phishing awareness |
| 14.5 | Train workforce on malware dangers | Safe computing |

Implementation:

1. Annual Training Topics:

| Topic | Frequency | Target Audience |
|---|---|---|
| Security Awareness Basics | Annually + new hire | All employees |
| Phishing Recognition | Quarterly simulations | All employees |
| Password/MFA Best Practices | Annually | All employees |
| Data Handling | Annually | Data handlers |
| Secure Remote Work | Annually | Remote workers |
| Privileged User Security | Annually | IT/Admins |
| Incident Reporting | Annually | All employees |

2. Phishing Simulation Program:

Phishing Campaign Schedule:
┌────────────────────────────────────────────────────────────┐
│ Quarter 1: Basic Phishing                                   │
│ - Generic phishing email (obvious)                         │
│ - Training for all who click                               │
├────────────────────────────────────────────────────────────┤
│ Quarter 2: Credential Harvesting                            │
│ - Fake login page (Microsoft branded)                      │
│ - Focus on those who clicked in Q1                         │
├────────────────────────────────────────────────────────────┤
│ Quarter 3: Business Email Compromise                        │
│ - CEO fraud / invoice scam                                 │
│ - Target finance and executives                            │
├────────────────────────────────────────────────────────────┤
│ Quarter 4: Spear Phishing                                   │
│ - Personalized attacks                                     │
│ - Based on OSINT                                           │
└────────────────────────────────────────────────────────────┘

Implementation Tracking

IG1 Compliance Scorecard

Control Assessment Scoring:
┌────────────────────────────────────────────────────────────────────┐
│ Score │ Description                                                │
├────────────────────────────────────────────────────────────────────┤
│   0   │ Not Implemented - No safeguards in place                   │
│   1   │ Initial - Ad-hoc implementation, not documented            │
│   2   │ Developing - Partially implemented, some documentation     │
│   3   │ Defined - Fully implemented, documented, not validated     │
│   4   │ Managed - Implemented, documented, measured, reviewed      │
│   5   │ Optimized - Continuous improvement, automated, audited     │
└────────────────────────────────────────────────────────────────────┘

Assessment Template

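| Control | Safeguard | Current Score | Target Score | Gap | Owner | Due Date |
|---|---|---|---|---|---|---|
| 1.1 | Asset Inventory | 2 | 4 | 2 | IT Ops | Q1 |
| 1.2 | Unauthorized Assets | 1 | 3 | 2 | IT Ops | Q1 |
| 2.1 | Software Inventory | 2 | 4 | 2 | IT Ops | Q1 |
| 3.6 | Device Encryption | 3 | 4 | 1 | Security | Q2 |
| 5.3 | Dormant Accounts | 1 | 4 | 3 | IAM | Q1 |
| 6.5 | Admin MFA | 4 | 5 | 1 | IAM | Q1 |
| 11.2 | Automated Backups | 3 | 4 | 1 | IT Ops | Q2 |
| 14.4 | Phishing Training | 2 | 4 | 2 | Security | Q2 |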

Tooling Recommendations

Control-to-Tool Mapping

| Control | Recommended Tools |
|---|---|
| 1 - Asset Inventory | Lansweeper, Snipe-IT, NinjaOne, Intune |
| 2 - Software Inventory | SCCM, Intune, PDQ Inventory |
| 3 - Data Protection | Microsoft Purview, BitLocker, FileVault |
| 4 - Secure Config | CIS-CAT, Microsoft Security Baselines |
| 5 - Account Mgmt | Active Directory, Entra ID |
| 6 - Access Control | Entra ID Conditional Access, Duo |
| 7 - Vuln Management | Nessus, Qualys, Rapid7, Defender |
| 8 - Audit Logs | Splunk, Microsoft Sentinel, Elastic |
| 10 - Malware Defense | Defender for Endpoint, SentinelOne |
| 11 - Data Recovery | Veeam, Azure Backup, Cove |
| 14 - Security Training | KnowBe4, Proofpoint, Infosec IQ |

Verification Checklist

IG1 Implementation Complete:

  • Control 1: Asset inventory established and maintained
  • Control 2: Software inventory with unauthorized detection
  • Control 3: Data classification and encryption deployed
  • Control 4: Security baselines applied to all systems
  • Control 5: Account inventory with dormant account process
  • Control 6: MFA enforced for remote and admin access
  • Control 7: Vulnerability management with patching SLAs
  • Control 11: Backup strategy with tested recovery
  • Control 14: Security awareness program active

Next Steps

After achieving IG1 compliance:

  1. Assess for IG2 - Plan extended control implementation
  2. Continuous Monitoring - Automate compliance checking
  3. Integrate with Risk Management - Map controls to business risks
  4. External Validation - Consider CIS Controls certification

References

  • CIS Controls v8
  • CIS Benchmarks
  • CIS Controls Self-Assessment Tool (CSAT)
  • NIST Cybersecurity Framework Mapping

Last Updated: February 2026
