CIS Critical Security Controls (CSC)

ComplianceForge currently offers one (1) product with comprehensive-enough coverage to address the controls found in the Center for Internet Security (CIS) v8 Critical Security Controls (CSC). This product is the Security, Compliance & Resilience Program (SCRP). The SCRP is the most comprehensive document we’ve made and it is targeted at enterprise-class organizations that need to align to the following frameworks. It is a “best in class” hybrid that leverages numerous leading frameworks to create a comprehensive security program for your organization! Our products offer coverage for over 200 laws, regulations and industry standards, including the CIS CSC:

  • NIST 800-53
  • NIST 800-171
  • NIST Cybersecurity Framework (CSF)
  • National Industrial Security Program Operating Manual (NISPOM)
  • Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012)
  • Federal Acquisition Regulation (FAR 52.204-21)
  • FedRAMP
  • Fair & Accurate Credit Transactions Act (FACTA)
  • Financial Industry Regulatory Authority (FINRA)
  • Oregon Identity Theft Protection Act (ORS 646A)
  • ISO 27002
  • ISO 27018
  • Generally Accepted Privacy Principles (GAPP)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Control Objectives for Information and Related Technology (COBIT 5)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes Oxley Act (SOX)
  • Gramm Leach Bliley Act (GLBA)
  • NY DFS 23 NYCCRR 500
  • American Institute of CPAs (AICPA) Service Organization Control (SOC2)
  • Center for Internet Security Critical Security Controls (CIS CSC)
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
  • European Union Agency for Network and Information Security (ENISA)
  • European Union General Data Protection Regulation (EU GDPR)
  • United Kingdom Data Protection Act (UK DPA)
  • Massachusetts 201 CMR 17.00

Key Takeaways - CIS Critical Security Controls (CSC)
  • CIS Critical Security Controls (CSC), formerly SANS Top 20, are a prioritized, actionable set of cybersecurity practices maintained by the Center for Internet Security.
  • The safeguards are organized into three Implementation Groups (IGs): IG1 (essential cyber hygiene), IG2 (adds coverage for greater operational complexity) and IG3 (addresses sophisticated adversaries).
  • 18 controls with 153 safeguards across the current version, focused on the highest-impact defensive actions first.
  • Particularly popular with mid-market organizations looking for practical, actionable controls without the complexity of NIST 800-53.
  • ComplianceForge documentation maps CIS CSC to NIST CSF, NIST 800-53, ISO 27001 and 200+ other frameworks through the SCF.
Safety Component

Taking ICS, OT and IOT Into Account

For years, the “CIA Triad” stood as the foundation for what a security program was designed to address – the Confidentiality, Integrity and Availability of both systems and data. That has now changed, since there are real-world safety considerations from Operational Technology (OT) and the Internet of Things (IoT). This has caused the evolution of the CIA Triad into the Confidentiality, Integrity, Availability and Safety (CIAS) model.

The SCRP is designed around the CIAS model by adopting the best of leading security frameworks.

Import-Ready For GRC Tools

The SCRP Comes In Both Microsoft Word & Excel Formats 

The DSP is ready to import into your Governance, Risk & Compliance (GRC) solution, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel easy. For many GRC tools, this provides you the ability to perform your customization and collaboration directly from your GRC portal.

If you do not currently have a GRC tool, but want to deploy the DSP from a user-friendly internal website, we can help with that. We offer a fixed-cost service to convert the DSP into an internal website using GRAV, a Content Management System (CMS). If that interests you, please contact us at support@complianceforge.com and we can provide you with more details on that option.

The Excel version of the DSP comes with the following content so it is easy to import into a GRC solution (e.g., ZenGRC, MetricStream, Ostendio, Archer, RSAM):

  • Policy statements
  • Control objectives
  • Standards
  • Guidance
  • Controls
  • Metrics (KPIs & KRIs)
  • Indicators of Compromise (IoC)
  • Indicators of Exposure (IoE)
  • Target Audience Applicability
  • Scoping - Basic or Enhanced Requirement
  • Recommended roles / teams with responsibility for each standard