ScalePad
ControlMap

CIS v8.1 Field Guide for MSPs

CIS Controls: the foundation, made operational

The framework every MSP should run on itself first: the 18 controls and 153 safeguards, full visibility into Implementation Groups 1, 2, and 3, and the path from your own practice to a productized client offering, with a step-by-step ControlMap workflow.

The First Framework

CIS Controls at a glance: why your MSP starts here

The CIS Critical Security Controls are the community's answer to "what should we actually do first?", a prioritized, prescriptive, free set of defensive actions maintained by the Center for Internet Security and refined by thousands of practitioners against real attack data. No law mandates them and no certificate crowns them, and that's the point: CIS is the working baseline every regulated framework in this series maps back to, and the framework an MSP can adopt today without waiting for a client to ask.

Version 8.1

The shape of v8.1

18 controls and 153 safeguards, organized by activity, not by who runs it, and tiered into three Implementation Groups. Version 8.1 (2024) kept the structure of v8 and refreshed the plumbing: terminology aligned to NIST CSF 2.0, a new Govern security-function classification, and sharpened asset-class definitions, so your CIS work now speaks procurement's favorite dialect natively.

Why it works

It's attack-informed: CIS's Community Defense Model maps the safeguards against real-world attack techniques, and even the smallest tier, IG1's essential cyber hygiene, defends against roughly three-quarters of the techniques behind the most common attack types: ransomware, malware, web-app hacking, insider misuse, targeted intrusion. Maximum defense per dollar, by design.

Why This Is the MSP's First Framework: Run It on Yourself Before Any Client

Your own highest-value target

An MSP holds admin keys to dozens of businesses. Attackers know it, insurers know it, and increasingly your clients' auditors know it. CIS hardening of your own RMM, identity, and tooling is self-defense before it's anything else.

The training ground for CaaS

Your team learns assessments, evidence habits, risk registers, and the QBR rhythm on an environment where mistakes are cheap and access is total. Client zero is the curriculum. See this series' CaaS Build Guide.

The springboard to every framework

CIS cross-maps to NIST CSF, 800-171/CMMC, HIPAA, PCI DSS, FTC Safeguards, SOC 2, and ISO 27001. A CIS baseline done once pre-answers big slices of every regulated engagement you'll ever sell: the mechanic Stacks automates.

It is

A prioritized to-do list with measurable safeguards, free to download and use, with companion CIS Benchmarks that supply the hardening how-to for specific platforms and operating systems.

It isn't

A certification (no auditor, no certificate), a law, or a risk-management methodology, pair it with the governance loop the other frameworks in this series teach.

Which means

You can adopt it today, scope it yourself, and prove it with a self-assessment score: the lowest-friction starting line in security.

The credibility test you can't dodge: the first question a savvy prospect asks a compliance-selling MSP is "show me yours." An MSP pitching CaaS without its own CIS baseline, risk register, and posture score is a personal trainer who doesn't work out. This guide exists so that never happens to you, get your own house in order, then sell the blueprint.

The Operating Model

Client zero: your security team × your leadership

For this guide the shared-responsibility split runs inside your own MSP, because that's where the program starts. The same division you'll later sell to clients applies at home: the technical team operates safeguards, leadership owns scope, risk acceptance, and the budget, and the middle is where the program lives or dies. Get this split working internally and you've rehearsed every client conversation that follows.

Who runs what inside your MSP

Security/ops team runs

  • Asset & software inventories
  • Hardening & configuration
  • Identity, MFA & access admin
  • Vulnerability & patch cadence
  • Logging, EDR & monitoring
  • Backup & recovery tests
  • Evidence collection

Shared

  • The self-assessment
  • Gap prioritization
  • Policies & attestations
  • Awareness training
  • Incident response plan
  • Service-provider reviews
  • The posture scorecard

Leadership owns

  • Choosing the IG target
  • Scope & budget decisions
  • Risk acceptance calls
  • Policy approval
  • Vendor decisions
  • The quarterly review chair
  • Telling the market about it

Treat yourself like a client

A real workspace, a real assessment, real tickets, a real quarterly review with the owner in the chair. Shortcut it internally and your team will shortcut it for clients: the habits transfer either way.

Scope honestly

Your scope is everything that touches client environments: RMM, remote access, documentation platform, identity, backup infrastructure, technician endpoints. That's the blast radius an attacker, and a client's auditor, cares about.

Bank the by-products

Everything client zero produces is reusable: the policy set becomes templates, the assessment becomes the demo, the scorecard answers insurer and client questionnaires, and the war stories become sales material.

CIS rewards finishing over starting: a fully implemented IG1 beats a half-implemented IG3 every time, in real defense (the Community Defense Model math), in audit conversations, and in sales credibility. Pick the right Implementation Group, complete it, prove it, then climb.

01

IG1 · IG2 · IG3

The Implementation Groups: the scope decision that sizes everything

The Implementation Groups are CIS's answer to "we can't do all 153 at once." Each safeguard is assigned to exactly one group, and the groups nest, IG2 contains all of IG1, IG3 contains everything. Pick the group that matches the organization's risk profile and resources, implement it completely, then climb. The IG is the scope decision that sizes the whole program.

Three Tiers, Nested

IG1, IG2, IG3: who each group is for

IG1: Essential Cyber Hygiene

The floor for everyone, designed to be achievable with commercial off-the-shelf tooling and a small team.

Included

  • Defends against general, non-targeted attacks: the ransomware and phishing that actually hit SMBs
  • Achievable without dedicated security staff
  • The base tier every other group contains

Best for

Small-to-medium organizations with limited IT/security expertise and commodity data sensitivity. Most MSP clients live here; your MSP should not.

Safeguards

56

IG2: The Operating Tier

Everything in IG1 plus 74 safeguards of depth: the natural home for an MSP.

Included

  • Adds centralized logging and SIEM-grade monitoring
  • Network management, DLP, and formalized incident response
  • Contains all of IG1: the groups nest

Best for

Organizations with dedicated IT, multiple departments or sites, sensitive client data, and some regulatory exposure, including MSPs, who hold other people's keys, and regulated SMB clients.

Safeguards

130 (IG1 + 74)

IG3: The Targeted-Attack Tier

Everything: the expert-operated layer for realistic exposure to targeted attacks.

Included

  • Application-security programs and penetration testing
  • Advanced network defense and data-flow controls
  • Contains all of IG1 and IG2

Best for

Organizations with security specialists on staff and highly sensitive or regulated data. For your client base, IG3 is the exception, reach it by graduation, not by declaration.

Safeguards

153 (everything)

Choosing the IG: Three Questions, Sixty Seconds

How sensitive is the data?

Commodity business data → IG1 territory. Client PII, PHI, financial data, or other people's credentials → IG2. Regulated-at-scale or national-security-adjacent → IG3.

Who would attack, and how?

Opportunistic spray → IG1 defends it. Attackers who'd profit from this specific organization, an MSP's supply-chain position, a defense sub's CUI → IG2/IG3.

What can the team actually run?

An IG is a commitment to operate, not install. No one to watch the SIEM means IG2's monitoring isn't real, size to sustained capacity, or to the MSP service that supplies it.

The two-IG strategy: run your MSP at IG2 (you're a high-value supply-chain target holding sensitive access) and baseline clients at IG1 (complete, provable essential hygiene) with IG2 as the documented upgrade path for the regulated ones. That asymmetry is also the sales story: "we hold ourselves to a higher tier than we ask of you."

Where the Safeguards Live

IG distribution across the 18 controls

Each bar is one control: the gold segment is its IG1 safeguards, the teal segment what IG2 and IG3 add. Read the shape, identity, training, configuration, and recovery are front-loaded into IG1, while three whole controls (13, 16, 18) don't begin until IG2+.

01 · Enterprise asset inventory
2
+3
5
02 · Software asset inventory
3
+4
7
03 · Data protection
6
+8
14
04 · Secure configuration
7
+5
12
05 · Account management
4
+2
6
06 · Access control management
5
+3
8
07 · Continuous vulnerability mgmt
4
+3
7
08 · Audit log management
3
+9
12
09 · Email & browser protections
2
+5
7
10 · Malware defenses
3
+4
7
11 · Data recovery
4
+1
5
12 · Network infrastructure mgmt
1
+7
8
13 · Network monitoring & defenseIG2+ only
+11
11
14 · Awareness & skills training
8
+1
9
15 · Service provider management
1
+6
7
16 · Application software securityIG2+ only
+14
14
17 · Incident response management
3
+6
9
18 · Penetration testingIG2+ only
+5
5
IG1 safeguards (56 total)Added by IG2 + IG3 (97 more → 153)Safeguard counts from CIS Controls v8.1, verify against the current release before relying on them in client deliverables.

Reading the Shape

What the shape tells you

IG1 concentrates where breaches actually start: training (8 of 9 safeguards are IG1), configuration, identity, and recovery. That's deliberate, essential hygiene is mostly discipline on tools you already own, not new spend. If a client balks at IG1, they're not balking at cost; they're balking at discipline.

The IG2+ trio

Controls 13 (network monitoring), 16 (application security), and 18 (pen testing) have zero IG1 safeguards, CIS's acknowledgment that they need dedicated expertise to run honestly. For SMB clients these arrive as your managed services, not their internal capabilities, which is exactly the IG1 → IG2 upsell conversation.

02

Every Control, One View

The 18 controls: the whole game in one view

The controls are ordered with intent, you can't protect what you haven't inventoried, can't detect what you don't log, can't respond to what you don't detect. Read them as six moves, in sequence; then give every control its row. Each row carries an "IG1 / all" column so you can see at a glance how much of each control belongs to essential hygiene versus the higher tiers.

The Six Moves Behind the 18 Controls

Know what you have · 01–02

Enterprise and software asset inventories: the foundation every other control assumes. Unknown assets are unmanaged assets are the breach.

Protect the data · 03

Classify, encrypt, retain, dispose: the control that turns "we take security seriously" into a data map with rules.

Harden & gate · 04–07

Secure configuration, account management, access control, and continuous vulnerability management, closing the doors attackers actually use.

Watch & defend · 08–13

Logs, email/browser protection, malware defense, recovery, network management, and network monitoring, visibility, the attacks it catches, and the comeback.

People & vendors · 14–15

Awareness training and service-provider management: the human layer and the supply chain. Control 15 is literally about managing you.

Build & respond · 16–18

Application security, incident response, and penetration testing: the mature-tier trio where IG2/IG3 lives and managed services shine.

Foundations, Hardening & First Defenses

Controls 1–9

Building an IG1 program? Work the gold numbers. Building your own IG2 MSP program? The whole row is yours.

ControlWhat it demandsMSP translationIG1 / all
01 · Inventory & control of enterprise assetsKnow every device, managed and unmanaged, on-prem, remote, cloud, with an actively maintained inventory and a process for unauthorized assets.RMM agent coverage reconciled against network discovery; the "what's on the network that we don't manage?" sweep.2 / 5
02 · Inventory & control of software assetsAuthorized-software inventory; unauthorized software addressed; only supported, licensed software runs (allowlisting at higher IGs).RMM software inventory + unsupported-software report; application control where the stack allows.3 / 7
03 · Data protectionClassify data, map where it lives and flows, encrypt at rest and in transit, retain on schedule, dispose securely, control access by classification (DLP at IG2+).Data map + classification policy; disk/SaaS encryption posture; retention and purge jobs; DLP for IG2 clients.6 / 14
04 · Secure configuration of assets & softwareHardened baselines for endpoints, servers, network gear, and cloud, CIS Benchmarks are the companion how-to, with drift managed and defaults (passwords, ports, services) eliminated.Golden images + baseline policies; firewall/router config standards; session-lock, secure DNS, and the long tail of defaults.7 / 12
05 · Account managementInventory every account (user, admin, service); unique passwords; dormant accounts disabled; admin privileges restricted to dedicated admin accounts.Identity-platform account audit; separate admin identities for techs; quarterly dormant-account sweep.4 / 6
06 · Access control managementGranting/revoking process, MFA for external apps, remote access, and admin access, role-based access, and (IG2+) centralized SSO and access-review cadence.The JML workflow; MFA enforcement reports; conditional access; documented access reviews.5 / 8
07 · Continuous vulnerability managementA vulnerability-management process with automated internal/external scanning, risk-ranked remediation on cadence, and automated OS + application patching.Patch automation + monthly scan cycle; remediation SLAs by severity; the finding-to-fix loop with tickets.4 / 7
08 · Audit log managementLogging on across the estate, time-synced, retained, and (IG2+) centralized with review, DNS, command-line, and URL logging at the higher tiers.Log retention settings everywhere at IG1; SIEM/log platform with triage runbook for IG2.3 / 12
09 · Email & web browser protectionsSupported browsers/clients only, DNS filtering (IG1!), then DMARC, attachment sandboxing, and browser-extension control at IG2+.DNS-filter rollout; email security gateway; DMARC/SPF/DKIM enforcement: the phishing kill-chain controls.2 / 7

Where client-zero programs stall: control 1 (the unmanaged-device blind spot, lab gear, technicians' personal kit, that one switch nobody owns), control 5 (techs running daily-driver accounts with standing admin), and control 4 (baselines that exist as tribal knowledge, not documents). All three are discipline fixes, not purchases, knock them out in month one.

Resilience, People & the Mature Tier

Controls 10–18

ControlWhat it demandsMSP translationIG1 / all
10 · Malware defensesAnti-malware deployed and centrally managed, signatures current, autorun disabled; behavior-based EDR and script controls at IG2+.EDR everywhere with central console: the control your stack already nails; evidence it.3 / 7
11 · Data recoveryAutomated backups, isolated/offline copies, protected backup data, and recovery actually tested (IG2).Backup platform with immutability; quarterly restore tests with results filed.4 / 5
12 · Network infrastructure managementNetwork gear current and supported (the lone IG1 safeguard), then secure architecture, segmentation, and centralized AAA at IG2+.Lifecycle the switches and firewalls; segmentation projects; admin-network isolation.1 / 8
13 · Network monitoring & defenseIG2+ onlyCentralized alerting, IDS/IPS, traffic filtering between segments, NAC, and (IG3) application-layer filtering: the watch-floor control.Your SOC/MDR service productized, this is what SMBs buy from you rather than build.0 / 11
14 · Security awareness & skills trainingA program with onboarding + annual training across phishing, data handling, incident reporting, and (IG2+) role-specific depth, 8 of its 9 safeguards are IG1.Awareness platform + phishing sims with completion exports; the cheapest control with the broadest IG1 footprint.8 / 9
15 · Service provider managementInventory providers, classify them, and (IG2+) require security in contracts, assess them, and monitor, decommissioning access when they go.The vendor register, with your MSP as every client's row one. Arrive with your own CIS scorecard and this control sells itself.1 / 7
16 · Application software securityIG2+ onlySecure SDLC for in-house software: vulnerability handling, dependency management, secure coding, testing, and (IG3) pen testing of applications.Relevant for dev-shop clients, their engineers execute, you supply the framework and evidence pipeline.0 / 14
17 · Incident response managementNamed contacts, a reporting process, and (IG2+) a written IR plan, defined roles, exercises, and post-incident reviews.IR plan from template + annual tabletop; the breach-clock workflows from this series' regulated guides plug in here.3 / 9
18 · Penetration testingIG2+ onlyA pen-test program: external tests (IG2), then internal tests and validation of remediation (IG3), informed by everything controls 1–17 built.Annual third-party pen test as a packaged add-on; findings feed control 7's remediation loop.0 / 5

The stack already covers more than you think: controls 1, 2, 4, 5, 7, 10, and 11 map almost one-to-one onto the standard MSP stack, RMM, identity, patching, EDR, backup. For your own practice most of the tooling already exists; the gap is safeguard-level discipline and evidence. That's the honest starting score, and it climbs fast.

Who Does What

When you deliver CIS to a client

Typical allocation when the controls run as a client service. For your own MSP as client zero, all three bars are you.

Inventories, hardening, patching, EDR, backup1–2, 4, 7, 10–11
MSP
Shared
Client
Identity, access & logging5, 6, 8
MSP
Shared
Client
Data protection & email/web3, 9
MSP
Shared
Client
Network mgmt, monitoring & pen testing12, 13, 18
MSP
Shared
Client
Training, vendors & incident decisions14, 15, 17
MSP
Shared
Client
Application security16, dev-shop clients
MSP
Shared
Client
MSP leadsSharedClient leadsProportions from the source guide: the split shifts per engagement; capture the real allocation in the service agreement.

03

Client Zero Playbook

Run it: you first: the client-zero playbook

Turn the controls into a running program on your own MSP, assessed, scored, remediated, and reviewed on a cadence; then clone the machinery for clients. The whole arc is a quarter of disciplined work, and every artifact it produces gets reused commercially.

Your First 90 Days on Yourself

The client-zero arc

  1. 1

    Scope & commit

    Leadership picks the IG (IG2 for an MSP) · scope is everything touching client environments · an owner chairs the program.

  2. 2

    Self-assess

    Score every in-scope safeguard honestly, policy defined? implemented? automated? reported?, for the baseline number.

  3. 3

    Close the gaps

    Discipline fixes first (admin accounts, baselines, inventories), then tooling gaps · policies published with attestations.

  4. 4

    Operationalize

    Every recurring safeguard becomes a ticketed cadence with an owner and evidence: the program survives turnover.

  5. 5

    Review & tell

    Quarterly internal review with the score trend · publish the posture summary, insurers, clients, and prospects all ask.

Scoring that means something

Score each safeguard on a maturity scale, not implemented → policy defined → implemented → automated → reported, and roll up per control and per IG. Two numbers run the program: IG1 completion % (are the essentials done?) and overall maturity trend (is the loop turning?). The same scoring later becomes every client's QBR scorecard.

Honesty is the asset

A 61% baseline scored honestly beats a 95% scored generously, because the number's only job is to move. The before/after trend is your best sales chart, and clients can smell an inflated self-score the moment your engineer hesitates in a meeting.

From Practice to Product

From your practice to your clients: productize and cross-map

With client zero running, the machinery clones. CIS becomes both your entry-level offering: the baseline assessment every client should buy, and your delivery backbone, the control set every regulated framework draws from. The CaaS Build Guide in this series holds the packaging and pricing detail; here's how CIS slots in.

The Offer Arc

The CIS baseline assessment

The universal paid entry engagement: score the client against IG1's 56 safeguards, deliver the posture score plus a top-risks findings deck and phased roadmap. Converts to remediation projects and the Good/Better tier with quarterly re-scoring.

Why IG1: defensible scope, fast delivery, Stacks pre-answers most of it from their stack, and a score that motivates rather than overwhelms.

The managed CIS program

The ongoing tier: safeguard cadences run as tickets, evidence collected continuously, score re-baselined quarterly, and the IG1 → IG2 upgrade path documented for clients whose risk grows. Controls 13, 16, and 18 arrive as your managed add-ons, MDR, application-security support, the pen-test program: the built-in upsell.

The QBR line that renews it: "Your score went 58% → 81% this year, here's the chart, and here's what IG2 would add."

The compliance springboard

When a CIS client gets regulated, new contract, new vertical, audit notice: the baseline pre-answers the new framework via cross-mapping, and the engagement prices as an increment, not a restart. This is the 40–60% second-framework pricing mechanic from the CaaS guide, made concrete.

The pitch: "You're already 60% of the way to HIPAA, here's exactly what's left."

The Springboard, Framework by Framework

What the CIS baseline already covers

When the client needs…Your CIS baseline already covers…What's genuinely new
HIPAAhealthcareMost Security Rule technical and administrative safeguards: access control, audit logs, integrity, training, contingency planning.Privacy Rule, BAAs, breach-notification clocks, designated officials.
PCI DSScardsLarge parts of requirements 1–11: configuration, accounts, access, logging, vulnerability management, monitoring.CDE scoping and segmentation, SAQ selection, ASV scans, validation paperwork.
CMMC / 800-171defenseSubstantial coverage across the 14 families, especially access, audit, configuration, and system protection.CUI scoping, SSP/POA&M/SPRS machinery, assessment-grade evidence, C3PAO.
FTC Safeguardsauto / tax / financeNearly all eight technical safeguards of §314.4(c) plus the testing cadence.Qualified Individual designation, the written program, FTC breach reporting.
SOC 2 / ISO 27001attestation / certificateThe operational control layer behind CC6–CC9 and most of Annex A.8.The governance loop: risk methodology, SoA and system description, audits, management review.

The pattern worth internalizing: every row says the same thing, CIS supplies the controls; the regulated frameworks add scoping, paperwork, and governance. That's why the foundation comes first, and why an MSP that runs CIS on itself can walk into any framework conversation in this series already most of the way home.

ControlMap by ScalePad

CIS is Stacks' native language: the platform's best work

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs, and Stacks maps hundreds of vendor products directly to CIS Controls. Declare a stack, and the safeguards those tools satisfy answer themselves. No framework in this series gets more leverage from the platform than this one.

The Five-Step ControlMap Workflow for CIS: Starting With Yourself

  1. 1

    Stand up client zero

    Adopt CIS Controls v8.1 in your own MSP's workspace, set the IG target (IG2 for an MSP), and record the scope: RMM, identity, remote access, documentation, backup infrastructure, technician endpoints. This workspace becomes the master template every client tenant clones.

  2. 2

    Declare the stack

    Select your EDR, identity platform, backup, email security, RMM, and the rest from Stacks' library of hundreds of vendor products pre-mapped to CIS safeguards, and watch the assessment pre-populate with the safeguards those tools satisfy, mapping included as justification. Your analyst verifies and works the gaps.

  3. 3

    Score, prioritize, close: IG1 first

    Work the safeguard list by IG: complete IG1 before chasing higher-tier items, track gap → in progress → implemented per safeguard, and seed the risk register from the misses. The dashboard's posture score is the number leadership reviews quarterly, and the chart that later sells the client offering.

  4. 4

    Publish policies, run the cadences

    Draft the policy set from the template library, tailor, approve, and push for staff e-attestation; then turn every recurring safeguard, access reviews, restore tests, scan cycles, training campaigns, into recurring tasks with owners and evidence attached as it happens, automated where integrations allow.

  5. 5

    Clone the tenant, go to market

    Tenant cloning turns your finished client-zero workspace into the master template: new client, cloned tenant, their stack declared, Stacks pre-answers, your analyst tailors, onboarding in days, not weeks. Cross-mapping then banks every CIS safeguard toward HIPAA, PCI, CMMC, SOC 2, or ISO when obligations grow.

Package it as a service

Productize the arc: CIS Baseline Assessment (paid entry, IG1-scoped) → Remediate (quoted projects) → Managed CIS Program (the Good/Better tier with quarterly re-scoring) → IG2 add-ons (MDR for control 13, the pen-test program for 18). The CaaS Build Guide holds the pricing rails.

Make the QBR land

One chart carries the meeting: the posture score trend with this quarter's closed safeguards beneath it. Always show movement, and when the score plateaus near the IG1 ceiling, that's not stagnation, that's the IG2 conversation arriving on schedule.

Keep it alive

CIS revises on its own clock (v8 → v8.1; a v9 will come) and your stack changes monthly. Re-declare Stacks when tools change, re-baseline on version updates, and make "what's new in the environment?" the standing first question of every review.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each part of the CIS program lives in ControlMap and the records that prove it; a realistic first-90-days arc for your own MSP as client zero; and the ten-point quick-start checklist to put the whole guide in motion.

ControlMap in Action

Mapping ControlMap to the CIS program

AreaDo this in ControlMapRecords you'll bank
The IGsSet the IG target per tenant (your MSP at IG2, clients baselined at IG1); track IG1 completion % as the headline metric; document the IG2 upgrade path for clients whose risk profile grows.IG decision record · IG1 completion trend · upgrade-path roadmaps per client
The 18 controlsRun all in-scope safeguards as owned, scheduled controls; let Stacks supply the tool-to-safeguard mapping; attach evidence on cadence, inventories, baseline configs, MFA reports, scan results, restore tests, training exports.Safeguard status history · Stacks mapping justifications · the evidence library, organized per control
The programQuarterly re-assessment with score trend; risk register fed by gaps and incidents; posture report generated for the leadership review (yours) or the QBR (clients); annual IR tabletop and pen-test findings looped into control 7 remediation.Quarterly scorecards · risk register with treatments · review minutes · tabletop and pen-test closure records
The springboardWhen a framework lands, HIPAA, PCI, CMMC, SOC 2, ISO, adopt it in the same tenant and let cross-mapping pre-fill everything the CIS baseline already satisfies; quote only the genuine delta.Cross-map coverage reports · per-framework gap lists · the "you're already 60% there" sales artifact

Your Own MSP as Client Zero

A realistic first-90-days arc

  1. W1-2

    Commit & baseline

    IG2 target set · scope documented · workspace live · stack declared in Stacks · baseline self-assessment scored.

  2. W3-6

    Close discipline gaps

    Discipline gaps closed, admin accounts, baselines, inventories · policy set published with attestations.

  3. W7-10

    Complete IG1

    IG1 complete and evidenced · IG2 items in flight · cadences running as recurring tasks · score visibly climbing.

  4. W11-13

    Review & clone

    First quarterly review chaired by the owner · posture summary published · tenant cloned as the client template · first pilot client scoped.

Take Action

Your 10-point CIS Controls quick-start checklist

1

Make the leadership decision

Download the controls free from the Center for Internet Security and make the leadership decision: your MSP runs this first, at IG2.

2

Scope client zero honestly

Everything that touches client environments: RMM, identity, remote access, documentation, backup, technician endpoints.

3

Declare your stack

Declare your stack in ControlMap and let Stacks pre-answer the assessment; then score the rest honestly; the number's job is to move.

4

Complete IG1 first

Complete IG1's 56 safeguards before chasing higher tiers, a finished IG1 beats a half-finished IG3 in defense, audits, and sales.

5

Fix the discipline gaps first

Dedicated admin accounts, documented baselines, reconciled inventories, month-one wins that cost nothing.

6

Ticket every cadence

Turn every recurring safeguard into a ticketed cadence with an owner and evidence, access reviews, restore tests, scans, training.

7

Run the quarterly review

With the owner in the chair, score trend, closed gaps, risks, next quarter, and publish the posture summary.

8

Clone the master template

Clone the finished tenant as your master client template; then launch the CIS Baseline Assessment as your paid entry offering.

9

Sell the IG ladder

Clients baselined at IG1, IG2 as the documented upgrade, with controls 13, 16, and 18 arriving as your managed add-ons.

10

Cross-map before you quote

Use the baseline as the springboard: when HIPAA, PCI, CMMC, SOC 2, or ISO lands, cross-map first and quote only the genuine delta.

This guide is provided for general educational purposes and reflects CIS Critical Security Controls v8.1 as commonly understood at time of publication. The CIS Controls are developed and maintained by the Center for Internet Security and are free to download from cisecurity.org, consult the official publication for authoritative safeguard text and Implementation Group assignments, and verify counts against the current release before relying on them in client deliverables. Companion guides in this series: HIPAA, PCI DSS, CMMC, FTC Safeguards (GLBA), SOC 2, ISO/IEC 27001, and the CaaS Build Guide.

ControlMap

ControlMap by ScalePad

Build your foundation on ControlMap

CIS is Stacks' native framework, see how MSPs run client zero, clone the tenant, and scale the baseline assessment across their whole client list.