CIS CSAT (CIS Controls Self-Assessment Tool) is a free web-based tool that allows organizations to assess their cybersecurity strategy and infrastructure against the Center for Internet Security’s 20 Critical Controls. The tool was developed for CIS by EthicalHat Cyber Security, and is based on AuditScripts’ popular CIS Controls Manual Assessment spreadsheet. It helps businesses easily track their documentation, implementation, automation and reporting of CIS Controls, and compare their own security performance with the industry average.
CIS Critical Controls
The 20 CIS Controls include Basic, Foundational and Organizational Controls, each of which is further subdivided into sub-controls. In the latest version of the Controls (V7.1), CIS added three Implementation Groups for easy prioritization of sub-controls. Implementation Group 1 contains the most essential sub-controls that each organization should implement, regardless of size and resources available. Implementation Group 2 contains sub-controls that apply to organizations with dedicated IT teams and higher levels of operational complexity. IG3 is for larger organizations that handle substantial amounts of sensitive data and employ cybersecurity specialists to manage different aspects of security. “Each IG builds upon the previous one. As such, IG2 includes IG1, and IG3 includes all of the CIS Sub-Controls in IG1 and IG2.”
CIS CSAT features
The first person from an organization to register on CSAT becomes the tool ‘Owner’, who can delegate questions to other team members and set deadlines. Users can also upload evidence documents for each control, create and share assessment reports, and collaborate with other organizations on shared security goals.
- Track your implementation of CIS Controls
- Collaborate with team members across platforms
- Export and share assessment reports in different formats (PowerPoint, Excel, PDF, assessment charts)
- Compare your security performance with that of industry peers and competitors
- Collaborate with other organizations on shared security goals
- Map Controls to other important cybersecurity standards (PCI DSS, NIST 800-53)
CIS Controls-based Security Gap Assessment
EthicalHat conducts both one-time and ongoing cybersecurity gap assessments for companies of all sizes, using CIS Critical Controls as the benchmark. The assessment process involves evaluating an organization’s existing security policies and practices against each control and sub-control to identify gaps in its security strategy, and coming up with actionable recommendations to close those gaps. We use CIS CSAT to streamline the assessment process.
Learn more about our CIS CSAT Security Gap Assessment.