ALL-IN-ONE GUIDE

CIS Controls v8 Guide for Service Providers

Last updated: January 23th, 2025

The Importance of CIS Controls v8

The CIS Controls are a globally recognized framework designed to help organizations prioritize and implement effective cybersecurity measures. Originally developed to address gaps in public and enterprise security, these controls have evolved into a community-driven standard, updated regularly to reflect emerging threats and align with frameworks like MITRE ATT&CK. For service providers, the CIS Controls offer a practical, cost-effective roadmap to improve security postures, protect client environments, and reduce the risk of cyberattacks. By implementing these prioritized safeguards, service providers can enhance their service offerings, meet regulatory requirements, and establish themselves as trusted advisors in cybersecurity.

cis controls protection graphic

Cybersecurity threats are evolving rapidly, and service providers must adopt robust strategies to protect client data, ensure compliance, and maintain trust. The CIS Controls Version 8 is a prioritized framework of best practices designed to strengthen defenses against real-world threats.

Adhering to these controls is critical for service providers because it:

  • Offers a structured approach to managing risks
  • Demonstrates a commitment to safeguarding sensitive data
  • Aligns with regulations like GDPR, HIPAA, and CMMC
  • Focuses on actions with the highest security impact
  • Helps mitigate vulnerabilities before they’re exploited

This guide provides practical insights into implementing all 18 CIS Controls, helping service providers understand, automate, and educate their way to a stronger cybersecurity posture.

With CIS Controls v8 and our platform, service providers can confidently secure their operations and lead in cybersecurity excellence. 

Discover How FortMesa Simplifies CIS Controls Compliance
ALL-IN-ONE GUIDE

Master Cybersecurity Standards

Learn how CIS Controls fit into the bigger picture. Explore our full guide to Cybersecurity Standards.

LEARN MORE
cybersecurity standards

1. Inventory and Control of Enterprise Assets

Maintaining an accurate inventory of enterprise assets ensures all devices, systems, and endpoints are tracked and monitored. This is foundational for identifying unauthorized or vulnerable assets that could become entry points for attackers.

Key Actions:

  • Create and maintain a detailed inventory of all devices connected to your network.
  • Identify unauthorized or unmanaged devices and immediately secure or remove them.
  • Use automated tools to track and update inventory in real time.

Clip auto-start at: 6:03 Length: 7 min (This is part of our "3 Ways You Can Charge More Tomorrow" episode.)

 

2. Inventory and Control of Software Assets

Managing software assets is crucial for mitigating risks associated with outdated, unpatched, or unauthorized software. This control ensures compliance with security policies and reduces software vulnerabilities.

Key Actions:

  • Maintain a complete inventory of authorized software
  • Regularly audit systems for unauthorized or obsolete software
  • Implement automated tools to monitor software installations and updates

Clip auto-start at: 4:01 Length: 9 min (This is part of our "Win the Cyber Sale With an Ounce of Compliance" episode.)

 

3. Data Protection

Data is one of the most valuable assets for any organization. Protecting it involves identifying, classifying, securely handling, retaining, and disposing of data in alignment with enterprise policies.

Key Actions:

  • Identify sensitive data and categorize it by risk level
  • Restrict access to authorized users and encrypt data at rest and in transit
  • Establish clear guidelines for securely retaining and disposing of data
  • Detect and manage unauthorized tools or systems storing sensitive data

Clip auto-start at: 5:46 Length: 24 min (This is part of our "Take Control of Your Client Shadow IT" episode.)

 

4. Secure Configuration of Enterprise Assets and Software

Ensuring secure configurations reduces vulnerabilities and strengthens defenses against cyber threats. Standard configurations prevent misconfigurations, a leading cause of breaches.

Key Actions:

  • Develop and enforce configuration standards for all enterprise assets
  • Continuously monitor configurations for unauthorized changes
  • Regularly update configurations based on emerging threats

Clip auto-start at: 7:17 Length: 14 min (This is part of our "Adding Cybersecurity to Your QBR" episode.)

 

5. Account Management

Effective account management minimizes risks associated with unused, default, or over-privileged accounts. This control ensures that user access is appropriately restricted.

Key Actions:

  • Establish policies for creating, managing, and deleting accounts
  • Regularly audit accounts to identify and remove unused or unnecessary access
  • Implement multi-factor authentication (MFA) for all accounts

Clip auto-start at: 8:09 Length: 14 min (This is part of our "Cyber Wins vs Shiny Objects" episode.)

 

6. Access Control Management

Restricting access to critical systems and data is key to reducing the attack surface. Access control ensures that users only have permissions necessary for their roles.

Key Actions:

  • Implement role-based access control (RBAC)
  • Enforce the principle of least privilege
  • Regularly review and update access controls based on changes in roles or responsibilities

Clip auto-start at: 6:44 Length: 32 min (This is part of our "Conquer Zero Trust" episode.)

7. Continuous Vulnerability Management

CIS Control 7 focuses on identifying and managing vulnerabilities across an organization’s systems and software to reduce security risks. It outlines a structured process for detecting, evaluating, and fixing vulnerabilities continuously, ensuring that systems remain secure and resilient against threats.

Key Actions:

  • Define roles, responsibilities, and timelines for identifying and addressing vulnerabilities
  • Set up a clear process for fixing vulnerabilities, including patching and addressing exceptions
  • Use automated tools for operating system and application patching, and continuously scan for vulnerabilities
  • Quickly address vulnerabilities, prioritizing high-risk issues to minimize the window of exposure

Clip auto-start at: 20:32 Length: 11 min (This is part of our "MSP New Year's Resolutions for Success in 2024" episode.)

 

8. Audit Log Management

Audit logs provide critical visibility into system activities, helping detect unauthorized access or malicious activity. Proper management ensures compliance and security.

Key Actions:

  • Define logging requirements for all enterprise assets
  • Regularly review logs for anomalies or suspicious activity
  • Securely store logs for analysis and compliance purposes

Clip auto-start at: 3:29 Length: 22 min (This is part of our "Protect Yourself From APTs" episode.)

9. Email and Web Browser Protections

Email and web browsers are primary vectors for cyberattacks, including phishing and malware delivery. Implementing protective measures ensures these tools remain secure while in use.

Key Actions:

  • Use secure email gateways to filter malicious emails
  • Block access to untrusted or harmful websites through DNS filtering
  • Regularly update and patch email clients and web browsers to eliminate vulnerabilities

Clip auto-start at: 8:36 Length: 19 min (This is part of our "Staying Secure During the Holiday Shopping Season" episode.)

10. Malware Defenses

Malware defenses prevent the execution of malicious software that could compromise systems and data. Proactive defenses are essential to mitigating ransomware, spyware, and other threats.

Key Actions:

  • Deploy endpoint detection and response (EDR) tools to monitor for malicious activity
  • Use automated malware scanning and sandboxing to analyze suspicious files
  • Train employees to recognize malware indicators and avoid unsafe downloads

 

Clip auto-start at: 7:40 Length: 10 min (This is part of our "MoveIT Vuln 90' Days Later" episode.)

11. Data Recovery

Data recovery ensures that organizations can quickly restore critical information after a breach or system failure. This control minimizes downtime and data loss.

Key Actions:

  • Perform regular backups of critical systems and data
  • Test data recovery processes periodically to ensure they function effectively
  • Securely store backups in isolated locations to prevent compromise during an attack

Clip auto-start at: 5:31 Length: 13 min (This is part of our "Disaster Recovery Planning" episode.)

 

12. Network Infrastructure Management

Proper management of network infrastructure minimizes risks associated with misconfigurations, outdated equipment, and unprotected network segments.

Key Actions:

  • Segregate networks based on their roles and sensitivity (e.g., guest, production, or management)
  • Monitor and update network device firmware and configurations regularly
  • Implement least-privilege access for network administration

Clip auto-start at: 3:23 Length: 21 min (This is part of our "Securing the MSP vs Securing the Client" episode.)

13. Network Monitoring and Defense

Continuous monitoring and defense of networks ensure that anomalies, threats, and intrusions are detected and neutralized swiftly.

Key Actions:

  • Deploy intrusion detection and prevention systems (IDPS) to monitor for suspicious traffic
  • Use security information and event management (SIEM) tools to correlate and analyze network logs
  • Establish a 24/7 monitoring process, either in-house or via a managed security service provider (MSSP)

Clip auto-start at: 5:46 Length: 22 min (This is part of our "Security Triaging With Your PSA" episode.)

 

14. Security Awareness and Skills Training

Employees are often the first line of defense against cyber threats. Regular training empowers them to recognize and mitigate risks.

Key Actions:

  • Conduct phishing simulations to test employee response to fraudulent emails
  • Provide regular training sessions on recognizing cyber threats and proper response protocols
  • Tailor training based on employee roles and access levels

Clip auto-start at: 5:58 Length: 8 min (This is part of our "Conquering Cyber Price Objections" episode.)

15. Service Provider Management

Service providers must align with your organization’s cybersecurity policies to prevent third-party risks. This control focuses on defining and enforcing security requirements in provider agreements.

Key Actions:

  • Include security requirements, such as breach notification and encryption standards, in provider contracts
  • Conduct regular security assessments of providers to ensure compliance
  • Review and update contracts annually or as enterprise needs evolve

Clip auto-start at: 5:04 Length: 12 min (This is part of our "Finding Comfort With Target Customers and Business models" episode.)

 

16. Application Software Security

Applications are frequent targets for attackers. Secure development practices ensure software is resistant to vulnerabilities and exploits.

Key Actions:

  • Incorporate security testing into the software development lifecycle (SDLC)
  • Regularly patch and update application software
  • Use automated tools to scan for vulnerabilities in application code

Clip auto-start at: 5:12 Length: 16 min (This is part of our "Key KPI's for a Growing MSP" episode.)

 

17. Incident Response Management

Preparing for and managing incidents ensures swift action to minimize damage and downtime during a cybersecurity event.

Key Actions:

  • Develop and document an incident response plan (IRP) that includes key roles and responsibilities
  • Conduct tabletop exercises to test the effectiveness of the IRP
  • Create a communication strategy for internal teams and external stakeholders

Clip auto-start at: 4:24 Length: 14 min (This is part of our "MDR vs XDR & WTH w/MGM" episode.)

18. Penetration Testing

Penetration testing identifies weaknesses in systems and applications by simulating real-world attacks. This proactive approach helps address vulnerabilities before they can be exploited.

Key Actions:

  • Schedule regular penetration tests with qualified professionals
  • Prioritize remediation of vulnerabilities discovered during testing
  • Integrate penetration testing results into your broader risk management strategy

Clip auto-start at: 7:45 Length: 13 min (This is part of our "Vulnerability Management vs Penetration Testing" episode.)

 

Strengthen Cybersecurity, Compliance, and Client Trust

For service providers, adopting the CIS Controls is not just about compliance or best practices; it's about delivering measurable value to clients while safeguarding their own operations. The framework's emphasis on cost-effectiveness, adaptability to different organizational sizes, and alignment with real-world threat data makes it an essential tool in mitigating risk and optimizing security investments.

To stay up-to-date with the latest developments in the CIS Controls framework, read What's new in CIS Controls V8.1?. By leveraging these updates, service providers can stay ahead of attackers, demonstrate a commitment to security excellence, and build stronger, more resilient relationships with their clients.

 

LIVESTREAM

Conquering Cyber Price Objections

Demonstrating cybersecurity value amid budget constraints

LIVESTREAM

MoveIT Vuln 90 Days Later

Lessons learned from the MoveIT vulnerability (CVE-2023-34362)

WEB GUIDE

Teambuilding 101

Ingredients of an Effective Security Team

LIVESTREAM

Finding Comfort with Target Customers and Business Models

The journey to an Ideal MSP Customer Profile and a comfortable Predominant Business Model

Cybersecurity made simple, for humans.

Get Started