CIS TOP-18 CONTROLS
Gap assessments and implementation services aligned to the CIS Controls v8.1 framework for measurable, operational, and continuously optimised cyber security maturity. NEWORDER helps organisations across Africa, Europe, and the Middle East build defensible security postures grounded in the world’s most widely adopted best-practice framework.
SECURITY FRAMEWORKS
A FRAMEWORK FOR GLOBAL ENTERPRISES
In today’s threat landscape, organisations across every industry face the challenge of managing a constantly expanding digital footprint. Attackers look for the weakest entry points, and without a structured, prioritised approach to security, those vulnerabilities remain unnoticed until it is too late. Generic compliance checklists do not stop breaches. What organisations need is a practical, prioritised framework that tells them exactly what to protect, in what order, and how to measure progress.
The CIS Critical Security Controls, maintained by the Center for Internet Security, are precisely that framework. Originally developed in 2008 as the SANS Critical Security Controls and refined over nearly two decades based on real-world attack data and practitioner input from government, industry, and academia, the CIS Controls represent the global gold standard for actionable cyber security best practice.
The current version, CIS Controls v8.1 (released June 2024), contains 18 Controls and 153 Safeguards designed for modern environments including cloud, hybrid, remote workforces, and complex supply chains. The v8.1 update introduced revised asset classes, expanded glossary definitions, and alignment with the NIST Cybersecurity Framework 2.0 “Governance” security function, making it the most comprehensive and current version ever released.
The Controls are numbered by priority, not alphabetically. Control 1 (asset inventory) comes first because you cannot secure what you do not know exists. Control 18 (penetration testing) comes last because it validates everything else. This priority-based structure means organisations focus effort where it delivers the greatest risk reduction first, not where it is easiest or most convenient.
At NEWORDER, we deliver professional CIS Controls gap assessments and implementation services designed to align your cyber security posture with this framework. Our experts measure your current state against each Control, identify the gaps that represent genuine risk, and provide hands-on implementation services to embed the Controls into your daily operations. This is not a compliance exercise that produces a report and leaves. It is tactical execution that builds measurable, lasting security maturity.
CORE CAPABILITIES
- Actionable Maturity — Measurable improvement with clear, prioritised controls
- Reduced Breach Risk — Significant reduction in breach likelihood
- Regulatory Alignment — Maps to POPIA, GDPR, ISO 27001, PCI DSS
- ASM Integration — Real-time exposure identification with CIS-aligned remediation
Attacker-Perspective Assessment
Most CIS gap assessments are conducted as compliance audits. NEWORDER assesses Controls from the attacker’s perspective, evaluating not just whether a Control exists but whether it would actually stop a determined adversary. This produces findings that are grounded in real-world risk, not theoretical compliance.
Hands-On Implementation
We do not deliver a gap report and walk away. NEWORDER’s operators work alongside your team to configure tools, harden systems, build processes, and embed the Controls into your daily operations. Implementation is delivered in structured waves with validation at every stage.
Integration With Offensive Services
CIS Controls do not exist in isolation. NEWORDER integrates Controls assessment with our penetration testing (Control 18), EASM and CTEM (Control 7), application security testing (Control 16), and managed security services (Controls 8, 13) to deliver a unified, validated security programme.
Regulatory Cross-Mapping
The CIS Controls map to every major regulatory framework your organisation must comply with. NEWORDER maps your assessment findings to POPIA, GDPR, ISO 27001, NIST CSF 2.0, PCI DSS v4.0, SOC 2, and NCA.
Measurable Maturity
Every engagement includes baseline scoring, target state definition, and progress tracking with concrete KPIs: Control coverage percentage, mean time to detect, patch cadence, training completion rates, and risk reduction metrics. You can demonstrate measurable improvement to your board, auditors, and regulators.
FREQUENTLY ASKED QUESTIONS
Version 8 reduced the Controls from 20 to 18, restructured them for modern cloud, hybrid, and remote environments, and introduced Implementation Groups for scalable adoption. Version 8.1 (June 2024) added the “Governance” security function aligned to NIST CSF 2.0, revised asset classes, and expanded glossary definitions. NEWORDER assesses and implements against v8.1 exclusively.
Most organisations start with IG1 (56 Safeguards), which represents essential cyber hygiene and guards against the most common attacks. Organisations with operational complexity, multiple regulatory obligations, or concerns about data breach impact should target IG2 (130 Safeguards). Organisations handling sensitive data or critical infrastructure should target IG3 (all 153 Safeguards). NEWORDER helps you determine the correct IG during the initial scoping conversation.
A typical gap assessment takes 2 to 4 weeks depending on the size and complexity of your environment and the target Implementation Group. NEWORDER provides a detailed timeline during scoping. The assessment is designed to minimise disruption to your team’s daily operations.
No. The CIS Controls are designed for phased implementation, prioritised by the risk reduction each Control delivers. NEWORDER builds a roadmap that starts with the highest-impact Controls for your specific risk profile and progresses through structured waves. Most organisations achieve meaningful security improvement within the first 90 days.
The CIS Controls and ISO 27001 are complementary. ISO 27001 provides a management system framework for information security governance, while CIS Controls provide the specific, actionable Safeguards that implement the technical requirements. NEWORDER maps CIS Controls findings to ISO 27001 Annex A controls, so your CIS implementation directly supports ISO 27001 certification or surveillance audit readiness.
Yes. Multiple CIS Controls directly address POPIA requirements, including data protection (Control 3), access control (Control 6), audit logging (Control 8), and incident response (Control 17). NEWORDER maps every finding to POPIA obligations so your team can demonstrate compliance to the Information Regulator.
NEWORDER validates Controls through multiple methods including technical testing, configuration review, and integration with our offensive security services. Control 18 (penetration testing) is the ultimate validation, confirming whether your entire security posture can withstand a real-world attack. We also integrate CIS Controls assessment with our EASM and CTEM services for continuous validation of Controls 1, 2, 7, and 12.
TAKE ACTION
BUILD MEASURABLE CYBER MATURITY
Start with a CIS Controls gap assessment to understand where you stand today. NEWORDER delivers the assessment, the implementation, and the ongoing optimisation to build a defensible, measurable security posture.