CIS Controls Gap Analysis

The “Top 20” controls

Effective cyber defense

The Center for Internet Security (CIS) Controls for Effective Cyber Defense, is a tactical security standard, developed by security professionals and adopted from a standard known as the SANS Top 20. It is recommended by the California Secretary of State as a reference standard, and widely used across multiple industries as a prioritized approach framework to building security programs. There are twenty key (20) focus areas.

All gap analysis engagements are performed via interviews and team discussions. These are not intended to be audits. Claims will not be verified or independently tested. The goal of a gap analysis is to partner with the organization to assess how closely their security program aligns with the standard or framework and to determine which policies, processes, or controls are outstanding for the organization to achieve compliance.

The CIS Controls

  • CSC 1: Inventory of Authorized and Unauthorized Devices
  • CSC 2: Inventory of Authorized and Unauthorized Software
  • CSC 3: Secure Configurations for Hardware and Software
  • CSC 4: Continuous Vulnerability Assessment and Remediation
  • CSC 5: Controlled Use of Administrative Privileges
  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 7: Email and Web Browser Protections
  • CSC 8: Malware Defenses
  • CSC 9: Limitation and Control of Network Ports
  • CSC 10: Data Recovery Capability
  • CSC 11: Secure Configurations for Network Devices
  • CSC 12: Boundary Defense
  • CSC 13: Data Protection
  • CSC 14: Controlled Access Based on the Need to Know
  • CSC 15: Wireless Access Control
  • CSC 16: Account Monitoring and Control
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  • CSC 18: Application Software Security
  • CSC 19: Incident Response and Management
  • CSC 20: Penetration Tests and Red Team Exercises


Truvantis’ report will measure security operations against each of the controls and make recommendations based on its significance to the operation’s risk posture.

There is no attestation or formal certification available for this standard.

Start typing and press Enter to search