CIS Controls baseline
Too small for a full ISO 27001 project (ISO 27001 is the international standard for an information security management system; enterprise customers, tenders and investors often ask for it, and it is useful when you need formal certification but overkill when you just need a working baseline). Still expected to give customers serious answers about security.
This path gives you a defensible baseline: the practical controls, the lightweight evidence, and a steady review rhythm. The method is CIS Controls IG1 (the CIS Controls are a prioritised list of 18 security topics from the Center for Internet Security; IG1 is the lightest tier, the essential cyber hygiene every business should have before pursuing bigger frameworks like ISO 27001): essential cyber hygiene, without the paper ISMS (Information Security Management System: the set of policies, controls, roles and review cycles that runs security as a business function; required for ISO 27001, and often too heavy for a small company that just needs working controls).
Where This Fits
Who this is for
This is you
Your company
- Usually 1-20 people
- No in-house security team
- Not yet facing formal ISO 27001 or NIS2 obligations
- Still expected to be defensible and trusted
What is pushing you
- A customer sent a security questionnaire
- A GDPR worry has surfaced
- An incident gave everyone a scare
- An investor started asking questions
How we do it
- Instead of jumping into a full ISO 27001 project too early, we start from what you actually have today.
- Instead of buying security tools nobody ever configures, we fix the highest-risk exposure first.
- Instead of writing policies nobody reads or follows, we keep evidence light enough to stay current.
Where This Sits
Before ISO 27001
Many small companies jump straight into ISO 27001 because a customer asked about security. Sometimes that is necessary. Often it is too early.
This baseline gives you the practical controls and lightweight evidence first. If ISO 27001 becomes the right next step, none of this work is wasted - it becomes the foundation.
What We Fix First
The obvious gaps
Before policies, before frameworks, before anything that looks like an ISMS, we close the gaps that actually let attackers in.
- MFA everywhere (multi-factor authentication: login needs a password plus a second factor, a phone prompt or a hardware key; it stops most account takeovers and is the single highest-impact change a small company can make. Prefer an authenticator app or a hardware key over SMS codes, and use hardware keys for admin accounts, since push prompts and SMS can still be phished or fatigued out of a user)
- Admin access tightened
- A password manager people use
- Endpoint protection (modern anti-malware on every laptop, server and phone; it detects ransomware and intrusions early and lets you isolate a compromised device before it spreads across the business)
- Patching that actually happens
- Email and web protections
- A verified backup recovery
- Basic logging that someone reads
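What "a verified backup recovery" means in practice is that someone restored the backup to a scratch location and checked the result, and kept the record. The script below is an added illustration of that check, not part of the service described on this page: it hashes every file in the original, restores a copy, and reports missing or corrupted files as a JSON evidence record. The directory names, file contents and the two restore scenarios are constructed sample data; the same `verify_restore` function works on any two file trees.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every regular file under root (relative path, '/' separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of(full)
    return out


def verify_restore(source, restore_dir):
    """Compare a restored tree against the original and return the evidence record.

    'passed' is only true when every original file came back byte-for-byte.
    Extra files in the restore are reported but do not fail the test.
    """
    expected = manifest(source)
    actual = manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(expected),
        "files_verified": len(expected) - len(missing) - len(corrupt),
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
        "passed": not missing and not corrupt,
    }


def run_demo():
    """Constructed scenario (sample data, not a real system): three files are
    backed up, restored cleanly once, and restored a second time with one
    file truncated and one file missing. Returns both evidence records."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "invoices"))
        with open(os.path.join(source, "customers.csv"), "w") as f:
            f.write("id,name\n1,Example Ltd\n")
        with open(os.path.join(source, "invoices", "2024-01.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample content\n" * 100)
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("constructed sample\n")

        backup = os.path.join(work, "backup")
        shutil.copytree(source, backup)          # stands in for the backup job

        clean = os.path.join(work, "restore-clean")
        shutil.copytree(backup, clean)           # restore to scratch space, never over production
        good = verify_restore(source, clean)

        broken = os.path.join(work, "restore-broken")
        shutil.copytree(backup, broken)
        with open(os.path.join(broken, "invoices", "2024-01.pdf"), "wb") as f:
            f.write(b"%PDF-1.4")                 # simulate a truncated restore
        os.remove(os.path.join(broken, "notes.txt"))  # and a file that never came back
        bad = verify_restore(source, broken)
        return good, bad
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, record in zip(("clean restore", "broken restore"), run_demo()):
        print(label)
        print(json.dumps(record, indent=2))   # this JSON is the evidence to keep
```

The point of the second scenario is that a restore job can finish without error and still be useless; only a file-by-file comparison against the original catches a truncated or missing file. Keep the dated JSON output with the test, because that record is what a customer questionnaire is really asking for.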
What Proof You Get
Evidence you walk away with
- An asset register a customer can actually believe (a list of what you actually own and use: devices, cloud accounts, business-critical apps, sensitive data, suppliers; without it you cannot say what you protect, where data lives, or what an attacker just reached)
- A short security policy that fits your company
- An access and admin review
- A supplier list with security context
- A backup recovery test you actually ran
- An incident contact plan
- Honest, defensible answers to customer security questionnaires
This is what makes the difference between "we take security seriously" and being able to prove it.
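An access and admin review is the kind of evidence that is easy to claim and hard to show. The script below is an added example, not a deliverable from this page, of what the review can look like when it is run over an account export rather than done by eye: it flags admins without MFA, any active account without MFA, accounts dormant for more than 90 days, and privileged accounts with a shared or functional name. The CSV export and the account names are constructed sample data, and the column names and the shared-account name prefixes are assumptions to adjust to whatever your identity provider actually exports.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real accounts). Most identity providers and
# SaaS admin consoles can produce something in this shape; column names are an
# assumption for this example.
SAMPLE_EXPORT = """\
user,role,mfa_enabled,last_login,status
alice@example.com,admin,true,2024-05-20,active
bob@example.com,admin,false,2024-05-18,active
carol@example.com,user,true,2024-01-02,active
shared-ops@example.com,admin,true,2024-05-19,active
dave@example.com,user,true,2023-11-30,active
eve@example.com,user,false,2024-05-21,suspended
"""

# Heuristic (assumed for this example): local parts that look like a function
# rather than a person, so nobody is personally accountable for the account.
SHARED_PREFIXES = ("shared", "ops", "admin", "support", "info")


def review_accounts(csv_text, today_iso, dormant_days=90):
    """Run the review over an export and return the findings as lists of account names."""
    today = date.fromisoformat(today_iso)
    findings = {
        "admins_without_mfa": [],   # highest priority: privileged and password-only
        "active_without_mfa": [],
        "dormant": [],              # active but unused for more than dormant_days
        "shared_admin": [],         # privileged accounts nobody personally owns
        "admin_count": 0,
        "total_active": 0,
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip()
        is_admin = row["role"].strip().lower() == "admin"
        has_mfa = row["mfa_enabled"].strip().lower() == "true"
        active = row["status"].strip().lower() == "active"
        if not active:
            continue   # suspended accounts are out of scope for this pass
        findings["total_active"] += 1
        if is_admin:
            findings["admin_count"] += 1
        if not has_mfa:
            findings["active_without_mfa"].append(user)
            if is_admin:
                findings["admins_without_mfa"].append(user)
        last = date.fromisoformat(row["last_login"].strip())
        if (today - last).days > dormant_days:
            findings["dormant"].append(user)
        local = user.split("@", 1)[0].lower()
        if is_admin and local.startswith(SHARED_PREFIXES):
            findings["shared_admin"].append(user)
    return findings


if __name__ == "__main__":
    for key, value in review_accounts(SAMPLE_EXPORT, "2024-05-21").items():
        print(f"{key}: {value}")
```

Run it against a fresh export each quarter and file the output next to the previous one; the diff between the two runs is the access review, and an empty `admins_without_mfa` list is the line a questionnaire reviewer will look for first.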
The Rhythm
First 90 days
You know what you have, and the biggest exposures are identified.
The obvious exposures are fixed. MFA and backup recovery are verified.
A lightweight evidence pack exists. You can answer a customer security questionnaire honestly.
The Roadmap
Four phases
Know what exists
Map your devices, users, cloud accounts, business-critical apps, sensitive data, suppliers, and backups. You cannot protect what you have never listed.
Fix the obvious exposure
The eight obvious-exposure fixes - MFA, admin access, password manager, endpoint protection, patching, email and web protections, backup recovery, basic logging - covered earlier on the page.
Create lightweight evidence
The evidence pack - asset register, short policy, access review, supplier list, incident contact plan, customer-questionnaire answers - covered earlier on the page.
Retainer rhythm
Quarterly risk and access review, supplier evidence updates, small technical checks, employee awareness, and roadmap upkeep so the baseline does not drift.
The Method
The CIS Controls IG1 structure
The defensible baseline is built on the CIS Critical Security Controls v8.1: 18 controls whose individual safeguards are tiered into three nested Implementation Groups (everything in IG1 is also in IG2 and IG3). For small companies we work inside IG1, essential cyber hygiene.
- 01 Inventory and Control of Enterprise Assets
- 02 Inventory and Control of Software Assets
- 03 Data Protection
- 04 Secure Configuration of Enterprise Assets and Software
- 05 Account Management
- 06 Access Control Management
- 07 Continuous Vulnerability Management
- 08 Audit Log Management
- 09 Email and Web Browser Protections
- 10 Malware Defenses
- 11 Data Recovery
- 12 Network Infrastructure Management
- 13 Network Monitoring and Defense
- 14 Security Awareness and Skills Training
- 15 Service Provider Management
- 16 Application Software Security
- 17 Incident Response Management
- 18 Penetration Testing
The Path
- IG1, Essential Cyber Hygiene: where most small companies should start, and often all they need.
- ISO 27001, formalise into an ISMS: certification and customer assurance.
- IG2, go deeper technically: more controls, no certification.
- IG3 is intended for high-sensitivity and regulated environments. It is not the target of this path.
Once IG1 is in place and proven, we decide together what comes next: formalise into an ISO 27001 ISMS if certification or customer assurance is the goal, or continue with IG2 if the priority is deeper technical defence. IG3 is intended for high-sensitivity and regulated environments and is not the target of this path.
The retainer is the delivery model
This is not a fixed project. We agree on a retained partnership and move at the pace and budget you can sustain. Progress can be slow, but it stays consistent - security keeps moving forward instead of stalling between one-off pushes. There is always budget for the next step.
What is not included
This is not a full ISMS, not ISO 27001 certification, and not legal advice. I implement and advise; management owns the business risk and the final decisions.
You are not buying compliance. You are buying a defensible security baseline that customers can trust.
Get a roadmap
Start with a focused assessment. We map the CIS controls that matter most for a company your size and turn them into a roadmap you can act on.