Our Mission: Achieve CIS Controls IG1 Compliance in 90 Days
Scope:
56 Safeguards across 18 CIS Controls (IG1 subset)
No IG2/IG3 components
On-prem, cloud, or hybrid environments
Roles Involved
| Role | Responsibility | Source |
|---|---|---|
| Project Manager (PM) | Timeline, coordination, reporting | BizCare |
| Compliance Officer (CO) | Interpretation of controls, policy lead | BizCare |
| IT Administrator (ITA) | Infra configuration, patching, endpoint control | BizCare |
| Security Engineer (SE) | Technical safeguards, logging, alerting | BizCare |
| Help Desk Lead (HDL) | User support and access management | BizCare |
| Internal Auditor (IA) | Validates implementation & evidence | Client |
| Executive Sponsor (ES) | Authorizes decisions, allocates resources | Client |
Work Breakdown Structure by Phase (Days 1–90)
Phase 1: Project Planning & Scoping (Days 1–5)
| Task | Role | Description |
|---|---|---|
| Define scope: business units, infra, users | PM, CO | What's covered under IG1 |
| Assign control ownership | PM | RACI for each safeguard |
| Schedule milestone reviews | PM | Week 3, 6, 9 checkpoints |
| Identify tools to use | CO, SE | EDR, AV, logging, etc. |
Phase 2: Asset & Software Inventory (Days 6–15)
CIS Control 01 & 02
| Task | Role | Description |
|---|---|---|
| Create asset inventory (hardware) | ITA | CMDB or spreadsheet |
| Document authorized software list | ITA, CO | Whitelist of approved apps |
| Deploy inventory tool | SE | Agent or network-based scanner |
| Verify asset/software coverage | IA | Sampling for gaps |
Phase 3: Access & Identity Management (Days 10–25)
CIS Control 04 & 05
| Task | Role | Description |
|---|---|---|
| Enforce MFA for remote users | SE, ITA | VPN, email, cloud apps |
| Remove unused user accounts | ITA | Monthly review baseline |
| Document roles and access policies | CO | RBAC standardization |
| Centralize user provisioning | ITA, HDL | Admin controls documented |
Phase 4: Vulnerability & Patch Management (Days 15–30)
CIS Control 07, 08, 10
| Task | Role | Description |
|---|---|---|
| Schedule vulnerability scans | SE | Monthly minimum |
| Enable automatic patching | ITA | OS + critical software |
| Patch all critical vulnerabilities within 30 days | ITA, CO | Evidence for audit |
| Document patching process | CO | SOPs and approvals |
Phase 5: Data Protection & Backups (Days 20–35)
CIS Control 03 & 11
| Task | Role | Description |
|---|---|---|
| Encrypt sensitive data in transit | SE | SSL/TLS enforcement |
| Establish automated backups | ITA | Cloud/local hybrid if needed |
| Test backup recovery | ITA | Monthly test simulation |
| Write backup policy | CO | Include RTO/RPO targets |
Phase 6: Secure Configuration & App Controls (Days 25–45)
CIS Control 04, 06, 14
| Task | Role | Description |
|---|---|---|
| Harden baseline system images | SE | Based on CIS benchmarks |
| Disable unused ports/services | ITA | Firewall & endpoint configs |
| Restrict admin privileges | ITA, CO | Least privilege applied |
| Deploy application allowlisting | SE | Where feasible for IG1 |
Phase 7: Incident Response & Monitoring (Days 40–60)
CIS Control 09, 12, 17
| Task | Role | Description |
|---|---|---|
| Create an IR Plan | CO | Simple playbook, contact tree |
| Enable log collection | SE | From servers, endpoints, critical apps |
| Configure alerts for key events | SE | Unauthorized access, malware detection |
| Train staff on IR procedures | HDL, CO | Email phishing, escalation, etc. |
Phase 8: Security Awareness & Training (Days 45–65)
CIS Control 14 & 17
| Task | Role | Description |
|---|---|---|
| Launch cybersecurity training | CO | For all users, testable format |
| Phishing simulations (optional IG1+) | SE | Gauge readiness |
| Track and report participation | PM | Evidence for audit |
Phase 9: Final Audit & Documentation (Days 60–80)
| Task | Role | Description |
|---|---|---|
| Gather evidence for all controls | IA, CO | Screenshots, logs, policies |
| Perform internal audit | IA | Validate against IG1 checklist |
| Remediate any late gaps | SE, ITA | High-priority fixes only |
| Document exceptions (if any) | CO | Risk-accepted deviations |
Phase 10: Executive Review & Certification (Days 80–90)
| Task | Role | Description |
|---|---|---|
| Present compliance report | PM, CO | Summary of safeguards implemented |
| Approve compliance status | ES | Sign-off or defer to future |
| Finalize policy & procedure documents | CO | Archive for audits |
| Define plan for continuous compliance | PM, CO | Post-90 day roadmap |
Key Deliverables by Day 90:
- CIS IG1 Implementation Matrix
- Asset & Software Inventories
- Patch Logs & Scanning Reports
- Policies (Access, Backup, IR, Training)
- IR Plan & Training Records
- Executive Sign-Off Sheet