Our Mission: Achieve CIS Controls IG1 Compliance in 90 Days
Scope:
- 56 Safeguards spanning 15 of the 18 CIS Controls (the v8 IG1 subset; Controls 13, 16 and 18 have no IG1 safeguards)
- No IG2/IG3 components
- On-prem, cloud, or hybrid environments
Roles Involved
Role | Responsibility | Source |
---|---|---|
Project Manager (PM) | Timeline, coordination, reporting | BizCare |
Compliance Officer (CO) | Interpretation of controls, policy lead | BizCare |
IT Administrator (ITA) | Infra configuration, patching, endpoint control | BizCare |
Security Engineer (SE) | Technical safeguards, logging, alerting | BizCare |
Help Desk Lead (HDL) | User support and access management | BizCare |
Internal Auditor (IA) | Validates implementation & evidence | Client |
Executive Sponsor (ES) | Authorizes decisions, allocates resources | Client |
Work Breakdown Structure by Phase (Days 1–90)
Phase 1: Project Planning & Scoping (Days 1–5)
Task | Role | Description |
---|---|---|
Define scope: business units, infra, users | PM, CO | What's covered under IG1 |
Assign control ownership | PM | RACI for each safeguard |
Schedule milestone reviews | PM | Week 3, 6, 9 checkpoints |
Identify tools to use | CO, SE | EDR, AV, logging, etc. |
Phase 2: Asset & Software Inventory (Days 6–15)
CIS Control 01 & 02
Task | Role | Description |
---|---|---|
Create asset inventory (hardware) | ITA | CMDB or spreadsheet; record hostname, MAC/IP, owner and whether the device is approved to connect (1.1) |
Document authorized software list | ITA, CO | Allowlist of approved apps with vendor and version (2.1) |
Deploy inventory tool | SE | Agent or network-based scanner |
Verify asset/software coverage | IA | Compare scanner output against the inventory; sample for gaps |
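The verification step above is where most IG1 inventories fail: the CMDB says one thing and the network says another. The script below is an added example (not part of this plan, and not any vendor's tool) that reconciles a scanner's discovered hosts against the CMDB for Control 1 and installed software against the authorized list for Control 2. The CMDB rows, scan results, allowlist and field names are all constructed assumptions; map them onto your own scanner export and CMDB extract.

```python
"""Inventory reconciliation for CIS Controls 1 and 2 (IG1).

Compares what a network scanner actually saw against the CMDB
(Control 1, enterprise assets) and what is installed on endpoints
against the authorized-software list (Control 2). All data below is
constructed sample input; the field names are assumptions to be mapped
onto your own scanner export and CMDB extract.
"""

# Constructed CMDB extract: what we claim to own (Safeguard 1.1).
CMDB = [
    {"hostname": "fs01", "mac": "00:1A:2B:3C:4D:01", "owner": "ITA", "status": "active"},
    {"hostname": "hr-laptop-07", "mac": "00:1a:2b:3c:4d:02", "owner": "HDL", "status": "active"},
    {"hostname": "ceo-tablet", "mac": "00-1a-2b-3c-4d-04", "owner": "ES", "status": "active"},
    {"hostname": "old-print-srv", "mac": "00:1a:2b:3c:4d:03", "owner": "ITA", "status": "decommissioned"},
]

# Constructed scanner output: what was really on the network this week.
SCAN = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.0.1.10"},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.0.2.45"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.0.1.77"},  # decommissioned on paper, still online
    {"mac": "dc:a6:32:11:22:33", "ip": "10.0.2.99"},  # never recorded in the CMDB
]

# Constructed authorized-software list (2.1) and per-endpoint installed-software reports.
AUTHORIZED = {"Microsoft Office", "Google Chrome", "7-Zip", "CrowdStrike Falcon"}
INSTALLED = {
    "fs01": {"7-Zip", "CrowdStrike Falcon"},
    "hr-laptop-07": {"Microsoft Office", "Google Chrome", "CrowdStrike Falcon", "uTorrent"},
}


def normalize_mac(mac):
    """MACs arrive in mixed case and with '-' or ':' separators; compare one canonical form."""
    return mac.strip().lower().replace("-", ":")


def unauthorized_assets(cmdb, scan):
    """Devices on the wire that IG1 would call unauthorized (1.2): unknown MACs,
    and devices the CMDB says are retired but that still answer on the network."""
    known = {normalize_mac(r["mac"]): r for r in cmdb}
    findings = []
    for host in scan:
        mac = normalize_mac(host["mac"])
        row = known.get(mac)
        if row is None:
            findings.append((mac, host["ip"], "not in inventory"))
        elif row["status"] != "active":
            findings.append((mac, host["ip"], f"{row['hostname']} is {row['status']} but online"))
    return findings


def missing_from_scan(cmdb, scan):
    """Active inventory rows the scanner never saw: stale CMDB entries or assets
    on a segment the scanner does not reach. Either way the inventory is unverified."""
    seen = {normalize_mac(h["mac"]) for h in scan}
    return [r["hostname"] for r in cmdb
            if r["status"] == "active" and normalize_mac(r["mac"]) not in seen]


def unauthorized_software(installed, authorized):
    """Software present on endpoints but absent from the authorized list (2.3)."""
    return {host: sorted(apps - authorized)
            for host, apps in installed.items() if apps - authorized}


def software_coverage(installed, cmdb):
    """Share of active assets that returned a software inventory at all (2.1 evidence)."""
    active = [r["hostname"] for r in cmdb if r["status"] == "active"]
    return sum(1 for h in active if h in installed) / len(active) if active else 0.0


if __name__ == "__main__":
    for mac, ip, why in unauthorized_assets(CMDB, SCAN):
        print(f"UNAUTHORIZED ASSET {mac} {ip}: {why}")
    print("active but not seen by scanner:", missing_from_scan(CMDB, SCAN))
    print("unauthorized software:", unauthorized_software(INSTALLED, AUTHORIZED))
    print(f"software inventory coverage: {software_coverage(INSTALLED, CMDB):.0%}")
```

Run it after each scan and keep the output with the date: the list of unauthorized assets and the coverage percentage are exactly the evidence the Internal Auditor samples in Phase 9. Devices on segments the scanner cannot reach show up as "active but not seen", which is a scanner-placement gap rather than a CMDB error, so check that list before deleting rows.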
Phase 3: Access & Identity Management (Days 10–25)
CIS Control 05 & 06
Task | Role | Description |
---|---|---|
Enforce MFA for remote and administrative access | SE, ITA | VPN, email, externally exposed apps, and every admin account (6.3, 6.4, 6.5) |
Disable dormant user accounts | ITA | Accounts inactive for 45 days are disabled (5.3); review monthly |
Document roles and access policies | CO | RBAC standardization |
Centralize user provisioning | ITA, HDL | Documented process for granting and revoking access (6.1, 6.2) |
Phase 4: Vulnerability & Patch Management (Days 15–30)
CIS Control 07 & 10
Task | Role | Description |
---|---|---|
Schedule vulnerability scans | SE | Monthly minimum; authenticated scans where possible |
Enable automatic patching | ITA | OS, applications, and anti-malware signatures (7.3, 7.4, 10.2) |
Patch all critical vulnerabilities within 30 days | ITA, CO | Evidence for audit: scan deltas and patch logs showing age of open findings |
Document patching process | CO | SOPs and approvals |
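"Patch critical within 30 days" is only auditable if someone computes the age of each open finding against the SLA. The script below is an added example (not part of this plan) that does that over a vulnerability-scan export. The CSV layout, the SLA_DAYS windows for High/Medium/Low (the plan only states the 30-day critical window) and the AS_OF scan date are constructed assumptions; real scanners export comparable columns under their own names, so adjust load_findings() accordingly.

```python
"""Patch-SLA check for CIS Control 7 (IG1): which open findings are past the
remediation window the plan commits to (critical within 30 days).

The CSV below is constructed sample data in a generic shape (host, vuln_id,
severity, first_seen, last_seen). Real scanners export similar columns under
different names; map them in load_findings(). AS_OF is the date of the latest
scan, also constructed.
"""
import csv
import io
from datetime import date

# Assumed windows: the plan's 30-day critical window, plus conventional lower tiers.
SLA_DAYS = {"Critical": 30, "High": 30, "Medium": 90, "Low": 180}
AS_OF = date(2024, 6, 10)  # date of the latest scan run in the sample

SCAN_CSV = """host,vuln_id,severity,first_seen,last_seen
fs01,CVE-2024-0001,Critical,2024-05-01,2024-06-10
fs01,CVE-2024-0002,High,2024-06-05,2024-06-10
hr-laptop-07,CVE-2024-0003,Critical,2024-05-20,2024-06-10
hr-laptop-07,CVE-2024-0004,Medium,2024-02-01,2024-06-10
web01,CVE-2024-0001,Critical,2024-05-01,2024-05-20
"""


def load_findings(text):
    """Parse the export; first_seen/last_seen become date objects so ages can be computed."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "vuln_id": r["vuln_id"],
            "severity": r["severity"],
            "first_seen": date.fromisoformat(r["first_seen"]),
            "last_seen": date.fromisoformat(r["last_seen"]),
        })
    return rows


def open_findings(rows, as_of):
    """A finding is still open if the latest scan saw it; an older last_seen means
    it no longer shows up (patched, host retired) and is not counted against the SLA."""
    return [r for r in rows if r["last_seen"] == as_of]


def overdue(rows, as_of, sla=SLA_DAYS):
    """Open findings whose age exceeds the window for their severity, worst first."""
    out = []
    for r in open_findings(rows, as_of):
        age = (as_of - r["first_seen"]).days
        limit = sla.get(r["severity"])
        if limit is not None and age > limit:
            out.append({**r, "age_days": age, "over_by": age - limit})
    return sorted(out, key=lambda x: -x["over_by"])


def sla_summary(rows, as_of, sla=SLA_DAYS):
    """Per-severity open/overdue counts and the within-SLA percentage auditors ask for."""
    opened = open_findings(rows, as_of)
    late = {(r["host"], r["vuln_id"]) for r in overdue(rows, as_of, sla)}
    summary = {}
    for sev in sla:
        total = [r for r in opened if r["severity"] == sev]
        n_late = sum(1 for r in total if (r["host"], r["vuln_id"]) in late)
        pct = round(100 * (len(total) - n_late) / len(total), 1) if total else 100.0
        summary[sev] = {"open": len(total), "overdue": n_late, "within_sla_pct": pct}
    return summary


if __name__ == "__main__":
    rows = load_findings(SCAN_CSV)
    for f in overdue(rows, AS_OF):
        print(f"OVERDUE {f['severity']:8} {f['host']:14} {f['vuln_id']} "
              f"age={f['age_days']}d over_by={f['over_by']}d")
    for sev, s in sla_summary(rows, AS_OF).items():
        print(f"{sev:8} open={s['open']} overdue={s['overdue']} within_sla={s['within_sla_pct']}%")
```

Age is measured from first_seen, not from the scan that happened to be run this month; a finding first reported in May and still present in June is 40 days old regardless of how many scans were skipped in between. Keep the monthly summary output alongside the patch logs as the Phase 9 evidence for this safeguard.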
Phase 5: Data Protection & Backups (Days 20–35)
CIS Control 03 & 11
Task | Role | Description |
---|---|---|
Encrypt data on end-user devices | SE | Full-disk encryption, e.g. BitLocker/FileVault (3.6); TLS for data in transit (3.10) is an IG2 safeguard |
Establish automated backups | ITA | Cloud/local hybrid if needed; keep at least one copy isolated or offline (11.4) |
Test backup recovery | ITA | Monthly restore test; 11.5 is IG2, but an untested backup is not evidence of recoverability |
Write backup policy | CO | Include RTO/RPO targets |
Phase 6: Secure Configuration & App Controls (Days 25–45)
CIS Control 02, 04 & 05
Task | Role | Description |
---|---|---|
Harden baseline system images | SE | Based on CIS Benchmarks (4.1, 4.2) |
Disable unused ports/services | ITA | Host firewalls on servers and end-user devices (4.4, 4.5); uninstalling unneeded services (4.8) is IG2 |
Restrict admin privileges | ITA, CO | Dedicated admin accounts used only for admin tasks, daily work on standard accounts (5.4) |
Deploy application allowlisting | SE | Technical allowlisting (2.5) is IG2; IG1 requires monthly removal of software not on the Phase 2 list (2.3) |
Phase 7: Incident Response & Monitoring (Days 40–60)
CIS Control 08 & 17 (Controls 09 and 12 are IG1 as well but have no task below; supported browsers and email clients, DNS filtering and up-to-date network devices still need an owner)
Task | Role | Description |
---|---|---|
Create an IR Plan | CO | Simple playbook, contact tree, who reports what to whom (17.1, 17.2, 17.3) |
Enable log collection | SE | From servers, endpoints, critical apps (8.2); size storage so logs are not overwritten before review (8.3) |
Configure alerts for key events | SE | Repeated failed logins, logins from unexpected sources, new admin accounts, malware detections |
Train staff on IR procedures | HDL, CO | Email phishing, escalation, etc. |
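Collecting logs is the Control 8 part; the alert rules turn them into Control 17 triggers. The script below is an added example (not part of this plan, and not a SIEM product's rule syntax) of two of the "key events" above, a burst of failed logins from one source and a success from a source that was just failing, run over constructed sshd-style auth log lines. The thresholds (5 failures in 10 minutes), the sample lines and the year used to complete the timestamps are assumptions; the same logic is what you would express as a SIEM or Sigma rule in production.

```python
"""Starter alert logic for Phase 7 (CIS Control 8 logs feeding Control 17 response).

Two detections over sshd-style auth log lines:
  ssh_bruteforce            : FAIL_THRESHOLD failures from one source inside WINDOW_SECONDS
  success_after_bruteforce  : an accepted login from a source that had just crossed that threshold
The log lines and thresholds are constructed assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5     # assumed: five failures ...
WINDOW_SECONDS = 600   # ... within ten minutes

# syslog auth lines carry no year; one is supplied in parse(). Port/"ssh2" suffix is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample: a password-spray against root that eventually works, then a normal user typo.
SAMPLE_LOG = """\
Jun 10 09:00:01 fs01 sshd[1201]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jun 10 09:00:03 fs01 sshd[1201]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jun 10 09:00:05 fs01 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Jun 10 09:00:07 fs01 sshd[1205]: Failed password for root from 203.0.113.9 port 51244 ssh2
Jun 10 09:00:09 fs01 sshd[1207]: Failed password for root from 203.0.113.9 port 51250 ssh2
Jun 10 09:00:12 fs01 sshd[1209]: Accepted password for root from 203.0.113.9 port 51252 ssh2
Jun 10 09:15:00 fs01 sshd[1300]: Failed password for alice from 10.0.2.45 port 40001 ssh2
Jun 10 09:15:20 fs01 sshd[1301]: Accepted password for alice from 10.0.2.45 port 40002 ssh2
"""


def parse(line, year=2024):
    """Return a dict with ts/result/user/src for an auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines):
    """Stream the lines once, keeping a sliding window of failure timestamps per source."""
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    fired = set()                # sources already reported as brute forcing (one alert each)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()          # drop failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in fired:
                fired.add(ev["src"])
                alerts.append({"rule": "ssh_bruteforce", "src": ev["src"],
                               "failures": len(q), "at": ev["ts"]})
        elif len(q) >= FAIL_THRESHOLD:
            # Accepted login from a source that was just hammering us: treat as a compromise.
            alerts.append({"rule": "success_after_bruteforce", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The second rule is the one that matters for the IR plan: a brute force that fails is noise to tune, a brute force that succeeds is an incident, and the alert should land on the contact tree from the IR plan rather than in a dashboard nobody reads. A single failed login followed by success (alice above) produces nothing, which keeps the rule quiet for ordinary typos.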
Phase 8: Security Awareness & Training (Days 45–65)
CIS Control 14
Task | Role | Description |
---|---|---|
Launch cybersecurity training | CO | For all users, at onboarding and at least annually, testable format (14.1) |
Phishing simulations (optional, beyond IG1) | SE | Gauge readiness; IG1 requires only training to recognize social engineering (14.2) |
Track and report participation | PM | Evidence for audit |
Phase 9: Final Audit & Documentation (Days 60–80)
Task | Role | Description |
---|---|---|
Gather evidence for all controls | IA, CO | Screenshots, logs, policies |
Perform internal audit | IA | Validate against IG1 checklist |
Remediate any late gaps | SE, ITA | High-priority fixes only |
Document exceptions (if any) | CO | Risk-accepted deviations |
Phase 10: Executive Review & Sign-Off (Days 80–90)
Task | Role | Description |
---|---|---|
Present compliance report | PM, CO | Summary of safeguards implemented |
Approve compliance status | ES | Sign-off on the self-assessment (CIS does not certify IG1) or defer to future |
Finalize policy & procedure documents | CO | Archive for audits |
Define plan for continuous compliance | PM, CO | Post-90 day roadmap |
Key Deliverables by Day 90:
- CIS IG1 Implementation Matrix (all 56 safeguards with owner, status and evidence reference)
- Asset & Software Inventories
- Patch Logs & Scanning Reports
- Policies (Access, Backup, IR, Training)
- IR Plan & Training Records
- Executive Sign-Off Sheet