Using the CIS Top 20 for Control Self Assessments


Control Self Assessments (CSAs) are a key control that we consistently recommend to our SOC and other audit clients.  The purpose of this blog post is to elaborate on CSAs and provide a practical and effective approach to performing them.

CSAs can take many different forms and can range from very simple to extremely comprehensive.  Although there is no one-size-fits-all approach to CSAs, it is important that they focus on high-risk areas such as network security, logical access and change management.  Frequently, we recommend that our SOC clients include a subset of the controls from their SOC report in their CSA and “kick the tires” midway through their SOC audit period to ensure that the controls are operating effectively.  Another related approach is to use the Center for Internet Security (CIS) controls as a starting point or baseline for the CSA.

The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.  The CIS Controls were developed by a community of IT experts who applied their first-hand experience as cyber defenders to create a set of globally accepted security best practices.  They focus on the most fundamental and valuable actions that every enterprise should take.  In short, the CIS Controls are considered to be the most effective and specific set of technical measures available to detect, prevent, respond to and mitigate damage from the most common to the most advanced cyber-attacks. 

The CIS Controls and supporting implementation guidance are available free at:

So how do you use the CIS Controls to perform a CSA?  Here is a tool that we developed to get you started:  Control Self-Assessment Tool

You can modify this CSA template/tool to suit your needs by adding or removing controls and test steps.  If you are a service organization that is subject to an annual SOC audit, completing the CSA once a year will go a long way toward ensuring that you receive a clean SOC report.  And even if you do not have a SOC reporting requirement, CSAs are an effective way to ensure that you have the proper controls in place to prevent future cyber-attacks.
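As an added illustration of what the worksheet behind such a template can look like (this is example code written for this post, not the post's own Control Self-Assessment Tool), the Python script below reads a constructed CSA worksheet in which each row is one test step for a control, rolls the step results up to a status per control, summarizes by risk area, and lists the exceptions to carry into remediation. The control identifiers, domains, test steps and evidence values are all made up for the example; the PASS/FAIL/N/A result vocabulary and the rule that a single failed step makes the whole control an exception are design choices for this example, not something the post prescribes.

```python
import csv
import io
from collections import OrderedDict

# Result vocabulary assumed for this example; any other value is a data-entry error.
VALID_RESULTS = {"PASS", "FAIL", "N/A"}

# Constructed sample worksheet (not the post's tool). One row per test step; rows
# that share a control_id belong to the same control. Add or remove rows to change
# the scope of the assessment.
SAMPLE_CSA_CSV = """control_id,domain,control,test_step,result,evidence
NS-1,Network Security,Firewall rules are reviewed quarterly,Obtain last two review tickets,PASS,CHG-1041 CHG-1187
NS-1,Network Security,Firewall rules are reviewed quarterly,Confirm reviewer is not the rule owner,PASS,Ticket approver field
NS-2,Network Security,Remote admin access requires MFA,Inspect VPN profile for MFA enforcement,FAIL,Legacy profile allows password only
LA-1,Logical Access,Terminated users are removed within 24h,Sample 5 terminations and compare to directory disable dates,PASS,HR list vs AD export
LA-1,Logical Access,Terminated users are removed within 24h,Confirm no shared accounts owned by terminated staff,FAIL,svc-backup owner left in March
LA-2,Logical Access,Privileged access reviewed semi-annually,Obtain sign-off for the most recent review,PASS,Signed review memo
CM-1,Change Management,Production changes require approval,Sample 10 changes for recorded approval,PASS,10 of 10 had approval
CM-1,Change Management,Production changes require approval,Confirm developers cannot deploy to production directly,N/A,Pipeline migration in progress
CM-2,Change Management,Emergency changes are reviewed after the fact,Sample emergency changes from the period,N/A,No emergency changes in period
"""


def load_csa(csv_text):
    """Group worksheet rows by control_id, keeping worksheet order, and reject bad result values."""
    controls = OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = row["result"].strip().upper()
        if result not in VALID_RESULTS:
            raise ValueError(f"{row['control_id']}: unexpected result {row['result']!r}")
        ctl = controls.setdefault(
            row["control_id"],
            {"domain": row["domain"], "control": row["control"], "steps": []},
        )
        ctl["steps"].append(
            {"test_step": row["test_step"], "result": result, "evidence": row["evidence"]}
        )
    return controls


def control_status(control):
    """Roll step results up to one status per control.

    Any failed step makes the control an EXCEPTION; a control with at least one
    passed step and no failures is EFFECTIVE; a control whose steps were all N/A
    was NOT TESTED and must not be counted as effective.
    """
    results = [s["result"] for s in control["steps"]]
    if "FAIL" in results:
        return "EXCEPTION"
    if "PASS" in results:
        return "EFFECTIVE"
    return "NOT TESTED"


def summarize(controls):
    """Count controls per risk area (domain) by status."""
    summary = {}
    for ctl in controls.values():
        counts = summary.setdefault(
            ctl["domain"], {"EFFECTIVE": 0, "EXCEPTION": 0, "NOT TESTED": 0}
        )
        counts[control_status(ctl)] += 1
    return summary


def exceptions(controls):
    """Remediation list: one (control_id, test_step, evidence) tuple per failed step."""
    return [
        (cid, s["test_step"], s["evidence"])
        for cid, ctl in controls.items()
        for s in ctl["steps"]
        if s["result"] == "FAIL"
    ]


def report(csv_text):
    """Print the per-domain summary and the exception list for a worksheet."""
    controls = load_csa(csv_text)
    for domain, counts in summarize(controls).items():
        print(f"{domain}: {counts}")
    print("Exceptions to remediate:")
    for cid, step, evidence in exceptions(controls):
        print(f"  {cid}: {step} ({evidence})")


if __name__ == "__main__":
    report(SAMPLE_CSA_CSV)
```

Keeping one row per test step rather than one row per control is what makes the template easy to extend: a new control is just more rows, and the roll-up logic does not change. Treating an all-N/A control as "not tested" rather than "effective" matters when the results feed a mid-period check before a SOC audit, because a control that was never exercised gives no assurance.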