# CIS Controls v8 Mapping

> *"CIS IG1 is 56 safeguards that every organization must implement. It is not aspirational. It is the floor."*

This document maps the [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md) and the antifragile workstreams to CIS Controls v8 Implementation Groups. The goal is to show clients that antifragile hardening is not an alternative to standards—it is the fastest path to meeting them while building real resilience.

---

## Implementation Group 1 (IG1): The Minimum Viable Posture

IG1 is the **safeguards that every organization should implement to protect against common, known threats**. We treat IG1 as a non-negotiable 90-day target. Most organizations can achieve IG1 primarily through **configuration of existing tools** rather than new procurement.

The mapping below walks all 18 controls so the plan can be read end to end. Note that CIS v8 assigns no IG1 safeguards to Controls 13, 16 and 18; the rows under those three controls are IG2/IG3 work and sit outside the 56-safeguard floor.

### Control 1: Inventory and Control of Enterprise Assets

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Active Directory / cloud IAM census | Existing identity provider |
| Hygiene (Days 0-30) | CMDB seeding with T0/T1 assets | Existing ITAM or spreadsheet |
| Control (Days 30-60) | Automated discovery of new assets | Existing EDR or NAC |

**Antifragile Angle**: You cannot defend what you cannot see. But inventory without ownership is just a list. Every asset in the CMDB must have an owner, a criticality rating, and a dependency map.

### Control 2: Inventory and Control of Software Assets

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Software inventory via EDR or SCCM | Existing endpoint management |
| Hygiene (Days 0-30) | Unauthorized software detection | Existing EDR |
| Sovereignty (Days 60-90) | AI tool inventory and shadow AI discovery | Proxy logs + interviews |

**Antifragile Angle**: Software inventory is not about license compliance.
It is about understanding your **attack surface**. Every unauthorized application is a potential path for an adversary.

### Control 3: Data Protection

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Data classification by criticality | Manual + existing DLP if available |
| Sovereignty (Days 60-90) | Ensure proprietary AI data never leaves the perimeter | Local AI infrastructure |
| Antifragility (Days 90-180) | Automated data loss prevention | Existing CASB or DLP |

**Antifragile Angle**: Data protection is not encryption at rest. It is **ensuring your proprietary signal does not train your competitor's model**. Local AI is a data protection control.

### Control 4: Secure Configuration of Enterprise Assets and Software

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Control (Days 30-60) | ASR rule deployment on endpoints | Microsoft Defender (often already owned) |
| Control (Days 30-60) | Secure baseline for cloud resources | Azure Policy / AWS Config / GCP Org Policy |
| Antifragility (Days 90-180) | Automated drift detection and remediation | Existing configuration management |

**Antifragile Angle**: Secure configuration is not a project. It is a **continuous state**. Every deviation from baseline is a fragility. Automate the detection and remediation of drift.

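
The drift check the Control 4 angle calls for, as an added example for this page rather than code from the plan: a secure baseline for a hypothetical object-storage bucket is compared key by key against an observed configuration, and the deviations are ordered into a remediation plan. The baseline, the observed values and the severity policy are constructed assumptions; in practice the observation comes from your cloud API or configuration-management tool.

```python
"""Configuration drift detection against a secure baseline.

Added example for this mapping; not code from the Rapid Modernisation Plan.
The baseline, the observed configuration and the severity policy below are
constructed assumptions standing in for a hypothetical object-storage bucket.
"""

# Sentinel: the baseline requires the key to be set but does not fix its value.
ANY = object()

# Constructed secure baseline (assumed policy).
BASELINE = {
    "public_access_blocked": True,
    "versioning": "Enabled",
    "encryption": {"algorithm": "aws:kms", "key_id": ANY},
    "logging": {"enabled": True},
    "lifecycle_days": ANY,
}

# Constructed observation with three deviations from the baseline.
OBSERVED = {
    "public_access_blocked": False,         # drift: bucket opened to the world
    "versioning": "Enabled",
    "encryption": {"algorithm": "AES256"},  # drift: wrong algorithm, no KMS key
    "logging": {"enabled": True},
    "lifecycle_days": 30,                   # any value satisfies the baseline
    "tags": {"owner": "data-team"},         # not in the baseline, so not drift
}

# Assumed severity by top-level setting; anything unlisted is medium.
SEVERITY = {"public_access_blocked": "critical", "encryption": "high", "logging": "high"}
RANK = {"critical": 0, "high": 1, "medium": 2}


def flatten(config: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into dotted keys so two configurations compare leaf by leaf."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def detect_drift(baseline: dict, observed: dict) -> list[dict]:
    """One finding per baseline key that is missing or differs in the observation.

    Keys present only in the observation are ignored: the baseline states what
    must hold, not everything that may exist."""
    want, have = flatten(baseline), flatten(observed)
    findings = []
    for key, expected in want.items():
        shown = "<any value>" if expected is ANY else expected
        if key not in have:
            findings.append({"key": key, "kind": "missing", "expected": shown, "actual": None})
        elif expected is not ANY and have[key] != expected:
            findings.append({"key": key, "kind": "changed", "expected": shown, "actual": have[key]})
    return findings


def severity(key: str) -> str:
    """Severity of a finding, keyed on the top-level setting it belongs to."""
    return SEVERITY.get(key.split(".")[0], "medium")


def remediation_plan(findings: list[dict]) -> list[dict]:
    """Order findings by severity (stable sort, so equal severities keep baseline
    order) and express each as the setting to restore."""
    ordered = sorted(findings, key=lambda f: RANK[severity(f["key"])])
    return [{"severity": severity(f["key"]), "set": f["key"], "to": f["expected"]} for f in ordered]


if __name__ == "__main__":
    for step in remediation_plan(detect_drift(BASELINE, OBSERVED)):
        print(f"[{step['severity']}] set {step['set']} -> {step['to']!r}")
```

Run it once against a known-good resource first: if the baseline itself raises findings, the baseline is wrong, not the resource. Keys the observation carries but the baseline does not are deliberately ignored; add them to the baseline if they must be constrained.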
### Control 5: Account Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Identity census and orphan elimination | Existing AD / IAM |
| Hygiene (Days 0-30) | Privileged account inventory and rotation | Existing AD / IAM + PAM if owned |
| Control (Days 30-60) | JIT elevation and PAW deployment | Existing PAM or native tools (PIM, AWS IAM Identity Center) |

**Antifragile Angle**: Account management is not about password complexity. It is about **reducing the number of keys that can unlock the kingdom**. Every account is a latent failure mode.

### Control 6: Access Control Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Control (Days 30-60) | Least-privilege review across platforms | Existing IAM + manual review |
| Control (Days 30-60) | Conditional access policies | Entra ID / Okta / native cloud IAM |
| Antifragility (Days 90-180) | Automated access reviews and revocation | Existing IAM or GRC tool |

**Antifragile Angle**: Access control is not about denying access. It is about **ensuring every allowed access is known, justified, and temporary**.

### Control 7: Continuous Vulnerability Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | External vulnerability scanning | Open-source or existing scanner |
| Control (Days 30-60) | Internal vulnerability scanning | Existing scanner or EDR-integrated |
| Antifragility (Days 90-180) | Risk-based prioritization and SLA | Existing vulnerability management platform |

**Antifragile Angle**: Vulnerability management is not about scanning everything. It is about **finding the shortest path to compromise and closing it first**.

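
Control 7's angle, finding the shortest path to compromise and closing it first, as an added example that is not part of the plan: a breadth-first search over a constructed environment from the internet to the nearest T0 (tier 0) asset, where every hop requires an exploitable open finding on the next host. The hosts, reachability, tier labels and finding IDs (V1 to V6, placeholders rather than real CVE identifiers) are assumptions.

```python
"""Shortest path to compromise: which open findings to close first.

Added example for this mapping, not code from the plan. The environment below
is constructed; V1..V6 are placeholder finding IDs (unique per host), not real
CVE identifiers. Model: the adversary starts on the internet, lands on a host
only by exploiting an open, exploitable finding on it, and from there tries
any host that is reachable on the network.
"""

from collections import deque
from typing import Optional

# Constructed environment: tier (0 = identity/control plane), internet exposure,
# network reachability, and open findings as (id, exploitable) pairs.
HOSTS = {
    "web-01":  {"tier": 2, "internet_facing": True,  "reaches": ["app-01", "jump-01"], "vulns": [("V1", True)]},
    "vpn-01":  {"tier": 2, "internet_facing": True,  "reaches": ["jump-01"],           "vulns": [("V2", True)]},
    "app-01":  {"tier": 1, "internet_facing": False, "reaches": ["db-01"],             "vulns": [("V3", True)]},
    "jump-01": {"tier": 1, "internet_facing": False, "reaches": ["dc-01", "db-01"],    "vulns": [("V4", True)]},
    "db-01":   {"tier": 1, "internet_facing": False, "reaches": [],                    "vulns": [("V5", True)]},
    "dc-01":   {"tier": 0, "internet_facing": False, "reaches": [],                    "vulns": [("V6", True)]},
}


def entry_vuln(hosts: dict, host: str, closed: frozenset) -> Optional[str]:
    """The first still-open exploitable finding that lets an attacker land on `host`."""
    for vuln, exploitable in hosts[host]["vulns"]:
        if exploitable and vuln not in closed:
            return vuln
    return None


def shortest_path_to_tier0(hosts: dict, closed: frozenset = frozenset()) -> Optional[list[tuple[str, str]]]:
    """Breadth-first search from the internet to the nearest tier-0 host.

    Returns the hops as (host, finding) pairs, or None if no path remains once
    the findings in `closed` are remediated. BFS guarantees the first tier-0
    host reached is at the minimum number of hops."""
    queue = deque()
    for host, data in hosts.items():
        vuln = entry_vuln(hosts, host, closed)
        if data["internet_facing"] and vuln:
            queue.append([(host, vuln)])
    seen = {path[0][0] for path in queue}
    while queue:
        path = queue.popleft()
        here = path[-1][0]
        if hosts[here]["tier"] == 0:
            return path
        for nxt in hosts[here]["reaches"]:
            vuln = entry_vuln(hosts, nxt, closed)
            if nxt not in seen and vuln:
                seen.add(nxt)
                queue.append(path + [(nxt, vuln)])
    return None


def remediation_order(hosts: dict) -> tuple[list, list]:
    """Wave 1: while a path from the internet to tier 0 exists, close the finding at
    its entry point (the adversary's mandatory first step) and recompute.
    Wave 2: every remaining exploitable finding, tier-0 assets first."""
    closed, wave1 = set(), []
    while (path := shortest_path_to_tier0(hosts, frozenset(closed))) is not None:
        wave1.append(path[0])
        closed.add(path[0][1])
    leftovers = sorted((d["tier"], h, v) for h, d in hosts.items()
                       for v, exploitable in d["vulns"] if exploitable and v not in closed)
    return wave1, [(h, v) for _, h, v in leftovers]


if __name__ == "__main__":
    print("shortest path:", " -> ".join(f"{h}[{v}]" for h, v in shortest_path_to_tier0(HOSTS)))
    wave1, wave2 = remediation_order(HOSTS)
    print("close first:", wave1)
    print("then:", wave2)
```

Closing the entry-point finding first is a design choice: it is the hop the adversary cannot skip and the one the Hygiene-phase external scan already reports. Wave 2 is ordered by tier because an exploitable finding on a T0 asset matters more than one on a workstation, whether or not a path to it currently exists.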
### Control 8: Audit Log Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Centralized log aggregation for critical systems | Existing SIEM or syslog server |
| Control (Days 30-60) | Log integrity protection | Existing SIEM or file integrity monitoring |
| Antifragility (Days 90-180) | Automated log analysis and anomaly detection | Existing SIEM or local AI pilot |

**Antifragile Angle**: Logs are not compliance artifacts. They are **the raw material of organizational memory**. If an attacker deletes your logs, they delete your ability to learn.

### Control 9: Email and Web Browser Protections

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Control (Days 30-60) | Anti-phishing and safe links | Microsoft Defender for Office 365 (often already owned) |
| Control (Days 30-60) | Browser isolation or hardening | Existing endpoint management |

**Antifragile Angle**: Email remains one of the most common initial access vectors. Hardening it is not optional. Fortunately, most organizations already own the tools to do so.

### Control 10: Malware Defenses

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | EDR deployment and coverage validation | Existing EDR |
| Control (Days 30-60) | ASR rules and exploit protection | Microsoft Defender (often already owned) |
| Antifragility (Days 90-180) | Behavioral detection tuning | Existing EDR |

**Antifragile Angle**: Malware defence is not about signature updates. It is about **behavioural visibility**: can you see anomalous process execution, lateral movement, and data staging?

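
The behavioural visibility Control 10's angle asks for, as an added example rather than code from the plan or from any EDR product: three detections run over constructed process-creation and logon events shaped like EDR telemetry, one for each behaviour the angle names. The rule logic (an Office parent spawning a shell, a shell spawned by services.exe within 60 seconds of a network logon by the same user, an archiver reading a UNC share or writing under a temp path) and the sample events are assumptions to tune per environment.

```python
"""Behavioural detections over EDR-style telemetry.

Added example for this mapping; not code from the plan or from any EDR product.
Events and thresholds are constructed assumptions. Three rules cover the three
behaviours the Control 10 angle names: anomalous process execution, lateral
movement, and data staging.
"""

from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "makecab.exe", "tar.exe"}
LATERAL_WINDOW = timedelta(seconds=60)  # assumed: network logon -> service-spawned shell

# Constructed telemetry: process-creation and logon events, deliberately out of order.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS1", "user": "alice", "event": "process",
     "image": "WINWORD.EXE", "parent": "explorer.exe", "cmdline": "WINWORD.EXE invoice.docm"},
    {"ts": "2024-05-01T10:00:05", "host": "WS1", "user": "alice", "event": "process",
     "image": "powershell.exe", "parent": "WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden -enc <base64>"},
    {"ts": "2024-05-01T10:01:10", "host": "SRV1", "user": "alice", "event": "process",
     "image": "cmd.exe", "parent": "services.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T10:01:00", "host": "SRV1", "user": "alice", "event": "logon",
     "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:02:00", "host": "SRV1", "user": "alice", "event": "process",
     "image": "7z.exe", "parent": "cmd.exe", "cmdline": r"7z.exe a C:\Windows\Temp\f.7z \\fs01\finance$"},
    {"ts": "2024-05-01T10:03:10", "host": "WS2", "user": "bob", "event": "process",
     "image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe"},   # interactive, benign
    {"ts": "2024-05-01T10:10:00", "host": "SRV2", "user": "SYSTEM", "event": "process",
     "image": "cmd.exe", "parent": "services.exe", "cmdline": "cmd.exe /c maintenance.bat"},  # no remote logon
]


class BehaviourDetector:
    """Stateful detector: remembers network (type 3) logons per (host, user) so a
    later service-spawned shell can be correlated to remote execution."""

    def __init__(self, window: timedelta = LATERAL_WINDOW):
        self.window = window
        self.network_logons: dict[tuple[str, str], datetime] = {}

    def inspect(self, ev: dict) -> list[tuple[str, dict]]:
        t = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "logon":
            if ev["logon_type"] == 3:  # network logon: precursor of SMB/RPC-driven remote execution
                self.network_logons[(ev["host"], ev["user"])] = t
            return []
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
        alerts = []
        # 1. Anomalous execution: an Office document spawning a script host or shell.
        if parent in OFFICE_APPS and image in SHELLS:
            alerts.append(("office_spawned_shell", ev))
        # 2. Lateral movement: a shell started by the service control manager shortly
        #    after the same user logged on over the network (PsExec-style pattern).
        if parent == "services.exe" and image in SHELLS:
            last = self.network_logons.get((ev["host"], ev["user"]))
            if last is not None and timedelta(0) <= t - last <= self.window:
                alerts.append(("remote_service_execution", ev))
        # 3. Data staging: an archiver reading a UNC share or writing under a temp path.
        if image in ARCHIVERS and ("\\\\" in cmd or "\\temp\\" in cmd):
            alerts.append(("data_staging", ev))
        return alerts


def run(events: list[dict]) -> list[tuple[str, dict]]:
    """Replay events in time order (telemetry often arrives out of order) and collect alerts."""
    detector = BehaviourDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts.extend(detector.inspect(ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in run(EVENTS):
        print(f"{ev['ts']} {ev['host']} {ev['user']:<7} {rule}: {ev['cmdline']}")
```

The rules are deliberately narrow; the value is in correlating the network logon with what services.exe launches afterwards, which a per-event signature cannot do. Replay telemetry in time order, because the logon that explains the shell may arrive after it, as it does in the sample above.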
### Control 11: Data Recovery

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Backup coverage inventory | Existing backup solution |
| Sovereignty (Days 60-90) | Recovery drill: one critical system | Existing backup solution |
| Antifragility (Days 90-180) | Automated backup verification and recovery testing | Existing backup solution + scripting |

**Antifragile Angle**: Backups that have not been restored are **theological constructs**. They require faith, not evidence. We test.

### Control 12: Network Infrastructure Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Network diagram and firewall rule audit | Existing firewall management |
| Control (Days 30-60) | DNS security and network segmentation | Existing DNS and firewall infrastructure |
| Antifragility (Days 90-180) | Automated network policy validation | Existing configuration management |

**Antifragile Angle**: Network infrastructure is not about speed. It is about **containment**: when one segment fails, how many others can you save?

### Control 13: Network Monitoring and Defense

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Control (Days 30-60) | Network sensor deployment at critical boundaries | Existing IDS/IPS or open-source Zeek/Suricata |
| Antifragility (Days 90-180) | Automated threat detection and response | Existing SIEM + SOAR or scripted response |

**Antifragile Angle**: Network monitoring is not about catching everything. It is about **detecting the anomaly that matters before it becomes the incident that kills you**.

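
Control 13's "anomaly that matters", as an added example that is not from the plan, Zeek or Suricata: a beaconing check over constructed connection records in the shape of Zeek conn.log fields. Command-and-control implants calling home on a timer produce inter-arrival gaps with far less jitter than human browsing; the thresholds (six connections, a 15% coefficient of variation) and the sample traffic are assumptions.

```python
"""Beaconing detection over connection records.

Added example for this mapping; not code from the plan, Zeek or Suricata.
Records are constructed in the shape of Zeek conn.log fields (ts, id.orig_h,
id.resp_h, id.resp_p). Thresholds are assumptions to tune per environment.
"""

import statistics
from collections import defaultdict

MIN_CONNECTIONS = 6   # fewer samples than this give no meaningful period estimate
MAX_JITTER = 0.15     # std/mean of inter-arrival gaps; timer-driven beacons sit well below this

BASE_TS = 1_700_000_000.0  # constructed epoch anchor


def _flows(src: str, dst: str, dport: int, offsets: list[float]) -> list[dict]:
    """Build constructed connection records at BASE_TS plus each offset (seconds)."""
    return [{"ts": BASE_TS + o, "src": src, "dst": dst, "dport": dport} for o in offsets]


FLOWS = (
    # Implant calling home every 60 s with about a second of jitter (10 connections).
    _flows("10.0.1.15", "203.0.113.7", 443,
           [60 * i + j for i, j in enumerate([0, 1.2, -0.8, 0.5, -1.1, 0.9, -0.4, 1.5, -1.3, 0.2])])
    # Human browsing to another site: bursty, irregular gaps (8 connections).
    + _flows("10.0.1.15", "198.51.100.20", 443, [0, 3, 17, 18, 95, 140, 141, 400])
    # A second host touching the same suspect address only three times: too few to judge.
    + _flows("10.0.1.20", "203.0.113.7", 443, [0, 61, 119])
)


def beacon_candidates(flows: list[dict], min_connections: int = MIN_CONNECTIONS,
                      max_jitter: float = MAX_JITTER) -> list[dict]:
    """Group connections by (src, dst, dport), compute the inter-arrival gaps, and flag
    pairs whose gaps are regular enough to look timer-driven. Lowest jitter first."""
    by_pair: dict[tuple, list[float]] = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    findings = []
    for (src, dst, dport), ts in by_pair.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # all timestamps identical; nothing periodic to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(ts),
                             "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in beacon_candidates(FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} {f['count']} conns, "
              f"period {f['period_s']}s, jitter {f['jitter']}")
```

Lower `MIN_CONNECTIONS` to three and the second host talking to the same address gets flagged too: the sample count is a trade-off between missing slow beacons and drowning in false positives. Randomised sleep in real implants pushes the ratio up, so tune `MAX_JITTER` against a baseline of your own traffic rather than taking 0.15 on faith.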
### Control 14: Security Awareness and Skills Training

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Control (Days 30-60) | Phishing simulation and targeted training | Existing security awareness platform |
| Antifragility (Days 90-180) | Security champions program | No tool required—organizational design |

**Antifragile Angle**: Awareness is not about compliance videos. It is about **building a human sensor network** that reports anomalies faster than any technology.

### Control 15: Service Provider Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | Vendor access audit and inventory | Manual + existing IAM |
| Control (Days 30-60) | Supplier access lockdown and time-bounding | Existing PAM or IAM |
| Sovereignty (Days 60-90) | AI vendor risk assessment and exit planning | Manual + legal review |

**Antifragile Angle**: Supplier management is not about contracts. It is about **ensuring your suppliers cannot become your single point of failure**.

### Control 16: Application Software Security

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Sovereignty (Days 60-90) | AI-assisted code review pilot | Local AI on existing hardware |
| Antifragility (Days 90-180) | SAST/DAST integration into CI/CD | Existing DevOps tooling |

**Antifragile Angle**: Application security is not about finding every bug. It is about **making the development pipeline inhospitable to entire classes of vulnerabilities**.

### Control 17: Incident Response Management

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Hygiene (Days 0-30) | IR contact list and escalation paths | Manual + existing ticketing |
| Sovereignty (Days 60-90) | AI-specific incident response runbook | Manual + existing IR framework |
| Antifragility (Days 90-180) | Automated containment playbooks | Existing SOAR or scripted response |

**Antifragile Angle**: Incident response is not about playbooks. It is about **the speed at which you convert an incident into a structural improvement**.

### Control 18: Penetration Testing

| Rapid Modernisation Phase | Action | Typical Tool Investment |
|--------------------------|--------|------------------------|
| Antifragility (Days 90-180) | Red team engagement or adversarial simulation | External provider or internal team |
| Antifragility (Days 90-180) | Continuous purple team exercises | Existing EDR + internal team |

**Antifragile Angle**: Penetration testing is not a compliance checkbox. It is **controlled failure that teaches you where your kill chain lives**.

---

## IG2 and IG3: The Antifragile Extension

We do not stop at IG1. IG2 and IG3 are implemented selectively based on the organization's kill chain and risk profile:

| IG | When We Pursue It | How We Fund It |
|----|-------------------|----------------|
| IG1 | Always. Non-negotiable 90-day target. | Primarily existing tool configuration |
| IG2 | When the organization processes sensitive data or faces targeted threats. | Reallocated savings from IG1 efficiency |
| IG3 | When the organization is critical infrastructure or faces advanced persistent threats. | Strategic security investment, justified by kill chain analysis |

---

## The IG1-as-Foundation Pitch

> *"CIS IG1 is 56 safeguards. Most organizations we assess have implemented fewer than 20. We are not suggesting you buy 36 new products.
> We are suggesting you configure what you already own to meet the minimum viable security posture. This is not a procurement project. It is a configuration project. And we can prove value in the first 30 days."*

---

*Next: [NIST CSF Mapping](nist-csf-mapping.md)*

*Previous: [Move Fast and Fix Things](../core/move-fast-and-fix-things.md)*