Two frameworks — different focus
When organisations need to structure their security work, two names often emerge: CIS Controls and ISO 27001. Both are well-regarded, but they have different origins, focus areas, and use cases.
Short version: CIS Controls answers “what should we do technically?”. ISO 27001 answers “how should we govern and manage information security?”.
CIS Controls in brief
What are CIS Controls?
The Center for Internet Security (CIS) Controls are a list of 18 prioritised security measures, developed by security experts on the basis of real-world attack patterns.
Key characteristics:
- Technical focus — concrete actions
- Priority order — most important first
- Implementation Groups (IG1-IG3) — tailored to maturity
- Free to use
- No certification — best practice
The 18 controls (numbered as referenced in the mapping table below):
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defences
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defence
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
ISO 27001 in brief
What is ISO 27001?
ISO/IEC 27001 is an international standard for information security management systems (ISMS). It specifies requirements for establishing, implementing, maintaining and continually improving an ISMS.
Key characteristics:
- Management system focus — processes and governance
- Risk-based approach
- Certifiable — third-party audit
- Requires documentation and policies
- Annex A with 93 controls (ISO 27001:2022)
Structure:
- Clauses 4-10: Management system requirements (mandatory "shall" requirements)
- Annex A: 93 controls across 4 themes:
  - Organisational controls (37)
  - People controls (8)
  - Physical controls (14)
  - Technological controls (34)
Comparison
| Aspect | CIS Controls | ISO 27001 |
|---|---|---|
| Focus | Technical implementation | Management system |
| Approach | Prioritised list | Risk-based |
| Certification | No | Yes |
| Cost | Free framework | Certification costs |
| Documentation | Minimal | Extensive |
| Target audience | IT/security teams | Entire organisation |
| Updates | v8 (2021) | 2022 version |
| Controls | 18 controls, 153 safeguards | 93 Annex A controls |
Implementation Groups (CIS)
- IG1: 56 safeguards. For smaller organisations with limited IT resources. Protects against common, uncomplicated attacks.
- IG2: 74 further safeguards on top of IG1. For organisations with IT staff and more complex environments. Protects against more sophisticated threats.
- IG3: all 153 safeguards. For organisations with dedicated security teams and high requirements. Protects against advanced threats.
When does CIS Controls fit?
Choose CIS Controls when:
- You want concrete, technical measures
- You need to prioritise — what first?
- You have limited resources
- Certification is not a requirement
- You want to complement ISO 27001 with practical guidance
Typical users:
- Startups building security from the ground up
- SMEs wanting to raise the level quickly
- IT departments needing actionable steps
- Organisations complementing ISO 27001
When does ISO 27001 fit?
Choose ISO 27001 when:
- Customers or partners require certification
- You need structured governance of information security
- Management needs to be involved
- You want an internationally recognised standard
- The NIS2 Directive applies to you (ISO 27001 covers much of it)
Typical users:
- B2B companies with certification requirements
- Organisations handling sensitive data
- Companies wanting to demonstrate serious security work
- Organisations under NIS2 Directive
Mapping between frameworks
CIS Controls and ISO 27001 Annex A have significant overlap. Here are examples of how they map:
| CIS Control | ISO 27001 Annex A |
|---|---|
| 1. Inventory and Control of Enterprise Assets | A.5.9 Inventory of assets |
| 3. Data Protection | A.5.12-A.5.14 Data classification |
| 5. Account Management | A.5.16-A.5.18 Identity management |
| 7. Continuous Vulnerability Management | A.8.8 Vulnerability management |
| 8. Audit Log Management | A.8.15-A.8.16 Logging |
| 14. Security Awareness and Skills Training | A.6.3 Awareness training |
| 17. Incident Response Management | A.5.24-A.5.28 Incident management |
Combining both frameworks
1. Start with CIS IG1 for quick wins: Implement the 56 basic safeguards to establish baseline security. This provides immediate risk reduction.
2. Build the ISMS structure in parallel: Establish policies, processes and documentation according to ISO 27001. CIS implementation becomes evidence for many Annex A controls.
3. Map CIS to Annex A: Document how your CIS implementations satisfy ISO 27001 controls. Avoid duplication of effort.
4. Fill the gaps: ISO 27001 requires more than technical controls (management system, risk management, internal audit). Complement with what CIS doesn't cover.
5. Certify when needed: When the ISMS is mature, undergo a certification audit. CIS implementation provides a strong technical foundation.
Common pitfalls
CIS without management support becomes an isolated IT project. ISO 27001 without technical implementation becomes a paper exercise. Balance both.
ISO 27001 certification is a means, not an end. Focus on actual security, not just compliance.
Don't try to implement all CIS controls or the entire ISO 27001 standard simultaneously. Prioritise based on risk.
Both frameworks require continuous work. CIS Controls are updated over time, and ISO 27001 requires annual review.
Summary
| Question | CIS Controls | ISO 27001 |
|---|---|---|
| What should we do technically? | ✓ Strong | General |
| How do we prioritise? | ✓ Clear order | Risk-based |
| Do we need certification? | No | ✓ Yes |
| Does management want involvement? | Optional | ✓ Required |
| Do we have limited resources? | ✓ IG1 | More demanding |
How Securapilot can help
Securapilot supports both CIS Controls and ISO 27001:
- Multi-framework support — Manage both frameworks in the same system
- Control mapping — See how your controls satisfy multiple frameworks
- Gap analysis — Identify what’s missing
- Evidence management — Collect proof for audits
- Dashboard — Overview of compliance status
Book a demo and see how we can support your framework choice.
Frequently asked questions
Can you become CIS-certified?
No, CIS Controls has no formal certification. It's a best practice framework. ISO 27001, however, offers third-party certification through accredited certification bodies.
Which is easiest to implement?
CIS Controls, particularly Implementation Group 1 (IG1), are designed to be practical and quick to implement. ISO 27001 requires more documentation and processes, but it can be certified.
Do they work together?
Yes, they complement each other excellently. CIS Controls provides concrete technical measures that can map to ISO 27001 Annex A controls. Many organisations use CIS for technical implementation and ISO 27001 for the management system.
Which do customers usually require?
ISO 27001 certification is most common as a customer requirement, particularly in B2B. CIS Controls are used more internally to prioritise security measures and as a complement to ISO 27001.