Safient Solutions
Cybersecurity Risk Assessment
A 10-question assessment based on the CIS Critical Security Controls — built for small businesses.
CIS Controls–Based Assessment
How does your business stack up against essential cyber hygiene?
These 10 questions are drawn from the most foundational controls in the CIS Critical Security Controls (CIS Controls v8) — the same framework used by organizations of all sizes to prioritize cybersecurity investments. Each question is backed by data showing why it matters.
Asset inventory
CIS Control 1
You can't protect what you don't know you have. Maintaining an accurate inventory of every device that connects to your network is the foundational first step in the CIS Controls — without it, every other control has gaps.
Source: CIS Critical Security Controls v8, Control 1
Does your business maintain a current list of all devices (computers, phones, servers) connected to your network?
Yes
No
Not sure
Account & access management
CIS Control 6
Compromised credentials are involved in the majority of confirmed data breaches, and only 35% of small businesses have multi-factor authentication enabled on business accounts.
Source: CIS Controls v8, Control 6 / SQ Magazine 2026
Does your business require multi-factor authentication (MFA) on email and critical accounts?
Yes
No
Not sure
Secure configuration
CIS Control 4
Devices and software often ship with default passwords, open ports, and unnecessary services enabled. Hardening default configurations closes off some of the easiest entry points attackers scan for automatically.
Source: CIS Controls v8, Control 4
Have default passwords been changed and unnecessary software/services removed from your business devices?
Yes
No
Not sure
Malware defenses
CIS Control 10
A single unprotected laptop or phone is often all it takes for malware to enter and spread across a network. Managed endpoint protection can reduce malware infection risk by up to 85%.
Source: CIS Controls v8, Control 10 / IBM X-Force 2026
Are all company devices protected with managed endpoint security (not just basic antivirus)?
Yes
No
Not sure
Data recovery
CIS Control 11
40% of businesses that pay a ransomware demand never fully recover their data — even after paying. Tested, automated, off-site backups are your last line of defense.
Source: CIS Controls v8, Control 11 / Sophos 2025
Does your business have automated backups that have been tested for successful restoration?
Yes
No
Not sure
Email & web protections
CIS Control 9
Phishing remains the #1 reported entry point for attacks on small businesses. 68% of breaches involve a human element — usually a phishing email or malicious link.
Source: CIS Controls v8, Control 9 / Verizon DBIR 2026
Does your business use email filtering or web browser protections to block known malicious links and attachments?
Yes
No
Not sure
Security awareness training
CIS Control 14
Your employees are simultaneously your biggest vulnerability and your strongest defense. 12 months of regular training cuts phishing susceptibility by 86% — yet only 11% of small businesses provide it.
Source: CIS Controls v8, Control 14 / StationX 2026
Does your business provide regular security awareness training to employees?
Yes
No
Not sure
Network monitoring & defense
CIS Control 13
A consumer-grade router from your ISP is not the same as a business firewall. Businesses without network monitoring often go weeks before detecting an intrusion — giving attackers time to move freely.
Source: CIS Controls v8, Control 13 / CISA 2026
Does your business use a business-grade firewall with any form of network monitoring or filtering?
Yes
No
Not sure
Service provider management
CIS Control 15
Third-party involvement in breaches doubled to 30% in a single year — your security is only as strong as the weakest vendor with access to your systems or data.
Source: CIS Controls v8, Control 15 / Verizon DBIR 2025
Have you reviewed the security practices of vendors, software, or service providers that have access to your business data?
Yes
No
Not sure
Incident response management
CIS Control 17
When a breach happens, every hour without a plan compounds the damage. Organizations with a tested incident response plan recover 75% faster and spend 60% less — yet only 34% of SMBs have one.
Source: CIS Controls v8, Control 17 / IBM Cost of a Data Breach 2025
Does your business have a documented, tested incident response plan?
Yes
No
Not sure
Your CIS Controls gap summary
01 · AUDIT
We review your current setup — no jargon, no judgment
02 · ADVISE
Clear, prioritized recommendations for what to fix first
03 · ASSIST
We help you implement it — start to finish
Safient Solutions
Cybersecurity advisory for small & mid-sized businesses
Don't become the next statistic
Based on your results, here's where we'd recommend starting. Every gap above maps to a specific, addressable control — most can be improved quickly and affordably.
Schedule a free consultation →
This assessment is based on the CIS Critical Security Controls v8, a vendor-neutral framework maintained by the Center for Internet Security. It is not affiliated with or endorsed by CIS.