
Navigating the CIS Critical Security Controls

Category: News
Published: 24th April 2025


The CIS Critical Security Controls (CIS Controls) are a recommended set of actions for cyber defence that give organisations actionable steps to follow. The CIS Controls were developed in 2008 by an international consortium of expert volunteers.

Although CIS controls are primarily endorsed by US departments, they are used as an “informative reference” for the NIST cyber security framework and have been adopted globally by organisations.

This framework is continuously updated by cyber security experts to reflect the latest attack techniques, making it a trusted and actionable roadmap for businesses aiming to enhance their security posture.

Many SMBs face increasing pressure from regulators, insurers, and clients to improve security, but often lack the in-house expertise or resources to implement complex frameworks. The CIS Controls provide a structured, prioritised set of security measures that help organisations protect critical assets, align with compliance requirements such as GDPR and NCSC guidance, and reduce the risk of cyber attacks in a cost-effective way.

Here’s how Red Helix can support you at each stage of the CIS framework:

  1. Inventory and Control of Enterprise Assets
    To establish control of your assets, you first need full visibility across your endpoints, cloud and network devices. At Red Helix, we help clients do this through our MDR offering.
  2. Inventory and Control of Software Assets
    Unmanaged software is a welcome mat for attackers. Red Helix's MDR solution tracks software usage across your estate, flagging anything suspicious and helping enforce policy.
  3. Data Protection
    Another vital step is to ensure that there are processes in place to control, manage and securely handle data. Data compromise is one of the leading causes of regulatory fines, so keeping customer data such as credit card information secure is vital. With Red Helix's EDR service, we can put policies in place to ensure that no personal data can leave your environment.
  4. Secure Configuration of Assets & Software
    Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). At Red Helix, we can monitor all of the above with our MDR service.
  5. Account Management
    Managing your accounts is vital to ensure that nobody can gain access to valid user credentials and log in to your system. Ensuring your employees have strong passwords and are up to date on their security awareness training is vital for securing your accounts.
  6. Access Control Management
    Use processes and tools to assign and manage authorisation to credentials for user accounts. With ZTNA (Zero Trust Network Access), you gain enhanced security controls across your entire infrastructure.
  7. Continuous Vulnerability Management
    Whether it’s via threat monitoring or formal penetration testing, Red Helix provides automated detection and expert analysis to identify, prioritise, and remediate vulnerabilities before they’re exploited.
  8. Audit Log Management
    Our SIEM service ensures centralised log collection, correlation, and compliance-ready reporting, so nothing slips past unnoticed.
  9. Email and Web Browser Protections
    Ensure you have protection and detection of threats from email and web. Phishing and spoofing don’t stand a chance. With DMARC, Secure Email Gateway, and security awareness training, Red Helix defends your inbox and browser while also educating your users.
  10. Malware Defences
    Red Helix MDR and Anti-Ransomware protection offer AI-driven malware detection and proactive blocking, giving your team the upper hand against advanced threats.
  11. Data Recovery
    Data loss doesn’t have to be catastrophic. Red Helix supports you with data loss prevention, applying policies to manage sensitive data and prevent unauthorised access or the transfer of data across secure environments. We also provide incident response and business continuity planning to ensure you bounce back fast if you do lose data.
  12. Network Infrastructure Management
    Establish and manage network devices to prevent attackers from exploiting your vulnerable access points. One way of doing this is to implement an NDR service that uses AI, machine learning and behavioural analytics to monitor network traffic.
  13. Network Monitoring and Defence
    Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise’s network infrastructure and user base. This can be accomplished by our NDR service, or our SOCaaS solution.
  14. Security Awareness and Skills Training
    Your first line of defence is your human firewall, so ensuring that all your employees are trained and aware of suspicious activity is essential. A security awareness programme that helps shape company security culture not only improves your security posture but also keeps you compliant with regulations and cyber insurance providers.
  15. Service Provider Management
    Supply chain risk is prevalent, so establishing a process to evaluate who in your supply chain holds sensitive data or is responsible for critical processes externally is essential to ensuring your business is secure. Red Helix tackles this with visibility tools and consultancy services to vet your vendors before they become a liability.
  16. Application Software Security
    Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. We can provide Application Security Posture Management (ASPM), an agentless tool that provides visibility into the security, data privacy, and operational risk of your applications. It delivers a continuous and comprehensive risk profile of your architecture, including databases, cloud providers, third parties, and more.
  17. Incident Response Management
    From tabletop exercises to real-time containment, Red Helix arms your team with Incident Response playbooks, breach and attack simulations, and expert incident responders if an attack occurs.
  18. Penetration Testing
    Penetration (or Pen) Testing is one of the most critical security measures a business can take to protect itself from cyber threats. It simulates real-world attacks to identify vulnerabilities before cyber criminals can exploit them, providing a proactive approach to security.