Compliance & Risk

56 safeguards. Every client.

We implement CIS Controls v8 Implementation Group 1, all 56 safeguards, for every managed client. Documented evidence, quarterly assessments, and cyber insurance preparation included.

56 Safeguards
100% Documented
Quarterly Assessments
0 Guesswork

Framework: CIS Controls v8 IG1. The industry standard for SMB cybersecurity. All 56 safeguards implemented and documented.

Evidence: Audit-ready. Documented evidence of every control implementation. Ready for insurance audits and compliance reviews.

Insurance: Questionnaire-ready. We prepare your cyber insurance applications with verified answers backed by documented controls.

Compliance that’s implemented, not aspirational.

Most MSPs list compliance as a service. We implement it as a standard. Every managed client gets the full CIS Controls v8 IG1 framework. No add-ons, no premium tier.

CIS Controls are a prioritised set of cybersecurity best practices published by the Center for Internet Security, a non-profit trusted by governments and businesses worldwide. Implementation Group 1 is the foundational tier: 56 safeguards that directly address the techniques used in over 80% of real-world cyberattacks. It is not a watered-down framework. It is the baseline every business should meet, and we implement it in full for every managed client, backed by continuous monitoring and threat detection to track control effectiveness in real time.

CIS Controls are an open framework, not a certification. There is no third-party audit or accreditation process the way there is with ISO 27001 or SOC 2. We adopt IG1 as our security baseline because it is the most practical, evidence-based standard available for small and medium businesses. What makes it meaningful is not a stamp on a certificate. It is the disciplined implementation, documented evidence, and continuous measurement that we apply to every safeguard.

Implementation without evidence is just a claim. For every safeguard we implement, we maintain documented evidence: configuration screenshots, policy documents, test results, and audit trails. When your cyber insurance provider asks if you enforce MFA on all accounts, we don’t say “yes.” We show them the conditional access policy, the compliance report, and the exceptions log.

Quarterly risk assessments track your posture over time. We review control effectiveness, identify gaps introduced by environment changes, and update remediation priorities. Each assessment builds on the last, creating a documented security improvement trajectory that insurance underwriters and auditors value.

Cyber insurance questionnaires have become the de facto compliance audit for SMBs. We prepare your applications with verified, evidence-backed answers. No guessing, no aspirational responses. When you check “yes” on that form, it’s because we can prove it.

56 safeguards. Eight areas of protection.

CIS Controls v8 Implementation Group 1 covers the threats that affect small and medium businesses every day. Each category maps to real attack techniques used in ransomware, phishing, and credential theft. We implement all of them.

Asset inventory. Every device and application on your network is identified and tracked. Unrecognised hardware or software gets flagged immediately. You cannot protect what you do not know exists.

Data protection and recovery. Sensitive data is encrypted in transit, backed up on schedule, and verified as recoverable. Devices that are retired or reassigned are wiped to documented standards. This is your safety net against ransomware and hardware failure.

Secure configuration. Systems are hardened before deployment. Default passwords are changed, unnecessary features are disabled, and configurations follow a documented baseline rather than ad hoc setup.

Access management. Every user gets their own account with only the access their role requires. Shared accounts are eliminated. When someone changes roles or leaves, access is adjusted or revoked the same day.

Vulnerability management. Operating systems and applications are patched on a documented schedule. Known exploits are closed before attackers can use them. When patches cannot be applied immediately, the risk is assessed and tracked.

Email and web protection. Malicious attachments, phishing links, and spoofed messages are filtered before reaching your team. Web browsers are configured to block known malicious sites and prevent drive-by downloads.

Malware defence. Every endpoint runs centrally managed security software that monitors behaviour patterns, not just known virus signatures. Threats are detected, contained, and resolved in minutes.

Audit logging. Logins, failed access attempts, permission changes, and access to sensitive resources are logged and retained. If something goes wrong, there is a documented trail to investigate, not guesswork.

What’s included in compliance management.

01 Baseline & Remediation

Initial assessment of your environment against all 56 safeguards, prioritised remediation plan, and phased control deployment with evidence collected at every step.

02 Risk Assessments

Quarterly reviews tracking control effectiveness, gap identification, and remediation priorities.

03 Cyber Insurance Prep

Evidence-backed questionnaire responses prepared from your actual security posture. Every “yes” on the form is backed by documented proof.

04 Policy Documentation

Acceptable use, incident response, data handling, and access management policies documented and maintained.

05 Compliance Reporting

Monthly and quarterly reports showing safeguard implementation status, posture trends, and remediation progress.

06 PIPEDA Alignment

Privacy controls aligned to PIPEDA and BC PIPA requirements for Canadian businesses handling personal information.

Frequently asked questions.

CIS Controls v8 are a prioritised set of cybersecurity best practices developed by the Center for Internet Security. Implementation Group 1 (IG1) includes 56 specific safeguards designed for small and medium businesses. Cyber insurance underwriters increasingly reference CIS Controls when assessing your policy, and implementing them demonstrates due diligence in the event of a breach. We implement all 56 IG1 controls for every managed client.

Cyber insurance questionnaires typically ask about multi-factor authentication enforcement, endpoint protection, backup practices, access controls, and incident response plans. We maintain documentation of all controls we implement and can provide evidence packages showing your current compliance posture. When renewal season arrives, we help you answer technical questionnaires accurately and provide supporting documentation to your broker.

PIPEDA requires Canadian businesses to protect personal information through appropriate security safeguards, obtain meaningful consent for data collection, and report breaches that pose a real risk of significant harm. In BC, the Personal Information Protection Act (PIPA) adds provincial requirements. We help you implement the technical controls, including encryption, access management, audit logging, and breach detection, that demonstrate compliance with both frameworks.

We maintain a compliance evidence library for each managed client that includes CIS Controls implementation status, security configuration baselines, backup verification logs, access review records, and incident response documentation. This evidence is available on demand for auditors, insurance underwriters, or regulatory inquiries.

How compliant are you, really?

Send us a message. We’ll assess your current posture against CIS Controls and show you exactly where the gaps are.