Volume 06 · Compliance · 6 min read · 1,301 words

CIS Controls v8 IG1 in 90 days for a 50-person company

A dated 90-day runbook to implement the 56 CIS Controls v8 Implementation Group 1 safeguards: the baseline your cyber insurer and most SOC 2 auditors effectively expect.

Rami Friedman
Sr. Security Engineer Β· Kootechnikel Solutions
Published April 22, 2026
Quick answer

The 56 CIS Controls v8 IG1 safeguards are the SMB-appropriate baseline every cyber insurance underwriter and SOC 2 auditor effectively expects. For a 50-person company with a cooperative MSP, a 90-day implementation is realistic: weeks 1-4 on inventory + hardening basics, weeks 5-8 on access + data protection, weeks 9-12 on monitoring + response + documentation. Most organizations start at ~35% coverage and hit 95%+ by week 12.

You'll learn

  • The 56 IG1 safeguards grouped into 12 weekly work packages.
  • Which safeguards need your MSP, which need HR, and which need you.
  • The evidence trail that turns a finished IG1 into an underwriter-ready attestation.

Why this matters

Cyber insurance underwriters moved the bar in 2024-2026. "We have antivirus" no longer reads as a control posture. The Center for Internet Security's Controls v8, Implementation Group 1 (56 safeguards across 18 controls), has become the de facto SMB baseline: underwriters reference it in questionnaires, SOC 2 auditors accept it as technical evidence, and NIST CSF subcategories map to it cleanly.

The good news: IG1 is intentionally scoped for SMBs with limited resources. No one expects you to run a purple-team exercise. But 56 items is still 56 items. Most 50-person companies start at 30-40% coverage (they have the easy ones: asset inventory, antivirus, some MFA) and without a plan stall there for a year.

This is the 90-day plan we've run with four clients in the last 18 months. It assumes a cooperative MSP and a weekly working session with a named internal sponsor. If your environment is especially complex (multi-tenant M365, hybrid infrastructure, 10+ line-of-business apps), stretch each week to 8-10 days; don't compress.

What IG1 actually asks for

The 18 CIS Controls grouped by theme:

  • Asset + configuration (Controls 1-4): know what you have, know what's on it.
  • Access + data (Controls 5-7, 13): who can reach what, with what authentication.
  • Defense + monitoring (Controls 8-10, 13-14): detecting when something's wrong.
  • Response + operations (Controls 11, 17): being ready for incidents.
  • Training + supply chain (Controls 14, 15): people and vendors.

The 90-day runbook

Weeks 1-2: Asset inventory (Controls 1, 2, 5)

If you don't know what you have, you can't secure it. The first two weeks are documentation-heavy.

  • Endpoint inventory (1.1, 1.2). Full list of laptops + desktops, who's assigned to them, operating system, last patch date. Typically pulled from your RMM (NinjaOne, Intune, JAMF).
  • Software inventory (2.1, 2.2). Catalog of approved software + process to detect unapproved. M365 Defender or comparable EDR usually produces this as a byproduct.
  • User inventory (5.1, 5.2). All user accounts across M365, Google Workspace, all major SaaS tools. Critical: shared/orphaned accounts identified and remediated.

Evidence artifacts: exported inventories dated week 2.

Weeks 3-4: Secure configuration + patching (Controls 3, 4, 7)

  • Secure endpoint configuration (4.1-4.6). Baseline policies via Intune / JAMF: disable legacy protocols, enforce encryption, configure browser hardening.
  • Patch management (7.1, 7.3, 7.4). 14-day SLA for critical patches + 30-day SLA for high/medium. Evidence: patching reports from your RMM.
  • Data classification + protection (3.1-3.6). Identify where sensitive data lives (PHI, PII, financial). Tag it in DLP policies. If you handle healthcare, see Vol 5.

Evidence artifacts: configuration baseline documents, patch compliance report, data classification spreadsheet.
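As an added illustration (not part of the original runbook or the Kootechnikel playbook), a Python check that turns an RMM patch export into the Control 7 evidence this block asks for: it applies the 14-day critical and 30-day high/medium SLAs and lists which rows breached and by how much. The column names and the sample rows are constructed assumptions.

```python
from __future__ import annotations
import csv
import io
from datetime import date, timedelta

# Runbook SLAs (Control 7): 14 days for critical, 30 days for high/medium.
# Rows with no SLA tier here (e.g. 'low') are skipped, not counted.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 30}

# Constructed sample RMM export; column names are hypothetical.
SAMPLE_EXPORT = """hostname,severity,released,installed
LT-001,critical,2026-03-01,2026-03-10
LT-002,critical,2026-03-01,
LT-003,high,2026-02-15,2026-03-20
LT-004,medium,2026-03-05,2026-03-30
LT-005,low,2026-03-05,
"""
AS_OF = date(2026, 4, 1)  # report date written into the evidence folder


def evaluate_patch_sla(csv_text: str, as_of: date) -> dict:
    """Bucket each in-scope row as compliant or breached.

    Breached = installed after the deadline, or still missing once the
    deadline has passed. A missing patch inside its window counts as
    compliant (pending), which is what a point-in-time report should show.
    """
    compliant, breached = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sla = SLA_DAYS.get(row["severity"].strip().lower())
        if sla is None:
            continue
        deadline = date.fromisoformat(row["released"]) + timedelta(days=sla)
        installed = date.fromisoformat(row["installed"]) if row["installed"] else None
        effective = installed or as_of  # missing patch is judged at report date
        if effective > deadline:
            breached.append({"hostname": row["hostname"],
                             "severity": row["severity"],
                             "days_overdue": (effective - deadline).days})
        else:
            compliant.append(row["hostname"])
    total = len(compliant) + len(breached)
    return {"compliant": compliant, "breached": breached,
            "compliance": len(compliant) / total if total else 1.0}


def run_sample() -> dict:
    """Evaluate the constructed export as of AS_OF."""
    return evaluate_patch_sla(SAMPLE_EXPORT, AS_OF)
```

Run `run_sample()` weekly and file the returned breach list with the patch compliance report; the `days_overdue` figure is what an auditor will ask about first.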

Weeks 5-6: Access control + MFA (Controls 5, 6)

If you've already run Vol 1, this is a quick block of work.

  • MFA on all user accounts (6.3, 6.4, 6.5). No exceptions beyond break-glass. See Vol 1 for the Conditional Access structure.
  • Role-based access (6.8). Users have the permissions they need, nothing more. The M365 admin-role review is the painful one; usually finds 2-5 over-permissioned accounts per 50-person tenant.
  • Privileged account management (5.4, 6.2). Separate admin accounts for admin work. Naming convention like "tjones-admin@tenant".
  • Account lifecycle (5.3, 5.5, 5.6). Documented onboarding + offboarding checklists. Access revoked within 24 hours of termination.

Evidence artifacts: MFA coverage report (target 100%), admin-role audit, onboarding/offboarding checklists.
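An added example, not from the original post, that produces the account-lifecycle evidence for safeguards 5.1-5.3 and the 24-hour revocation target above: it joins a constructed HRIS roster against a constructed directory export and flags enabled accounts that are orphaned (no HR owner), still enabled more than 24 hours after termination, or dormant. The 45-day dormancy threshold is the one CIS safeguard 5.3 names; the column names are assumptions.

```python
from __future__ import annotations
import csv
import io
from datetime import datetime, timedelta

OFFBOARDING_SLA = timedelta(hours=24)  # runbook: access revoked within 24 hours
DORMANT_AFTER = timedelta(days=45)     # CIS 5.3: disable dormant accounts at 45 days

# Constructed sample inputs; column names for the HRIS and directory exports
# are hypothetical.
HR_ROSTER = """email,status,terminated_at
ajones@example.com,active,
bsmith@example.com,terminated,2026-03-28T17:00:00
cwong@example.com,terminated,2026-03-31T12:00:00
dlee@example.com,active,
"""
DIRECTORY = """upn,enabled,last_sign_in
ajones@example.com,true,2026-03-30T09:00:00
bsmith@example.com,true,2026-03-29T08:00:00
cwong@example.com,false,2026-03-30T10:00:00
dlee@example.com,true,2026-02-01T08:00:00
svc-scanner@example.com,true,2026-01-10T00:00:00
"""
AS_OF = datetime(2026, 4, 1, 9, 0)


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def account_findings(hr_csv: str, dir_csv: str, as_of: datetime) -> dict[str, str]:
    """Map each non-compliant enabled account to a single finding.

    Priority when several apply: orphaned > offboarding_sla > dormant.
    Disabled accounts and compliant accounts are omitted from the result.
    """
    hr = {r["email"].lower(): r for r in _rows(hr_csv)}
    findings: dict[str, str] = {}
    for acct in _rows(dir_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to revoke
        upn = acct["upn"].lower()
        owner = hr.get(upn)
        if owner is None:
            findings[upn] = "orphaned"  # 5.1: no human owner in HR, shared or stale
        elif (owner["status"] == "terminated"
              and as_of - datetime.fromisoformat(owner["terminated_at"]) > OFFBOARDING_SLA):
            findings[upn] = "offboarding_sla"  # terminated >24h ago, still enabled
        elif as_of - datetime.fromisoformat(acct["last_sign_in"]) > DORMANT_AFTER:
            findings[upn] = "dormant"  # 5.3: no sign-in in 45 days
    return findings


def run_sample() -> dict[str, str]:
    return account_findings(HR_ROSTER, DIRECTORY, AS_OF)
```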

Weeks 7-8: Malware + data protection (Controls 10, 11, 13)

  • EDR deployed everywhere (10.1-10.7). Managed EDR (SentinelOne, Defender for Business, Sophos). Policy tuned, alerts going somewhere a human will see them.
  • Data recovery capability (11.1-11.5). Backups configured, tested, immutable. See Vol 3.
  • Data loss prevention (13.1-13.6). Basic DLP policies (M365 DLP or similar) to flag PHI/PII in email + cloud storage.

Evidence artifacts: EDR coverage report, quarterly restore-test log, DLP policy configuration export.

Weeks 9-10: Network + log monitoring (Controls 8, 9, 12, 13)

  • Audit log management (8.1-8.12). Logs collected from endpoints, cloud services, firewall. Retained 90+ days. Reviewed weekly (minimum).
  • Network monitoring (12.1-12.3, 13.1). Firewall logs + DNS logs + VPN logs into your SIEM (or MSSP equivalent). Alerting on known-bad indicators.
  • Email + web defenses (9.1-9.7). M365 Defender or equivalent email security, DNS filtering (Cisco Umbrella, DNS Defender), browser isolation for high-risk roles.

Evidence artifacts: log retention configuration, weekly log review log, firewall rule audit.

Weeks 11-12: Response, training, documentation (Controls 14, 15, 17)

  • Security awareness training (14.1-14.6). Annual baseline training + monthly phishing simulations. KnowBe4, Hoxhunt, or equivalent. Measure click-through rates.
  • Service provider management (15.1-15.7). Vendor inventory with security attestation for each (SOC 2 report, BAA, etc.). See also Vol 2.
  • Incident response plan (17.1-17.9). Written IR plan, named roles, escalation path, annual tabletop exercise.

Evidence artifacts: training completion report, vendor security inventory, written IR plan, tabletop exercise log.

The tool stack that gets you there

The shortest path assumes M365 Business Premium + one of each:

  • RMM: NinjaOne / Kaseya / Datto RMM / Intune: endpoint + software inventory, patching.
  • EDR: Defender for Business (bundled with Business Premium) OR SentinelOne / CrowdStrike for higher-touch environments.
  • SIEM / log aggregation: Sentinel (native M365) OR a small Datadog / Splunk deployment.
  • M365 backup: see Vol 3.
  • Email security: M365 Defender (bundled) OR Proofpoint / Abnormal / Mimecast.
  • DNS filter: DNS Defender / Cisco Umbrella / Cloudflare Gateway.
  • Training + phishing: KnowBe4 / Hoxhunt / Proofpoint Security Awareness.
  • Vendor-risk tracking: spreadsheet is fine at 50-person scale; Vanta / Drata if you're also pursuing SOC 2.

Realistic tool budget for a 50-person firm: $30-45k/year all-in (assumes M365 Business Premium is already budgeted separately). This drops significantly if you're on a managed-IT engagement where the MSP absorbs some of it into their fee.

Week-by-week pattern

  • Monday: 30-min sync between internal sponsor + MSP engineer. Review last week, confirm this week's safeguards.
  • Mid-week: engineering work. Most safeguards are configuration changes + documentation, not build projects.
  • Friday: evidence collection. Screenshots, reports, policy docs filed in a shared folder.

At 12 weeks with a competent MSP, IG1 coverage typically moves from 35% to 95%+, with ~6-8 findings carried into the next quarter.

The mistakes we see most often

  1. Skipping the inventory weeks. Everyone wants to start with the interesting controls (MFA, EDR). Without the inventory, you can't evidence the interesting ones. Two weeks of inventory saves two months of audit pain.

  2. Training-as-checkbox. An annual "watch a 20-minute video" doesn't move phishing click-through. Monthly simulations + role-based content do. Budget accordingly.

  3. IR plan that's never rehearsed. A plan nobody has seen in action is a document, not a capability. Annual tabletop exercise, minimum. Quarterly if you have real regulatory exposure.

  4. Over-buying tools. IG1 doesn't require an $80k SIEM deployment. M365 Defender + one good EDR + M365 audit logs covers most of it. Add complexity only when IG2 or a specific compliance framework demands it.

  5. Declaring victory too early. IG1 coverage at 95% is a starting point, not a finish. Annual re-assessment is the discipline that keeps it real.

If you want help with this

IG1 in 90 days is a common engagement for us. We've run the playbook across services firms, dental groups, fintechs, and manufacturing clients; the week-by-week structure holds with minor vertical adjustments. The free IT health check includes a starting IG1 coverage assessment so you know where you're starting from.

Further reading

  • Volume 1: MFA rollout. The core of Controls 5 and 6.
  • Volume 2: SOC 2 Type II cost breakdown. Most SOC 2 clients use IG1 as the underlying technical control set.
  • Volume 5: HIPAA + PHIPA for Ontario clinics. Healthcare-specific overlay on IG1.
  • Managed Cybersecurity: how we operate this as a monthly service.