What are the differences between the available CIS Self-Assessment tools?


Product Name:
  CIS CSAT - CIS Controls Self Assessment Tool
  CIS CSAT Pro - SecureSuite CIS Controls Self Assessment Tool
  CIS BIA - Ransomware Business Impact Analysis Tool
  CIS NCSR - Nationwide Cybersecurity Review
  CIS RAM - Risk Assessment Method

Product Version: All

Date: Jan 4, 2024



Problem

I have found multiple manual self-assessment tools from CIS. Which should I take? Why would I choose one over the other?


Solution

Using the descriptions below, enterprises can decide which tool, or combination of tools, best suits their cyber hygiene needs.

All of the following tools are based on, or mapped to, the CIS Critical Security Controls (CIS Controls).

The following self-assessment tools are available from CIS. With the exception of CIS CSAT Pro, which is limited to CIS SecureSuite Members, all of them are available free of charge to members and non-members alike (the NCSR is offered to MS-ISAC members; see below).

  1. CIS Controls Self Assessment Tool Pro (CIS CSAT Pro) is the on-premises version of the tool based on the CIS Controls and is available exclusively to CIS SecureSuite Members. CSAT Pro offers a wide range of features and benefits, including but not limited to:

    1. Greater flexibility with organization trees for managing organizations, sub-organizations, and assessments while tracking multiple concurrent assessments in the same organization.

    2. Easily access your tasks, assessments, and organizations from a consolidated home page.

    3. Save time by using a simplified scoring method with a reduced number of questions.

    4. Stores data locally (offline), under the enterprise's own control.

  2. CIS Controls Self Assessment Tool (CIS Hosted CSAT) is the web-based portal version of CSAT, hosted by CIS. It is free to every organization for non-commercial use in assessing its own implementation of the CIS Controls.

  3. CIS Ransomware Business Impact Analysis Tool (CIS BIA) is a free tool that uses a quantitative method to assess enterprise risk from a ransomware attack, on a cadence determined by the enterprise. BIA uses the FAIR (Factor Analysis of Information Risk) methodology, which is scenario based; the first scenario offered is ransomware.

  4. CIS Risk Assessment Method (CIS RAM) is a free, qualitative risk analysis method for the whole enterprise, run on a cadence the enterprise determines. CIS RAM helps enterprises define an acceptable level of risk, prioritize and implement the CIS Controls to manage that risk, justify investments in a reasonable implementation of the Controls, and demonstrate "due care".

  5. CIS Nationwide Cybersecurity Review (NCSR) is a self-assessment survey available annually, free of charge, to Multi-State Information Sharing & Analysis Center (MS-ISAC) members. It is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and is designed to measure the gaps and capabilities of state, local, tribal, and territorial (SLTT) governments' cybersecurity programs. It maps to the CIS Controls, so participants can obtain an improvement plan expressed in terms of the CIS Controls. The NCSR also helps satisfy a federal reporting requirement.
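To make the quantitative versus qualitative distinction between CIS BIA and CIS RAM concrete, here is an added Python example. It is not code from CIS BIA, CIS RAM, or any other CIS tool. It shows a FAIR-style Monte Carlo estimate of annual loss for a ransomware scenario (Risk = Loss Event Frequency x Loss Magnitude, with Loss Event Frequency = Threat Event Frequency x Vulnerability), next to an ordinal expectancy-by-impact rating compared against an enterprise-defined acceptable score, with candidate safeguards ranked by residual score. The triangular distributions, the 1-5 ordinal scales, the acceptance threshold, the safeguard names and every input figure are assumptions constructed for the example.

```python
"""Added example: a FAIR-style quantitative ransomware scenario beside a
qualitative rating against an acceptable-risk score. Not CIS BIA or CIS RAM
code; all distributions, scales and figures are constructed for illustration."""
import random
import statistics


def fair_ransomware_ale(tef, vulnerability, loss_per_event, trials=10000, seed=1):
    """Monte Carlo estimate of annual loss for one scenario using the FAIR
    decomposition Risk = LEF x LM, where LEF = TEF x Vulnerability.

    Each argument is a (min, most_likely, max) triple. Triangular distributions
    stand in for the calibrated ranges a FAIR analysis would use (an assumption
    of this example, not the CIS BIA implementation).
      tef            threat events per year (ransomware attempts reaching the enterprise)
      vulnerability  probability that an attempt becomes a loss event
      loss_per_event primary plus secondary loss per loss event, in currency units
    Returns summary statistics of the simulated annual loss distribution.
    """
    rng = random.Random(seed)

    def draw(triple):
        lo, ml, hi = triple
        return rng.triangular(lo, hi, ml)  # random.triangular(low, high, mode)

    annual = []
    for _ in range(trials):
        lef = draw(tef) * draw(vulnerability)      # loss events expected this year
        annual.append(lef * draw(loss_per_event))  # annual loss for this trial
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "p50": annual[len(annual) // 2],
        "p90": annual[int(0.9 * len(annual))],
        "worst": annual[-1],
    }


def ram_style_score(expectancy, impact):
    """Qualitative score on 1-5 ordinal scales (an assumed simplification of the
    expectancy x impact scoring used by qualitative methods such as CIS RAM)."""
    if not (1 <= expectancy <= 5 and 1 <= impact <= 5):
        raise ValueError("expectancy and impact are ordinal values 1..5")
    return expectancy * impact


def prioritize_safeguards(safeguards, acceptable):
    """Rank candidate safeguards by residual score and flag those that bring the
    risk to or below the enterprise-defined acceptable score.
    safeguards: iterable of (name, expectancy_after, impact_after).
    Returns [(name, residual_score, within_acceptable)] sorted by residual score."""
    ranked = []
    for name, expectancy_after, impact_after in safeguards:
        residual = ram_style_score(expectancy_after, impact_after)
        ranked.append((name, residual, residual <= acceptable))
    ranked.sort(key=lambda r: r[1])
    return ranked


if __name__ == "__main__":
    # Constructed inputs: roughly 2-8 ransomware attempts a year, 5-30% of which
    # succeed, costing 50k-1.5M each. The figures are illustrative only.
    summary = fair_ransomware_ale((2, 4, 8), (0.05, 0.15, 0.30),
                                  (50_000, 250_000, 1_500_000))
    for key, value in summary.items():
        print(f"annual loss {key:>5}: {value:>12,.0f}")

    # Qualitative: current expectancy 4, impact 5; the enterprise accepts a score of 6.
    acceptable = 6
    print("current score:", ram_style_score(4, 5))
    candidates = [("offline, tested backups", 4, 2),
                  ("phishing-resistant MFA", 2, 5),
                  ("both safeguards", 2, 2)]
    for name, score, ok in prioritize_safeguards(candidates, acceptable):
        print(f"{name:<24} residual {score:>2} {'acceptable' if ok else 'too high'}")
```

The quantitative path yields a loss distribution (median, 90th percentile, worst case) that can be compared with budgets and insurance limits; the qualitative path yields an ordinal score that is only meaningful relative to the acceptance threshold the enterprise has defined, which is why CIS RAM asks the enterprise to set that threshold first.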

As part of a general cybersecurity program, performing more than one type of assessment may be necessary.

For example, using the CIS Controls Self Assessment Tool to self-assess how well the enterprise's data and assets are protected by the CIS Controls, in conjunction with the CIS BIA tool to self-assess the enterprise's risk from a ransomware attack, can help an enterprise understand its potential exposure to a cyber event.

Keywords: self-assessment, CSAT Pro, CIS-Hosted CSAT, BIA, NCSR, RAM

Copyright © 2024

Center for Internet Security®