The CIS Critical Security Controls: what MSPs should be doing with them

When I talk to MSPs about security frameworks, I hear the same frustration. Too many of them. Not enough clarity about where to start. 

NIST. ISO 27001. Cyber Essentials. SOC 2. Most are written for enterprise security teams with dedicated compliance staff, not for MSPs managing 40 SMB clients with a team of 8. 

The CIS Critical Security Controls are different. They are practical, prioritized and built to stop the attacks that are happening right now. If you are going to standardize on one framework for client hardening, this is the one I would pick. 

What the CIS Controls are and why they matter for MSPs 

The Center for Internet Security publishes a set of 18 security controls designed to give organizations a prioritized, defensible approach to cybersecurity. Each control addresses a specific attack vector. The controls are ordered by impact: the first few stop the most attacks. 

That prioritization is what makes them useful in practice. They also connect directly to cyber insurance requirements. Most insurers reference them when assessing coverage. 

For MSPs, the CIS Controls do something frameworks like ISO 27001 do not. They translate directly into technical actions you take across client environments. This is not a paper exercise. It is a checklist of things you either have configured or you have not. 

The three implementation groups and how to use them 

The CIS Controls are organized into Implementation Groups (IGs) based on organizational complexity and risk profile. 

IG1 is your baseline for every SMB client you manage. It covers the controls every organization, regardless of size or sector, should have in place. If a client is not IG1 compliant, they are exposed to the most common attacks with no technical mitigation in place. 

IG2 builds on IG1 and applies to clients with more complex IT environments, including those handling sensitive data, operating in regulated sectors or managing significant internet-facing infrastructure. 

IG3 is enterprise territory. Most MSP clients do not need to aim for IG3. Focus your energy on getting every client to IG1 and your more complex clients to IG2. 

The 18 CIS Controls: what each one requires and where MSPs typically fall short 

Control 1: inventory and control of enterprise assets 

You cannot protect what you do not know exists. This control requires a complete, continuously maintained hardware asset inventory of all devices connected to the network. Most MSP clients have incomplete asset lists, particularly for IoT devices, BYOD endpoints and cloud-hosted assets. Your RMM is a starting point. Automated network discovery tools close the gap. 

Control 2: inventory and control of software assets 

Unauthorized software is a persistent attack vector. Attackers install tools. Employees install applications that introduce vulnerabilities. This control requires an inventory of all authorized software and active monitoring for anything outside that list. Application allowlisting is the gold standard. For SMB clients, start with a software inventory audit and a clear policy on authorized applications. 

Control 3: data protection 

Sensitive data needs to be identified, classified and protected in transit and at rest. For most SMB clients, this means knowing where their sensitive data lives, who has access to it and whether encryption is applied. Data sprawl across SharePoint, OneDrive, local drives and email attachments is the common problem. Data classification and DLP tools are the answer. 

Control 4: secure configuration of enterprise assets and software 

Default configurations are insecure by design. Every device, operating system and application that ships with default settings is running with known, exploitable weaknesses. This control requires documented secure baselines and active monitoring for configuration drift. CIS provides benchmarks for every major platform. Use them. 

Control 5: account management 

Every account is a potential entry point. This control covers the full lifecycle of user accounts: creation, management, de-provisioning and access reviews. Stale accounts from former employees, service accounts with excessive privileges and shared credentials are the common failures. Automate account de-provisioning on offboarding. Review privileged accounts quarterly. 

Control 6: access control management 

Least privilege is the principle. Every user and every application should have exactly the access they need and nothing more. Implementing role-based access control, removing standing administrative privileges and enforcing MFA on all privileged accounts are the core actions here. This is the control most directly linked to containing the blast radius of a compromised credential. 

Control 7: continuous vulnerability management 

New vulnerabilities are published every day. Without a process to identify, prioritize and remediate them on a continuous basis, your clients' environments are permanently behind the threat curve. Weekly automated vulnerability scanning, tracked against a remediation SLA, is the baseline. This is not optional in 2026. 

Control 8: audit log management 

Logs are how you find out what happened. Without centralized log collection, retention and monitoring, an attacker can spend weeks in a client's environment without leaving a visible trace. SIEM is the tool category here. Configure logging on every endpoint, server and network device. Retain logs for a minimum of 90 days. Review alerts.

Control 9: email and web browser protection 

Phishing and malicious web content are still the primary delivery mechanism for most attacks. This control covers email security, web filtering and browser configuration. DNS filtering, email authentication (SPF, DKIM, DMARC) and browser endpoint protection should be baseline for every client. If a client does not have DNS filtering, start there today. 
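The email authentication part of this control can be checked mechanically. The following is an added example for this article, not enhanced.io code: it parses SPF and DMARC TXT records (constructed samples for two hypothetical client domains) and reports the weak settings a baseline review should flag.

```python
"""Static checks on SPF and DMARC TXT records, the Control 9 email authentication
baseline. Added example for this article, not enhanced.io code. The records are
constructed samples; in practice fetch TXT for the domain and _dmarc.<domain> first."""
import re

SAMPLE_RECORDS = {  # constructed sample records for two hypothetical client domains
    "weak.example": {"spf": "v=spf1 include:spf.protection.outlook.com ?all",
                     "dmarc": "v=DMARC1; p=none;"},
    "hardened.example": {"spf": "v=spf1 include:spf.protection.outlook.com -all",
                         "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"},
}

def _mechanism(term: str) -> str:
    """'include:foo' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def check_spf(record: str) -> list[str]:
    """Findings for one SPF record; an empty list means it meets the baseline."""
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    terms, findings = record.split()[1:], []
    # 'all' decides the fate of unlisted senders: -all fails them, ~all only
    # softfails, and ?all, +all or no 'all' term at all authorise anyone.
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None or all_term[0] not in "-~":
        findings.append("SPF does not fail unlisted senders (missing or permissive 'all')")
    elif all_term.startswith("~"):
        findings.append("SPF uses softfail (~all); prefer -all")
    # RFC 7208 caps DNS-lookup mechanisms at 10; beyond that evaluation is a permerror.
    lookups = sum(_mechanism(t) in {"include", "a", "mx", "ptr", "exists", "redirect"} for t in terms)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Findings for one DMARC record; enforcement (p=reject) with reporting is the target."""
    if not record.startswith("v=DMARC1"):
        return ["no valid DMARC record"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC policy is p=none: monitoring only, nothing is enforced")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC applies to only {tags['pct']}% of mail")
    return findings

def assess_domain(domain: str, records: dict = SAMPLE_RECORDS) -> dict:
    return {"spf": check_spf(records[domain]["spf"]), "dmarc": check_dmarc(records[domain]["dmarc"])}
```

Running `assess_domain("weak.example")` shows the permissive `?all` and the monitor-only DMARC policy; the hardened domain returns empty lists for both checks.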

Control 10: malware defenses 

Malware defense has moved beyond antivirus. This control requires anti-malware tools on all endpoints with behavioral detection, not signature-based scanning alone. Modern EDR platforms with behavioral analysis are the standard. Review every client's endpoint protection to confirm they are running a current, actively monitored solution. 

Control 11: data recovery 

Backups are not a security control until they are tested. This control requires regular backups, protected from modification, with documented and tested recovery procedures. Ransomware attacks frequently target backup systems first. Air-gapped or immutable backup copies are the protection. If you cannot restore from backup in a tested, documented process, the backup is theoretical. 

Control 12: network infrastructure management 

Network segmentation limits the blast radius of a breach. Attackers who compromise one segment should not be able to move freely across the entire network. This control covers network architecture, segmentation and secure management of network devices. For SMB clients, this often means VLAN segmentation and firewall rules that have been reviewed in the last 12 months. 

Control 13: network monitoring and defense 

Network traffic is where attacker activity shows up. This control requires active monitoring of network traffic for anomalies, intrusion detection and the ability to detect lateral movement. IDS/IPS tools and network behavior analytics are the technology layer. Without active monitoring, attackers operate undetected for weeks. 

Control 14: security awareness and skills training 

Every employee is a potential entry point. Every employee is also a detection capability if they know what to look for. This control requires regular, role-appropriate security awareness training with phishing simulation. Quarterly training is the minimum. Monthly phishing simulations with tracked results give you data to show clients how their exposure is changing. 

Control 15: service provider management 

Your clients' security is only as strong as the third parties they trust with access to their systems. This control requires a process for assessing, onboarding and monitoring third-party service providers. For SMB clients, this often means reviewing which vendors have admin access to their systems and when that access was last reviewed. 

Control 16: application software security 

Applications are a primary attack vector. This control covers secure development practices, application security testing and third-party application vetting. For MSPs managing client environments, the practical focus is patch management for business applications, web application protection and enforcing software update policies. 

Control 17: incident response management 

When something goes wrong, the speed and quality of your response determines the outcome. This control requires a documented incident response plan, tested at least annually, with clear roles, communication protocols and escalation paths. For MSPs, this also means having a clear process for communicating with clients during an incident. 

Control 18: penetration testing 

Testing your own defenses before attackers do is the only way to find out whether your controls are working as intended. This control requires regular penetration testing, with findings tracked to remediation. Annual penetration testing is the baseline for most SMB clients. For clients in regulated sectors or with significant internet-facing infrastructure, more frequent testing is appropriate. 

Where to start 

Do not try to address all 18 controls at once. That is the fastest way to achieve nothing. 

Start with a gap assessment against IG1 for every client. Score each control. Prioritize the gaps by risk. Build a remediation plan with a timeline. Review progress quarterly. 

Controls 1 through 6 are your foundation: asset inventory, software inventory, data protection, secure configuration, account management and access control. Get those right and you close the majority of commodity attack paths.

Once IG1 is solid, work through IG2 for clients with more complex environments. And for every client, put continuous vulnerability management (Control 7) and audit log monitoring (Control 8) in place as soon as possible. Those two controls are the difference between finding out about a breach in 11 days and finding out in 11 months. 
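As an added example (not enhanced.io tooling), the following script carries out the scoring and prioritization steps above over a constructed two-client sample: it scores each client across the 18 controls, lists that client's gaps in CIS order, and rolls up which gaps are most common across the whole base.

```python
"""IG1 gap assessment across a client base: score each client, list its gaps in
CIS impact order and roll up the most common gaps fleet-wide. Added example for
this article, not enhanced.io tooling; the client data is a constructed sample."""
from collections import Counter

CONTROLS = {  # the 18 controls, numbered in CIS order, which is impact order
    1: "Inventory and control of enterprise assets", 2: "Inventory and control of software assets",
    3: "Data protection", 4: "Secure configuration of enterprise assets and software",
    5: "Account management", 6: "Access control management",
    7: "Continuous vulnerability management", 8: "Audit log management",
    9: "Email and web browser protection", 10: "Malware defenses", 11: "Data recovery",
    12: "Network infrastructure management", 13: "Network monitoring and defense",
    14: "Security awareness and skills training", 15: "Service provider management",
    16: "Application software security", 17: "Incident response management",
    18: "Penetration testing",
}
WEIGHT = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}

# Constructed sample: control number -> status; any control not listed counts as missing.
CLIENTS = {
    "acme-dental": {1: "partial", 2: "missing", 4: "implemented", 5: "implemented", 6: "partial",
                    7: "missing", 8: "missing", 9: "implemented", 10: "implemented",
                    11: "partial", 14: "implemented"},
    "north-law": {**{n: "implemented" for n in CONTROLS}, 7: "partial", 8: "missing"},
}

def status(client: dict, n: int) -> str:
    return client.get(n, "missing")

def score_client(client: dict) -> float:
    """Coverage percentage over all 18 controls; partial counts half."""
    return round(100 * sum(WEIGHT[status(client, n)] for n in CONTROLS) / len(CONTROLS), 1)

def prioritized_gaps(client: dict) -> list[tuple[int, str, str]]:
    """Every control not fully implemented, lowest control number (highest impact) first."""
    return [(n, CONTROLS[n], status(client, n)) for n in sorted(CONTROLS)
            if status(client, n) != "implemented"]

def fleet_gap_rollup(clients: dict) -> list[tuple[int, int]]:
    """(control, clients lacking it), most common first: what to remediate across the base."""
    counts = Counter(n for c in clients.values() for n, _, _ in prioritized_gaps(c))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, c in CLIENTS.items():
        print(f"{name}: {score_client(c)}% of controls in place; top gaps:")
        for n, title, st in prioritized_gaps(c)[:3]:
            print(f"  Control {n} ({title}): {st}")
    print("Most common gaps fleet-wide:", fleet_gap_rollup(CLIENTS)[:3])
```

In the sample, Controls 7 and 8 are the gaps shared by both clients, which is exactly the pair the text says to close first.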

Start with a gap assessment 

The question is not whether your clients need CIS Control alignment. The question is how many of them currently have it. 

The answer for most MSPs is: fewer than you think. 

Want to run a baseline CIS Control gap assessment across your client base?

Talk to us about how enhanced.io makes that systematic. 

FAQ

Are the CIS Controls mandatory?

No. They are a voluntary framework. They are referenced in cyber insurance applications, regulatory guidance and procurement requirements with increasing frequency. More importantly, they are the most practical hardening framework available to MSPs. The right question is: what is the most defensible thing you can do to protect your clients? This is it.

How do the CIS Controls relate to NIST and other frameworks?

What is the fastest way to get a client to IG1 compliance?

How do I use the CIS Controls in a client conversation?

Does enhanced.io map to the CIS Controls?

How often should I reassess a client against the CIS Controls?

About Author

Mark Duke

Mark Duke is CTO and co-founder of enhanced.io. He designed the SOC architecture on Stellar Cyber Open XDR and oversees all technical delivery across the platform.