Introduction
Most boards can identify that cybersecurity matters. Far fewer can answer the question an audit committee actually needs answered: is our security program reasonable?
Without a structured method, security spending tends to follow the loudest vendor pitch, the most recent incident, or a gut-level sense of what "enough" looks like. None of those approaches holds up to regulatory scrutiny — and the stakes are rising. According to IBM's 2024 Cost of a Data Breach Report, the average global breach cost reached $4.88 million in 2024, with financial services enterprises averaging $6.08 million per incident.
Those numbers make one thing clear: "reasonable" security requires more than good intentions. CIS RAM — the CIS Risk Assessment Method — gives boards, CISOs, and risk leaders a defensible answer. It connects the 18 CIS Critical Security Controls to actual business risk decisions, replacing reactive spending with a documented rationale that holds up to scrutiny.
What follows is a practical guide to CIS RAM: what it is, how it works, and why it matters for boards and executives responsible for oversight — not just operations.
TL;DR
- CIS RAM is a free method from the Center for Internet Security for justifying and prioritizing the 18 CIS Critical Security Controls
- Built on the DoCRA standard, it carries weight in legal and regulatory contexts, not just technical ones
- Three Implementation Groups (IG1, IG2, IG3) let organizations right-size their approach based on maturity and risk profile
- The five-step process moves from defining risk criteria to validating safeguards, with documented outputs at each step
- For boards and executives, CIS RAM answers "how much security is enough?" with evidence, not opinion
What Is the CIS Risk Assessment Method (CIS RAM)?
CIS RAM is a free information security risk assessment method developed by the Center for Internet Security in partnership with HALOCK Security Labs. Its purpose: help organizations assess, justify, and communicate their implementation of CIS Controls relative to their actual business risk tolerance.
The current version is CIS RAM v2.2, calibrated to CIS Controls v8.1.
The DoCRA Foundation
CIS RAM is built on the Duty of Care Risk Analysis (DoCRA) standard — a framework maintained by the DoCRA Council, a nonprofit that authors risk analysis principles aligned with judicial and regulatory expectations.
CIS RAM doesn't just tell you which controls to implement. It helps you determine whether your safeguards are reasonable — the standard that holds in courtrooms, regulatory examinations, and post-breach litigation. When a board or regulator asks whether your security program meets its duty of care, a CIS RAM assessment gives you a documented, principled answer.
What Makes It Different from a Generic Risk Assessment
Four characteristics separate CIS RAM from an ad hoc approach:
- Aligns directly with the 18 CIS Controls — not a generic risk catalog
- Scales to organizational maturity through IG1, IG2, and IG3 calibrated versions
- Grounds threat likelihood in real-world incident data from the VERIS Community Database (VCDB), replacing subjective guesses with empirical reference points
- Produces structured workbooks and templates reviewable by auditors, regulators, and legal counsel
The 18 CIS Critical Security Controls: What Executive Leaders Need to Know
The 18 CIS Critical Security Controls are a prioritized set of safeguards developed and maintained by a global practitioner community. Version 8.1 — the current release — reflects cloud, hybrid, and task-based environments, updated to align with NIST CSF 2.0 and evolving regulatory frameworks.
The Three Implementation Groups
CIS organizes the controls across three Implementation Groups that function as a tiering mechanism:
| Group | Profile | Safeguards Included |
|---|---|---|
| IG1 | Small/limited security expertise; low data sensitivity | 56 foundational safeguards |
| IG2 | Multiple departments; sensitive client data; moderate regulatory requirements | IG1 + 74 additional safeguards |
| IG3 | Sophisticated adversary exposure; stringent regulatory oversight | All controls and safeguards |

The right IG reflects where your organization actually sits today — not where you'd like to be. What matters is what's defensible given your current resources and risk profile.
The 18 Controls in Three Clusters
For executive readers, the controls organize into three functional clusters:
Know your environment (Controls 1–4)
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
What this protects against: attackers exploiting unknown or unmanaged assets, shadow IT, and misconfigured systems.
Manage access and vulnerabilities (Controls 5–8)
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
What this protects against: credential theft, privilege abuse, unpatched exploits, and invisible attacker activity.
Defend, respond, and test (Controls 9–18)
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
What this protects against: phishing, ransomware, supply chain compromise, and the inability to recover when incidents occur.
Four Controls That Matter Most at the Start
Four controls stand out as the highest-leverage starting points:
- Control 1 (Asset Inventory): Unknown and unmanaged assets are the first thing attackers exploit
- Control 6 (Access Control): Stolen or misused credentials are the leading cause of breaches
- Control 7 (Vulnerability Management): Unpatched systems remain the most common attacker entry point
- Control 11 (Data Recovery): Without tested backups, a ransomware incident can become an existential event
Cross-Framework Efficiency
CIS Controls v8.1 maps directly to NIST CSF 2.0, HIPAA, PCI-DSS v4.0, and ISO/IEC 27001:2022. For regulated organizations, this matters practically: a single CIS RAM implementation produces evidence that satisfies multiple regulatory requirements at once, rather than running parallel compliance workstreams.
Why CIS RAM Matters for Boards and Executive Risk Leaders
A 2025 Gartner survey found that 90% of non-executive directors lack a measure of confidence in cybersecurity value — with only 10% strongly agreeing that security investments balance protection and cost. That's a governance gap, and CIS RAM is built to close it.
What It Gives Boards That They Don't Currently Have
By drawing a clear line between acceptable and unacceptable risk, grounded in DoCRA's reasonableness standard, CIS RAM gives executives a defensible answer to the question regulators and plaintiffs inevitably ask: how did you decide your security program was sufficient?
Operational benefits for leadership include:
- Budget defensibility — clear prioritization of limited security investments against documented risk criteria
- Measurable progress — a baseline against which future assessments can show movement, not just assertions
- Plain-language board reporting — a risk register and posture summary that audit committees can actually evaluate
- Reduced litigation exposure — documented reasonableness is a recognized defense in post-breach review
- Faster alignment — a common language between technical teams and business leadership that doesn't require translation

The Right-Sizing Argument
CIS RAM's IG structure gives boards a documented rationale for scoping decisions. Full control implementation across every system isn't required. CIS RAM provides the reasoning to make that call defensibly.
That matters in three specific contexts: M&A due diligence, regulatory examination, and post-incident review. In each case, "we applied IG2 criteria and here's our documented rationale" is a far stronger position than "we did our best."
The SEC's 2023 cybersecurity disclosure rules now require public companies to describe their processes for assessing, identifying, and managing material cybersecurity risks, including board oversight. CIS RAM creates that documented process — with the risk criteria, scoping rationale, and control decisions that give those disclosures substance rather than boilerplate.
How CIS RAM Works: The Five Core Process Steps
CIS RAM Core consists of five structured activities. What distinguishes it from ad hoc assessments is that each step produces documented outputs — not just internal working notes. Here's how each step works:
Step 1 — Develop Risk Assessment Criteria and Risk Acceptance Criteria
This step defines what "acceptable risk" means for your organization: which harms matter most (confidentiality, integrity, availability), who the affected parties are, and what threshold of likelihood and impact the enterprise is willing to tolerate.
Skipping or rushing this step is the most common mistake in risk assessments. Every subsequent decision — what risks to treat, which safeguards to prioritize — flows from these criteria. Without them, you're making decisions with no clear standard to defend them against.
Step 2 — Model the Risks
Risk modeling evaluates your current CIS Safeguard implementation against foreseeable threats. CIS RAM v2.0+ uses the VCDB Index (drawn from Verizon's VERIS Community Database) to estimate how likely a given threat scenario is to occur given your current control environment.
This replaces "we think this is probably medium likelihood" with data-referenced estimates tied to real-world incident patterns across thousands of confirmed breaches.
Step 3 — Evaluate the Risks
This step applies your Step 1 criteria to your Step 2 models — producing a risk score and a determination of whether each identified risk is acceptable or requires treatment.
This is where boards get what they need: a defensible, documented view of risk posture. Not a list of vulnerabilities, but a ranked assessment of which risks exceed the organization's defined tolerance.
Step 4 — Recommend CIS Safeguards
Step 4 produces specific, prioritized recommendations for controls and safeguards that would bring unacceptable risks within the tolerance threshold. Recommendations are tied to business impact, not just technical scoring or vendor preference.
Step 5 — Evaluate Recommended Safeguards
The final step risk-analyzes the recommended safeguards themselves. Would implementing them create undue operational burden? Could they introduce new risks? This step reinforces the DoCRA principle that security measures must be proportionate to the risks they address.
The result is a documented record showing which risks each safeguard addresses, at what cost, and why the tradeoff is proportionate — the kind of evidence that supports audit committee review and regulator inquiries alike.

CIS RAM at a Glance: Five Steps, Five Outputs
| Step | Activity | Key Output |
|---|---|---|
| 1 | Define risk criteria | Documented tolerance thresholds |
| 2 | Model the risks | Data-referenced likelihood estimates |
| 3 | Evaluate the risks | Ranked, scored risk register |
| 4 | Recommend safeguards | Prioritized, business-aligned control list |
| 5 | Evaluate safeguards | Proportionality justification for investment |
CIS RAM in Practice: A Board-Level Scenario
A mid-sized financial services company faces a familiar situation: the audit committee asks leadership to demonstrate that the security program is "reasonable." No one can clearly answer that question. Here's how CIS RAM structures the response.
Steps 1–2: Setting Criteria and Modeling Threats
The team defines risk acceptance criteria based on two anchors: regulatory obligations (GLBA, state-level requirements) and customer data sensitivity. They select IG2 as their baseline given the firm's profile — dedicated security staff, sensitive client data, moderate regulatory exposure.
Threat modeling against the VCDB Index surfaces a familiar gap pattern. Two controls show significant exposure relative to real-world incident patterns for financial services:
- Access control (Control 6) — privileged account management and authentication gaps
- Vulnerability management (Control 7) — unpatched internet-facing systems exceeding remediation windows
The common mistake at this stage is setting risk thresholds based on internal comfort rather than external data. A threshold calibrated to "what leadership finds tolerable" without reference to actual incident likelihood produces a risk register that looks clean on paper but fails under scrutiny.
Steps 3–5: From Risk Scores to Board-Ready Plan
Risk evaluation against the defined criteria identifies three unacceptable risks:
- Privileged account access without multi-factor authentication
- Unpatched vulnerabilities in internet-facing systems older than 30 days
- No documented, tested account lifecycle management process
The team recommends specific safeguards from Controls 5, 6, and 7. Step 5 validates that each recommendation is proportionate — the cost and burden of implementation are defensibly lower than the cost of the risk it addresses.
The output: a risk register, a 90-day implementation plan with named owners and measurable outcomes, and a one-page board summary.
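The scoring behind Steps 3 and 5 above, applied to the scenario's register, as an added illustration that is not CIS RAM's own workbook or code. It assumes a simplified DoCRA-style model (impact and expectancy each on a 1..5 scale, risk score = impact × expectancy, an acceptance criterion of 9); the risk values, the safeguards, and the threshold are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed, simplified scoring for illustration (not the CIS RAM workbook):
# impact and expectancy each on a 1..5 scale, risk score = impact * expectancy,
# and a risk is acceptable when its score is at or below the Step 1 criterion.
ACCEPTANCE = 9  # constructed Step 1 risk acceptance criterion

@dataclass
class Risk:
    name: str
    control: int      # CIS Control the risk maps to
    impact: int       # 1..5, from the Step 1 impact criteria
    expectancy: int   # 1..5, Step 2 likelihood estimate (VCDB-referenced)

    def score(self) -> int:
        return self.impact * self.expectancy

@dataclass
class Safeguard:
    name: str
    control: int
    residual_expectancy: int  # expected likelihood once implemented (1..5)
    burden_impact: int        # harm the safeguard's own cost/burden would cause (1..5)
    burden_expectancy: int    # how likely that burden is to materialise (1..5)

    def burden_score(self) -> int:
        return self.burden_impact * self.burden_expectancy

def evaluate_risks(risks, acceptance=ACCEPTANCE):
    """Step 3: rank risks by score and flag those above the acceptance criterion."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), r.score() > acceptance) for r in ranked]

def evaluate_safeguard(risk, safeguard, acceptance=ACCEPTANCE):
    """Step 5: a safeguard is proportionate only if the residual risk AND the
    safeguard's own burden both fall within the acceptance criterion."""
    residual = risk.impact * safeguard.residual_expectancy
    burden = safeguard.burden_score()
    return {"safeguard": safeguard.name, "residual": residual, "burden": burden,
            "proportionate": residual <= acceptance and burden <= acceptance}

# Constructed register mirroring the scenario's three unacceptable risks,
# plus one risk that sits within tolerance so the ranking shows both cases.
RISKS = [
    Risk("Privileged access without MFA", 6, impact=5, expectancy=4),
    Risk("Internet-facing vulnerabilities unpatched > 30 days", 7, 4, 4),
    Risk("No documented, tested account lifecycle process", 5, 4, 3),
    Risk("Phishing reaching inboxes despite filtering", 9, 2, 4),
]
MFA_ADMIN = Safeguard("MFA for administrative access", 6, 1, 2, 2)
REBUILD = Safeguard("Rebuild all servers on an isolated network", 6, 1, 5, 4)

if __name__ == "__main__":
    print(evaluate_risks(RISKS))
    print([evaluate_safeguard(RISKS[0], sg) for sg in (MFA_ADMIN, REBUILD)])
```

The second safeguard is rejected in Step 5 not because it fails to reduce the risk but because its own burden exceeds the acceptance criterion, which is the proportionality test the page describes.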
What the Board Has Now
The assessment converts a vague belief that security was "adequate" into something tangible: a documented risk posture, a prioritized remediation plan tied to business impact, and a baseline that makes future progress measurable.
Security stops being a black box. It becomes an inspectable governance artifact — the kind of evidence an audit committee can act on and a regulator or opposing counsel can scrutinize.
How Tyson Martin Can Help
Tyson Martin is a board advisor and cybersecurity governance specialist with executive experience at AWS, Home Depot, and Best Buy. He contributes actively to the World Economic Forum's Centre for Cybersecurity and the NRF CISO Executive Committee, and has applied CIS Controls-aligned risk governance across financial services, healthcare, retail, and technology environments.
That experience points directly at the place most assessments break down: the gap between findings and board-ready communication. The risks are documented — but there's no clear escalation path, no decision-rights framework, no dashboard showing trend rather than trivia.
Engagements with Tyson typically produce:
- A plain-language risk register — top risks ranked by business impact, not technical severity score
- A decision-rights map — who accepts risk, who approves exceptions, who has authority to act
- A trend-based board dashboard — stable metrics that show movement, not noise
- A 90-day plan — sequenced fixes with named owners, due dates, and measurable outcomes

If your organization needs to conduct or validate a CIS RAM-aligned risk assessment, prepare findings for a board or audit committee, or establish a security program that can withstand regulatory scrutiny, reach out directly to discuss scope and next steps.
Frequently Asked Questions
What is the CIS RAM risk assessment method?
CIS RAM is a free information security risk assessment method from the Center for Internet Security, built on the DoCRA standard. It helps organizations evaluate and justify their implementation of the 18 CIS Critical Security Controls relative to their specific risk tolerance and business context, with documented outputs suitable for regulatory and legal review.
What are the 18 CIS Critical Security Controls?
The 18 CIS Critical Security Controls are a prioritized set of safeguards developed by a global security practitioner community. They are organized across three Implementation Groups based on organizational maturity and risk profile; v8.1 is the current release.
What are the 5 steps of a CIS RAM security risk assessment?
CIS RAM follows five steps, each producing documented outputs:
- Develop risk criteria and acceptance thresholds
- Model risks against current controls using real-world incident data
- Evaluate risk scores against the acceptance threshold
- Recommend specific safeguards to address unacceptable risks
- Validate that recommended safeguards are proportionate
How does CIS RAM differ from NIST CSF?
NIST CSF is outcome-focused — it defines what security results to achieve. CIS RAM is controls-focused — it specifies how to assess and justify specific safeguards. The two are complementary: CIS Controls v8.1 maps directly to NIST CSF 2.0, so organizations can use CIS RAM to operationalize NIST CSF goals with a controls-level implementation method.
What are CIS Implementation Groups and which one applies to my organization?
IG1 suits smaller organizations with limited security resources and low data sensitivity. IG2 fits organizations with dedicated IT security staff managing sensitive data and moderate regulatory requirements. IG3 applies to enterprises facing sophisticated adversaries and stringent regulatory oversight. CIS RAM calibrates its assessment to each level, so your IG selection directly shapes scope and depth.
How often should an organization conduct a CIS RAM assessment?
At minimum, annually. Beyond that, the FTC's Safeguards Rule guidance requires periodic reassessments in response to changes in operations, threats, or business circumstances — which means M&A activity, major technology transitions, leadership changes, or a security incident should each trigger a fresh assessment. Continuous monitoring of controls between formal assessments is expected, not optional.