CIS Critical Security Controls are popular with IT; ISO 27001 with leadership and certification bodies. Using both together works; duplicating the documentation is not required.
When CIS helps
- technical teams want priorities before full SoA;
- SME/SaaS with limited capacity — implementation group 1 first;
- bridge NCSC-style baseline and Annex A with concrete controls.
When CIS is not enough
ISO 27001 requires a PDCA (Plan-Do-Check-Act) cycle: risk assessment, SoA rationale, internal audit, management review, continual improvement. CIS alone delivers neither a certificate nor a governance trail.
Practical mapping
Map CIS to Annex A in one matrix; one evidence map tagged CIS/ISO. More: ISMS and Annex A.
In 2026 many Dutch SMEs use CIS IG1 as a starting point and document in the SoA that implementing IG1 is the chosen risk treatment for baseline threats. Auditors accept that when the rationale and the residual risk are explicit.
Avoid two parallel evidence folders: tag existing ISO evidence with CIS control IDs in one matrix. IT sees priority; auditors see Annex A coverage — without double-uploading the same screenshot.
When expanding CIS to IG2/IG3, update the risk assessment and the management review. Scope expansion without a board decision is a common finding in surveillance audits.
One matrix, two audiences
IT prefers CIS because its controls are concrete and prioritised. Leadership and certification bodies speak ISO 27001. A single mapping matrix — CIS control, Annex A reference, owner, evidence location — prevents debate during surveillance audits about what is in scope.
Start with Implementation Group 1 and record in the risk assessment which threats you cover. Residual risk for IG2/IG3 belongs explicitly in management review, including planned investment or accepted exception.
Use the matrix for security questionnaires too: many questions map directly to IG1 topics (MFA, patching, backups). A short reference to your matrix and evidence saves hours of rewriting per customer.
Review the matrix at least annually or after major cloud or SaaS changes. Stale mappings are a common finding when auditors sample access management and logging.
Present the matrix in the management review on one slide: IG1 coverage, open IG2 items, planned investment. Leadership need not become CIS experts — but should see that priority and residual risk are explicit. That prevents surprises with certification bodies.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
