IT-Security Gap Analysis: CIS-20 Critical controls

Pragmatic IT-Security

Deloitte has developed a practical approach to IT security, based on 20 Critical IT-Security Controls "CIS-20".


Finding a practical balance between IT security risks and associated controls is a challenge.

Most organisations struggle to develop a practical IT security programme. The challenge is simply where to start and which initiatives to prioritise. The potential pitfalls can be either to overimplement, or even worse, underimplement IT security measures.

Our approach

We have developed a system of profiles based on 20 Critical Controls (CIS-20). This enables your organisation to deep dive into specific topics or start from the Security Profile and work from that foundation.

An in-depth analysis that forms the basis for working with IT security in the years ahead, aimed at reaching a specific IT Security Profile (the future state of security). The other profiles build on this gap assessment.

  • Approach based on CIS-20 (critical IT security controls) and the recommendations
  • Definition of the organisation's current IT Security Profile (A)
  • Definition of the new targeted IT Security Profile (B)
  • Specification of how the organisation gets from A to B
  • Assessment of implementation time and operating time

For organisations that want to secure Management support for measurable improvements in the Security Profile. The Management Profile gives the IT department and Management a tool that forms the basis for a constructive and targeted dialogue on measurable improvements of IT security and an assessment of risks.

  • Based on a practical approach to IT security, we cover critical questions with Management to ensure that the important dimensions of security have Management involvement
  • Management is presented with the most important results from the GAP Analysis
  • Management can assess whether it itself constitutes an IT security risk.

(The Security Profile is a prerequisite for the Management Profile.)

Helps the organisation transform the measurable IT Security Profile (#1) into a risk picture that can form the basis for Management's choice of what level of risk the organisation will accept. This is packaged in 11 IT security projects that cover the most important areas for mitigating IT security risk and include specific figures for costs and time consumption. This profile also includes appropriate tools and the degree to which they are implemented over time.

  • Helps the organisation translate the current Security Profile into a risk analysis and sets out the projects needed to mitigate the identified risk to an acceptable level in terms of cost and time consumption.
  • Transforms IT security into a detailed risk analysis based on the Security Profile and relevant risks assessed by probability and consequence.
  • Links risk, mitigation, finance and CSC controls
  • Shows the order in which risks should be mitigated
  • Is DIRECTLY in line with the requirements for processing security in the GDPR

(The Security Profile is a prerequisite for the Risk Profile.)

Ensures that all selected measurements are performed regularly and that the results are checked against the 'CIS CSC Measuring Companion' as 'true' (green) or 'false' (red). All indicators marked with a red background colour are non-compliance events caused by KPI violations. For the sake of compliance and IT audit, organisations should create a service desk ticket for each event and include the ticket owner, the deadline to resolve and a resolution description.

  • Ensures that what you 'say you do' to secure the organisation is also what you actually do, and that what you do is effective in mitigating security breaches.
  • This is done by following the CIS CSC guidelines for effective controls for IT security.

(The Security Profile is a prerequisite for the Risk Profile.)
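To make the measurement-to-ticket loop above concrete, here is an added illustration (not Deloitte's tooling or the CIS Measuring Companion itself): each periodic KPI result is evaluated to green or red, and every red indicator becomes a ticket record with owner, deadline and resolution field. The control identifiers, KPI names and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample results from one measurement run. A KPI is either a
# pass/fail check (bool) or a numeric value with a maximum allowed "limit".
# Control numbers and limits are hypothetical, not the official CIS values.
MEASUREMENTS = [
    {"control": "CSC-1.4", "kpi": "asset_inventory_reconciled", "value": True},
    {"control": "CSC-3.4", "kpi": "critical_patch_age_hours", "value": 96, "limit": 72},
    {"control": "CSC-4.3", "kpi": "admin_accounts_without_mfa", "value": 2, "limit": 0},
    {"control": "CSC-6.2", "kpi": "central_logging_enabled", "value": False},
]


@dataclass
class Ticket:
    """One service desk ticket per non-compliance (red) event."""
    control: str
    kpi: str
    owner: str
    deadline: date
    resolution: str = ""  # filled in by the owner when the event is closed


def evaluate(measurement):
    """Return 'green' when the KPI is compliant, 'red' when it is violated."""
    value = measurement["value"]
    if isinstance(value, bool):          # true/false style indicator
        return "green" if value else "red"
    return "green" if value <= measurement["limit"] else "red"


def open_tickets(measurements, owner, today, days_to_resolve=14):
    """Create a ticket for every red indicator so each event is tracked to closure."""
    return [
        Ticket(m["control"], m["kpi"], owner, today + timedelta(days=days_to_resolve))
        for m in measurements
        if evaluate(m) == "red"
    ]


def compliance_summary(measurements):
    """Per-control status, as it would appear on the green/red dashboard."""
    return {m["control"]: evaluate(m) for m in measurements}


if __name__ == "__main__":
    for control, status in compliance_summary(MEASUREMENTS).items():
        print(control, status)
    for t in open_tickets(MEASUREMENTS, owner="it-security", today=date.today()):
        print("ticket:", t)
```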

This profile provides a structured description of all the mitigation measures selected within the 20 Critical Security Controls. It is used as part of the documentation requirement for the Controls Profile and is most valuable when purchased together with the Controls Profile.

  • This profile ensures that there is one correct description of the processes for the mitigation measures selected by the organisation.
  • Here, we refer to the Controls Profile and describe process purposes, actions and the link to ISO 27001/ISO 27002.

(The Security Profile is a prerequisite for the Process Profile.)

For all organisations required to comply with Article 32 on security of processing. This profile is a tool that solves the task of ensuring a risk-based assessment and implementation of relevant and adequate security of processing.

  • Calculates the measurable risk of data processing: the present and the desired risk levels
  • Provides an overview of processing activities and instructs on relevant technical as well as organisational mitigation needs.

By setting requirements for subcontractors and partners in the form of a predefined security profile, the supplier can ensure and document that subcontractors and partners do not pose a security risk to the organisation.

  • The supplier defines a level of IT security that the partner is required to meet, based on the CIS 20 CSC / BitSight © score.
  • The profile meets the ISO 27001/27002 requirements for managing partners and suppliers.

Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in the area of cyber risk and security services. We are awarded and acknowledged by some of the most renowned institutions within the area of cyber, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners of which 1,300 are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk — from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient and silo-breaking solutions, taking the whole business chain into account. This helps our clients to leverage their potential and growth even more.

Reach out

Would you like to know more about the different profiles? Contact our experts.

Christian Schmidt

