Non-technical CIS (Center for Internet Security) cyber security assessments are becoming increasingly prevalent as organizations recognize the importance of assessing their cybersecurity posture and identifying vulnerabilities. The CIS Controls provide a framework of best practices for organizations to improve their cybersecurity posture, and non-technical assessments based on these controls can be a valuable tool for organizations of all sizes and types.
In recent years, there has been a growing emphasis on the importance of non-technical assessments in addition to technical assessments. Non-technical assessments focus on the policies, procedures, and people aspects of an organization's cybersecurity, rather than just the technical controls. This can include areas such as governance, risk management, compliance, and training.
Non-technical assessments can be particularly valuable for organizations that have already implemented technical controls but want to ensure that their overall cybersecurity posture is strong. They can also be useful for organizations that do not have a dedicated cybersecurity team or technical expertise in-house.
Overall, the prevalence of non-technical CIS cyber security assessments is likely to continue to increase as organizations seek to improve their cybersecurity posture and protect against cyber threats.
The Center for Internet Security (CIS) provides a framework of cybersecurity best practices known as the CIS Controls. These controls can be used by organizations of all sizes and industries to improve their cybersecurity posture. Therefore, there is no typical size of an organization doing non-technical cyber assessments using CIS.
While larger organizations may have more complex cybersecurity needs and may require more extensive assessments, smaller organizations may also need to assess their cybersecurity posture to identify and address vulnerabilities. In fact, smaller organizations are often targeted by cybercriminals precisely because they may have fewer cybersecurity resources.
Organizations of any size can benefit from non-technical cyber assessments using CIS, as these assessments can help identify and address vulnerabilities in an organization's systems and processes. Ultimately, the size of the organization conducting or receiving non-technical cyber assessments using CIS can vary widely, and the assessments can be valuable for organizations of any size.
The cost of a non-technical cyber assessment, such as the CIS IG1, IG2, or IG3 assessment, can vary widely depending on the scope of the assessment, the complexity of the organization's infrastructure and operations, and the expertise and reputation of the advisory company conducting the assessment.
However, as a rough estimate, the cost of a non-technical cyber assessment may range from a few thousand dollars to tens of thousands of dollars, or even more for larger and more complex organizations.
It's important to note that the cost of a non-technical assessment may include not only the actual assessment but also any remediation efforts that are needed to address vulnerabilities identified during the assessment. Therefore, organizations should consider the overall value and benefits of a non-technical assessment, such as improving their security posture and reducing the risk of cyber attacks, when evaluating the cost.