CIS Controls accreditation offers CIS SecureSuite Members the ability to provide CIS Critical Security Controls implementation and/or assessment with the assurance that they have met the consistent and rigorous standards that CIS expects. This program, powered by internationally respected accreditor CREST, offers service providers a “stamp of approval” at the organization level, assuring that their customers can feel confident that they are doing business with a reputable and reliable CIS Controls assessment organization.
CIS SecureSuite Membership is required to apply for this accreditation. The following CIS SecureSuite Member types are eligible and can start the application process by emailing CREST* directly at [email protected]:
*CREST membership is not required.
Fee | GBP | USD | SGD | AUD | EUR |
---|---|---|---|---|---|
Fee for CREST members | 1,200 | 1,500 | 2,000 | 2,000 | 1,250 |
Fee for non-CREST members | 2,000 | 2,500 | 3,250 | 3,250 | 2,250 |
The CREST application portal will automatically assign tasks based on the application. After completing the application, the applicant will receive the tasks that need to be completed to progress the application.
Please complete our online form to start your application: Apply to start a CIS accreditation
The application form is split into several tasks. These tasks can be completed concurrently and by separate individuals.
The core assessment tasks are:
The assessment process assures that the organization is reputable and adheres to the code of conduct.
The organization must successfully complete the CIS assessment with CREST. You may market and sell your services with the CIS Controls Accredited badge only after your organization has been awarded CIS Controls accreditation. The badge will be provided to you at that time.
CIS and CREST are two industry leading non-profit organizations focused on improving standards and digital trust within the cyber security industry. Both are highly respected brands within the industry and this partnership combines CREST’s expertise in accreditation and CIS’s rigorous standards.
The partnership provides a new way for suppliers to offer Controls assessment with a stamp of approval and a means for organizations seeking Controls assessment to feel confident that they have selected a provider who has demonstrated proficiency in conducting assessments.
All organizations with a qualified CIS SecureSuite Membership can apply for this accreditation.
Qualified CIS SecureSuite Memberships include:
The accreditation is suitable for any of these CIS member types that provide CIS Controls implementations, audits, and/or assessments to clients.
Organizations looking to have an assessment or audit of their implementation of the CIS Controls would benefit from the services of a CIS Controls Accredited organization. Organizations wishing for assistance with their implementation of CIS Controls would also benefit from the services of a CIS Controls Accredited organization.
Accreditation costs $2,500 USD in addition to your normal CIS SecureSuite membership. This is an annual cost. The CREST members’ cost is $1,500.
No, it is not necessary to be a CREST member.
However, CREST Member Companies will receive a 40% discount on the Accreditation cost.
To find out more information about joining CREST please visit: About Membership
In addition, to be eligible to deliver services assuring MSPs for the GTIA Cybersecurity Trustmark you must be both a CREST Member and CIS Controls Accredited.
CREST will be carrying out the accreditation on behalf of CIS, using requirements set by CIS.
This is a CIS accreditation to requirements set by CIS, managed and extended by CREST.
CREST will review and approve applications on behalf of CIS.
To register your interest and to start the process please email: [email protected]
Any queries related to the CIS Controls should be directed to: [email protected]
There are no separate levels of Controls Accreditation.
Yes, this is a global accreditation.
The Accreditation is valid for 12 months, after which it must be renewed.
Annual reviews consist of a shorter assessment with a full assessment once every three (3) years.
The application assessment process will be concluded within six (6) weeks of a completed submission, subject to any feedback and resubmission.
Organizations will be asked to provide responses to a series of questions designed to assess the organization and their governance around delivering CIS Controls assessments.
This will include elements such as, but not limited to:
Full details will be available in the application form.
Yes, individuals conducting assessments on behalf of your organisation must hold one of the following certifications to be eligible for CIS Controls Accreditation:
GIAC Critical Security Controls Certification (GCCC): This certification is available through SANS and aligns with the CIS Controls framework. Learn more about GIAC Certifications or SANS SEC 566: Implementing and Auditing CIS Controls course, which includes the GCCC certification.
CIS Controls Mastery Course for MSPs: Offered by Black Hills Information Security (BHIS), this course includes certification and is designed specifically for Managed Service Providers. Learn more about the CIS Controls Mastery Course for MSPs.
Accreditation requires organizations to maintain a CIS SecureSuite Membership. The acceptable levels of Membership are:
You can apply for a CIS SecureSuite Membership online: https://www.cisecurity.org/cis-securesuite
For organizations interested in becoming a CREST member, get in touch via email: [email protected]
Should you wish, you can cancel your Accreditation at any time by contacting your CIS Customer Success representative. Once cancelled, you will need to remove all mention of the accreditation from marketing materials, letterheads, etc.
Please note: Should you cancel your accreditation part way through an accreditation period, no refund of part fees will be provided.
In the event your CIS SecureSuite Membership is void or is not renewed, the CIS Controls Accreditation will no longer be applicable or valid.