CIS Controls Accreditation

CIS Controls accreditation offers CIS SecureSuite Members the ability to provide CIS Critical Security Controls implementation and/or assessment with the assurance that they have met the consistent and rigorous standards that CIS expects. This program, powered by internationally respected accreditor CREST, offers service providers a “stamp of approval” at the organization level, assuring that their customers can feel confident that they are doing business with a reputable and reliable CIS Controls assessment organization.

Benefits of CIS Controls Accreditation

For Member Organizations

Provide your customers with the assurance that your organization has met CIS standards for CIS Controls assessment
Enjoy the added visibility of having your organization listed on the CIS website as a CIS Controls Accredited organization
Market and sell your services with the CIS Controls Accredited badge

For Customers

Be confident that you are engaging with qualified service providers to assess and improve your cybersecurity posture through a CIS Controls-accredited organization
Service providers will also have signed up to the CIS code of conduct

CIS Controls Accreditation Eligibility

CIS SecureSuite Membership is required to apply for this accreditation. The following CIS SecureSuite Member types are eligible and can start the application process by emailing CREST* directly at [email protected]:

CIS SecureSuite Product Vendor Membership
CIS SecureSuite Consulting and Services Membership
CIS SecureSuite Controls Membership

*CREST membership is not required.

Application Fee

	GBP	USD	SGD	AUD	EUR
Fee for CREST members	1,200	1,500	2,000	2,000	1,250
Fee for non-CREST members	2,000	2,500	3,250	3,250	2,250

Applying for CIS Controls Accreditation

Contact [email protected] to begin the application and get access to the CREST application portal.

The CREST application portal will automatically assign tasks based on the custom fields the applicant has selected. After completing the application, the applicant will receive the tasks that need to be completed to progress the application forward.

Application Tasks

The application form is split into several tasks. These tasks can be completed concurrently and by separate individuals.

The core assessment tasks are:

Company details and insurances – To assess the suitability of your organization, including insurances
General policies and procedures – To assess the core organizational policies and procedures, covering elements such as HR, Training, Information Security, Quality Management and Complaint handling
CIS Controls Accreditation – To assess your approach to delivering services, covering elements such as the governance of around assessments, how you handle client data, and the use of suitably qualified individuals, including evidence of certification to GIAC Critical Controls Certification.

The assessment process assures that the organization is reputable and adheres to the code of conduct.

CIS Controls Accreditation Approval

The organization must successfully complete the CIS assessment with CREST. You may market and sell your services with the CIS Controls Accredited badge only after your organization has been awarded CIS Controls accreditation. The badge will be provided to you at that time.

CIS Controls Accreditation FAQs

Why are CIS and CREST partnering on this program?

CIS and CREST are two industry leading non-profit organizations focused on improving standards and digital trust within the cyber security industry. Both are highly respected brands within the industry and this partnership combines CREST’s expertise in accreditation and CIS’s rigorous standards.

The partnership provides a new way for suppliers to offer Controls assessment with a stamp of approval and a means for organizations seeking Controls assessment to feel confident that they have selected a provider who has demonstrated proficiency in conducting assessments.

Who is eligible to join this program?

All organizations with a qualified CIS SecureSuite Membership can apply for this accreditation.

Qualified CIS SecureSuite Memberships include:

CIS SecureSuite Product Vendor Membership
CIS SecureSuite Consulting and Services Membership
CIS SecureSuite Controls Membership

The accreditation is suitable to any of these CIS member types that provide CIS Controls implementations, audits, and/or assessments to clients.

Who would buy services from accredited organizations?

Organizations looking to have an assessment or audit of their implementation of the CIS Controls would benefit from the services of a CIS Controls Accredited organization. Organizations wishing for assistance with their implementation of CIS Controls would also benefit from the services of a CIS Controls Accredited organization.

What do I get as an accredited organization?

Member of a select group of organizations who meet extra quality standards to implement, assess and audit CIS Critical Security Controls
Independent, verifiable quality assurance that my organization meets CIS standards which provides credibility, inspires customer confidence and distinguishes my organization from others
Market access through supplier uptake
Your company promoted as an accredited organization on the CIS website
Exclusive use of the CIS Controls Accredited badge to use to promote your services
CREST Members: additional listing on the CREST Website

How much does accreditation cost?

Accreditation costs $2,500 USD in addition to your normal CIS SecureSuite membership. This is an annual cost. The CREST members’ cost is $1,500.

Do I have to be a CREST member to be accredited?

No, it is not necessary to be a CREST member.

However, CREST Member Companies will receive a 40% discount on the Accreditation cost.

To find out more information about joining CREST please visit: https://www.crest-approved.org/membership/joining-crest/

What is CREST’s role in the process?

CREST will be carrying out the accreditation on behalf of CIS, using requirements set by CIS.

Is this a CIS or CREST accreditation?

This is a CIS accreditation to requirements set by CIS, managed and extended by Crest.

CREST will review and approve applications on behalf of CIS.

To register your interest and to start the process please email: [email protected]

Any queries related to the CIS Controls should be directed to: [email protected]

Are there different levels of accreditation?

There are no separate levels of Controls Accreditation.

Is this a global accreditation?

Yes, this is a global accreditation.

How long is the accreditation valid for?

The Accreditation is valid for 12 months, after which, it must be renewed.

Annual reviews consist of a shorter assessment with a full assessment once every three (3) years.

How long does the accreditation process take?

The application assessment process will be concluded within six (6) weeks of a completed submission, subject to any feedback and resubmission.

What do I need to demonstrate to be accredited?

Organizations will be asked to provide responses to a series of questions designed to assess the organization and their governance around delivering CIS Controls assessments.

This will include elements such as, but not limited to:

Organizational details
Insurances
Policies and procedures related to HR and training
Information security management
Quality Management
Complaint handling
Governance around service delivery
Data handling
Employee certifications

Full details will be available in the application form.

Does my team need any specific skills, experience, or certifications?

Yes, individuals who are performing assessments on behalf of your organization will need to hold a valid GIAC Critical Controls Certification (GCCC).

Do I need CIS SecureSuite Membership?

Accreditation requires organizations to maintain a CIS SecureSuite Membership. The acceptable levels of Membership are:

CIS SecureSuite Product Vendor Membership
CIS SecureSuite Consulting and Services Membership
CIS SecureSuite Controls Membership

How do I get a CIS SecureSuite Membership?

You can apply for a CIS SecureSuite Membership online: https://www.cisecurity.org/cis-securesuite

How do I join CREST?

For organizations interested in becoming a CREST member, get in touch via email: [email protected]

How do I cancel my Accreditation?

Should you wish, you can cancel your Accreditation at any time by contacting your CIS Customer Success representative. Once cancelled, you will need to remove all mention of the accreditation from marketing materials, letterheads etc.

Please note: Should you cancel your accreditation part way through an accreditation period, no refund of part fees will be provided.

In the event your CIS SecureSuite Membership is void or is not renewed, the CIS Controls Accreditation will no longer be applicable or valid.