CIS Controls v8.1 for Small Business: How Canadian SMBs Can Build a Real Cybersecurity Program (2026)


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

Most Canadian SMBs do not need a new security framework. They need an opinionated checklist they can finish. CIS Controls v8.1, published by the Center for Internet Security, is that checklist: 18 controls, 153 safeguards, three Implementation Groups. It is free, it maps to PIPEDA and Bill C-8 obligations, and it answers every question on a 2026 cyber insurance renewal. This playbook walks through what to adopt, in what order, and with what tools.

Key Takeaways

  • CIS Controls v8.1 contains 18 controls and 153 safeguards split across three Implementation Groups (IG1, IG2, IG3) so SMBs can scope coverage to risk.
  • Most Canadian SMBs target IG1 first: 56 safeguards across 15 controls, deliverable by an MSP without dedicated security staff.
  • CIS v8.1 maps natively to NIST CSF 2.0, the Canadian Centre for Cyber Security baseline, OSFI E-21, PIPEDA, and Bill C-8 expectations.
  • A 90-day IG1 rollout sequences inventory, identity, endpoints, patching, backup, and tabletop, in that order.
  • The six highest-impact controls cover roughly 80 percent of cyber insurance questionnaire scoring on a clean deployment.


What are CIS Controls v8.1, and why do Canadian SMBs adopt them?

The CIS Controls v8.1 give Canadian SMBs a prioritized 18-control baseline, and the Canadian Centre for Cyber Security (2025) maps its Baseline Cyber Security Controls to the same fundamentals: asset inventory, MFA, patching, backups, and incident response.

CIS Controls v8.1 are 18 prioritized cybersecurity controls and 153 safeguards published by the Center for Internet Security. The 8.1 release (2024) refreshes governance language, updates NIST CSF 2.0 mappings, and clarifies several IG1 safeguards without altering structure.

Canadian SMBs adopt v8.1 because it is prescriptive where NIST CSF 2.0 is descriptive. CSF tells leadership what outcomes to measure. CIS tells the engineer what to configure on Monday morning. The Canadian Centre for Cyber Security baseline controls overlap CIS IG1 by roughly 90 percent, so a CIS-aligned program satisfies federal guidance with one operating layer instead of two.

The 18 CIS Controls grouped into Implementation Groups (IG1, IG2, IG3)

Statistics Canada’s survey of cyber security and cybercrime finds that small and medium businesses absorb a disproportionate share of incident impact while running the leanest security teams.

Implementation Groups scope the framework to organizational risk. IG1 is essential cyber hygiene for SMBs under roughly 100 employees, with 56 safeguards across 15 of 18 controls. IG2 adds 74 safeguards for regulated mid-market organizations. IG3 adds 23 more for high-value or critical service providers.

 #  | Control                              | IG1     | IG2 | IG3
 1  | Inventory of Enterprise Assets       | Yes     | Yes | Yes
 2  | Inventory of Software Assets         | Yes     | Yes | Yes
 3  | Data Protection                      | Yes     | Yes | Yes
 4  | Secure Configuration                 | Yes     | Yes | Yes
 5  | Account Management                   | Yes     | Yes | Yes
 6  | Access Control Management            | Yes     | Yes | Yes
 7  | Continuous Vulnerability Management  | Yes     | Yes | Yes
 8  | Audit Log Management                 | Partial | Yes | Yes
 9  | Email and Web Browser Protections    | Yes     | Yes | Yes
10  | Malware Defenses                     | Yes     | Yes | Yes
11  | Data Recovery                        | Yes     | Yes | Yes
12  | Network Infrastructure Management    | Yes     | Yes | Yes
13  | Network Monitoring and Defense       | No      | Yes | Yes
14  | Security Awareness Training          | Yes     | Yes | Yes
15  | Service Provider Management          | Yes     | Yes | Yes
16  | Application Software Security        | No      | Yes | Yes
17  | Incident Response Management         | Yes     | Yes | Yes
18  | Penetration Testing                  | No      | Yes | Yes

Source: CIS Implementation Group definitions. The three controls deferred at IG1 (13, 16, 18) are the right deferral for an SMB without a SOC, in-house dev team, or annual pentest budget.

Why most Canadian SMBs target IG1 first

Microsoft and CISA both report that multi-factor authentication blocks the large majority of account-takeover attacks, which is why it is the highest-leverage control most Canadian SMBs can deploy.

IG1 is the realistic floor and the right starting line. It covers essential hygiene, satisfies the Canadian Centre for Cyber Security baseline, closes a 2026 cyber insurance questionnaire, and an MSP can operate it end to end without a dedicated security analyst on the client side.

Citation capsule. The Canadian Centre for Cyber Security Baseline Cyber Security Controls for Small and Medium Organizations aligns roughly 90 percent with CIS IG1, with no IG1 safeguard absent from the CCCS baseline as of the current revision.

IG2 makes operational sense once a Canadian SMB crosses three thresholds: a vCISO relationship, mature centralized logging, and a documented annual pentest cadence. Below those thresholds, IG2 spend produces shelfware. Above them, it produces defensible audit evidence.

IG3 is rarely the right scope below 500 users. The exception is a smaller business serving critical infrastructure or holding regulated data at scale, where contractual terms force the deeper safeguards regardless of headcount.

The 6 highest-impact CIS controls for Canadian SMBs

According to the Canadian Centre for Cyber Security (2025), ransomware remains the top cybercrime threat to Canadian organizations, with state-sponsored and AI-assisted attacks increasing both the pace and the sophistication of intrusions.

Inside IG1, six controls do most of the work. They close the bulk of insurance questionnaires, mitigate roughly 80 percent of the techniques an SMB actually faces, and produce the cleanest evidence on a regulator request.

Control                  | Tool                                  | Effort  | Outcome
1. Asset Inventory       | NinjaOne                              | 2 weeks | Every device known and managed
5. Account Management    | Microsoft Entra ID                    | 2 weeks | Joiner, mover, leaver discipline
6. Access Control (MFA)  | Microsoft Entra ID + Intune           | 3 weeks | Phishing-resistant MFA everywhere
10. Malware Defenses     | SentinelOne or Defender for Endpoint  | 2 weeks | Managed EDR on every endpoint
11. Data Recovery        | Veeam                                 | 3 weeks | Immutable backup with tested restore
14. Awareness Training   | Microsoft Defender phishing sims      | Ongoing | Quarterly sims, board-ready reporting

The six map cleanly to the eight questions every Canadian carrier asks at renewal. A clean deployment of these controls turns the questionnaire into a copy-paste exercise rather than a discovery exercise.

Mapping CIS Controls to PIPEDA, Bill C-8, OSFI E-21, cyber insurance

CIS does not replace privacy law. It operationalizes it. Every Canadian regulatory expectation that touches IT security translates to a specific set of CIS controls, and that mapping is what auditors and underwriters actually want to see.

Regulator or instrument | Core requirement                                        | Mapped CIS controls
PIPEDA                  | Reasonable safeguards, breach reporting                 | 3, 6, 8, 11, 17
Bill C-8 (CCSPA)        | Cyber program, incident reporting (designated sectors)  | 1, 5, 6, 8, 17
OSFI E-21               | Operational risk, third-party, recovery                 | 11, 15, 17
Cyber insurance (2026)  | MFA, EDR, immutable backup, IR plan, training           | 5, 6, 9, 10, 11, 14, 17
CCCS Baseline           | Federal SMB security baseline                           | Most of IG1

The Government of Canada PIPEDA requirement for safeguards is principle-based, not prescriptive. CIS turns the principle into auditable line items. Bill C-8 would create the Critical Cyber Systems Protection Act and codify cyber program obligations for designated federally regulated sectors.

The 90-day CIS IG1 rollout plan

An IG1 rollout for a 50 to 150 user Canadian SMB takes 90 to 120 days when an experienced MSP runs it. The sequence is non-negotiable: inventory before tooling, identity before endpoints, backup verification before any other recovery work.

Phase                               | CIS controls | Duration       | Owner
1. Asset and software inventory     | 1, 2, 15     | Weeks 1 to 3   | MSP + Owner
2. Identity hardening               | 5, 6         | Weeks 3 to 6   | MSP
3. Endpoint and email defenses      | 9, 10, 12    | Weeks 5 to 8   | MSP
4. Patch and configuration baseline | 4, 7         | Weeks 6 to 10  | MSP
5. Backup and tested restore        | 3, 11        | Weeks 8 to 12  | MSP
6. Training, IR plan, tabletop      | 14, 17       | Weeks 10 to 13 | MSP + Leadership

Across Fusion Computing IG1 deployments, the most common 90-day blocker is not technical. It is the data classification workshop in Phase 1 that maps where regulated data lives. Skip it and Phases 5 and 6 protect the wrong files.

Tools FC deploys per CIS control

The toolset is opinionated by design because operational overhead has to be predictable across dozens of clients. Substituting one component for another is fine on paper and expensive in practice once an incident lands.

Stack at a glance. Identity: Microsoft Entra ID + Microsoft Intune. Endpoint: SentinelOne or Microsoft Defender for Endpoint. Patch and asset: NinjaOne. Data classification and DLP: Microsoft Purview. Backup: Veeam (immutable repositories with tested restore). Network: Fortinet FortiGate. Awareness training: Microsoft Defender phishing simulation.

Each tool maps to specific CIS controls so audit evidence flows out of the tool rather than out of a spreadsheet. Entra ID handles Controls 5 and 6. Intune extends Control 4 to mobile and BYOD. SentinelOne or Defender for Endpoint carry Control 10. Veeam owns Control 11 immutability. Purview handles Control 3 data protection. NinjaOne owns Controls 1, 2, and 7. FortiGate covers Control 12.

Common CIS adoption mistakes

Three mistakes sink CIS programs faster than budget pressure. First, buying tools before completing inventory. EDR on an unknown endpoint is theatre, and unmanaged laptops are the most common gap on intake.
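The inventory-first rule above, and the tool-to-control mapping in the previous section, come down to one reconciliation: every endpoint the RMM knows (Control 1) must also appear in the EDR console (Control 10) and the MDM (Control 4), and anything the EDR sees that the RMM does not is a shadow asset. The script below is an added illustration written for this playbook; it is not Fusion Computing's tooling and not any vendor's API. The three inventories are constructed sample exports shaped like CSV downloads from an RMM, an EDR console and an MDM, and the column names (hostname, last_seen, agent_version, device_name, compliance) are assumptions, not a real vendor schema. The EDR coverage percentage it computes is the figure the renewal questionnaire asks for.

```python
"""Reconcile asset inventory (CIS Control 1) against EDR (Control 10) and
MDM (Control 4) exports to find the gaps that make EDR "theatre".

Added illustration for the CIS v8.1 playbook; not Fusion Computing's tooling.
The three exports below are constructed sample data; column names are
assumptions, not any RMM/EDR/MDM vendor's actual schema.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample exports (no real device data).
RMM_EXPORT = """hostname,last_seen,os
FIN-LT-01,2026-03-02,Windows 11
FIN-LT-02,2026-01-10,Windows 11
OPS-DT-07,2026-03-03,Windows 10
ops-dt-08.corp.local,2026-03-03,Windows 11
"""

EDR_EXPORT = """hostname,agent_version,last_checkin
FIN-LT-01.corp.local,24.1.3,2026-03-03
OPS-DT-07,24.1.3,2026-03-03
SALES-LT-11,23.4.0,2026-03-01
"""

MDM_EXPORT = """device_name,compliance
FIN-LT-01,compliant
FIN-LT-02,noncompliant
OPS-DT-08,compliant
"""

REPORT_DATE = date(2026, 3, 4)   # constructed "today" for the sample
STALE_AFTER = timedelta(days=30)  # inventory entries not seen in 30 days are stale


def normalise(name: str) -> str:
    """Exports disagree on case and FQDN vs short name; compare on upper-cased short name."""
    return name.strip().split(".")[0].upper()


def read_hosts(export: str, column: str) -> dict[str, dict[str, str]]:
    rows = csv.DictReader(io.StringIO(export))
    return {normalise(r[column]): r for r in rows}


@dataclass
class GapReport:
    no_edr: list[str] = field(default_factory=list)          # Control 10 gap
    unknown_to_rmm: list[str] = field(default_factory=list)  # Control 1 gap (shadow asset)
    not_mdm_managed: list[str] = field(default_factory=list) # Control 4 gap
    stale: list[str] = field(default_factory=list)           # retire or recover before chasing agents


def reconcile(rmm: str, edr: str, mdm: str, today: date) -> GapReport:
    inventory = read_hosts(rmm, "hostname")
    edr_hosts = read_hosts(edr, "hostname")
    mdm_hosts = read_hosts(mdm, "device_name")
    report = GapReport()
    for host, row in sorted(inventory.items()):
        last_seen = date.fromisoformat(row["last_seen"])
        if today - last_seen > STALE_AFTER:
            report.stale.append(host)
            continue  # a box nobody has seen in a month is an inventory problem, not an EDR problem
        if host not in edr_hosts:
            report.no_edr.append(host)
        if host not in mdm_hosts:
            report.not_mdm_managed.append(host)
    # Endpoints the EDR console knows but the inventory does not: Control 1 is incomplete.
    report.unknown_to_rmm = sorted(set(edr_hosts) - set(inventory))
    return report


def coverage_percent(rmm: str, edr: str, today: date) -> float:
    """Share of active inventoried endpoints with an EDR agent (the insurer's question)."""
    inventory = read_hosts(rmm, "hostname")
    edr_hosts = read_hosts(edr, "hostname")
    active = [h for h, r in inventory.items()
              if today - date.fromisoformat(r["last_seen"]) <= STALE_AFTER]
    if not active:
        return 0.0
    covered = sum(1 for h in active if h in edr_hosts)
    return round(100.0 * covered / len(active), 1)


if __name__ == "__main__":
    print(reconcile(RMM_EXPORT, EDR_EXPORT, MDM_EXPORT, REPORT_DATE))
    print(f"EDR coverage of active endpoints: "
          f"{coverage_percent(RMM_EXPORT, EDR_EXPORT, REPORT_DATE)}%")
```

On the sample data the report lists one active endpoint with no EDR agent, one endpoint outside MDM, one stale inventory entry, and one host the EDR sees that the RMM never inventoried. Stale entries are deliberately excluded from the coverage denominator: counting them as "unprotected" inflates the gap, counting them as "protected" hides it, and either way the right action is to retire or recover the device first.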

Second, treating Control 8 (logging) as IG1 work. IG1 only requires basic log collection. Trying to centralize SIEM-grade logging without the IG2 staffing model produces noise that nobody reads. Defer Control 8 depth until Phase 2 of the program.

Third, skipping the tabletop. Control 17 is not a document; it is an exercise. A written incident response plan that has never been walked through with leadership is worse than no plan because it produces false confidence at the worst possible moment. Run the tabletop annually and after every meaningful staffing change.


Frequently asked questions

Is CIS Controls v8.1 free to use?

Yes. The Center for Internet Security publishes CIS Controls v8.1 free under a Creative Commons license. The download includes the controls, safeguards, IG mappings, and the CIS Controls Self Assessment Tool. Operational cost (tooling, MSP, staff) is separate.

How is CIS v8.1 different from CIS v8?

v8.1 (2024) is a refinement of v8 (2021), not a rewrite. The 18 controls and IG structure are unchanged. v8.1 adds NIST CSF 2.0 mappings, refines governance language, and clarifies several IG1 safeguards. SMBs already on v8 do not re-implement; they refresh mapping documents.

Does CIS v8.1 satisfy PIPEDA?

CIS IG1 satisfies the technical and procedural safeguard portion of PIPEDA when paired with a written privacy policy and breach response procedure. PIPEDA also requires consent management and accountability practices that sit outside CIS scope.

How long does an IG1 deployment take?

Typical IG1 deployments for Canadian SMBs run 90 to 120 days when delivered by an experienced MSP. Faster timelines are possible when asset and identity inventory is already clean. Slower timelines occur when legacy infrastructure requires migration before safeguards can attach.

Do I need a vCISO if I implement CIS IG1?

For most SMBs under 150 users running IG1, a vCISO is optional and useful for board reporting, insurance renewal narratives, and annual risk register reviews. IG2 makes a vCISO functionally required because of the audit, incident response, and penetration testing programs in scope.

Can my existing MSP run CIS v8.1?

Some can; many cannot. The right diagnostic is whether they can show a redacted CIS Controls Self Assessment Tool output for one of their clients, the safeguards they own versus the safeguards the client owns, and the cadence at which they re-score posture. If those three artifacts do not exist, the program is not running.
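The third artifact above, a re-scoring cadence, and the cumulative IG scoping described earlier in the article (IG2 contains every IG1 safeguard, IG3 contains everything) are easy to automate once the self-assessment is data rather than a document. The script below is an added illustration written for this playbook; it is not the CIS Controls Self Assessment Tool and not Fusion Computing's scoring method. It scores a constructed sample of safeguard rows, not the full 153 safeguards, and the IG tags on those rows are as recalled from the CIS v8.1 numbering and should be checked against the official download. The status weights (implemented 1.0, partial 0.5, not implemented 0.0) and the two assessment rounds are assumptions constructed for the example.

```python
"""Score CIS v8.1 posture per Implementation Group from self-assessment
status data, and diff two scoring rounds so re-scoring produces evidence.

Added illustration for the CIS v8.1 playbook; not CIS's Self Assessment Tool
and not Fusion Computing's scoring. The safeguard rows are a small constructed
sample (IG tags as recalled from CIS v8.1; verify against the official list).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed status weights for a maturity-style self-assessment.
STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}


@dataclass(frozen=True)
class Safeguard:
    sid: str      # safeguard id, e.g. "6.5"
    title: str
    min_ig: int   # lowest Implementation Group that requires it (1, 2 or 3)

    @property
    def control(self) -> int:
        return int(self.sid.split(".")[0])


# Constructed sample, not the full 153 safeguards.
SAFEGUARDS = [
    Safeguard("1.1", "Detailed enterprise asset inventory", 1),
    Safeguard("1.2", "Address unauthorized assets", 1),
    Safeguard("5.1", "Inventory of accounts", 1),
    Safeguard("6.3", "MFA for externally-exposed applications", 1),
    Safeguard("6.5", "MFA for administrative access", 1),
    Safeguard("8.2", "Collect audit logs", 1),
    Safeguard("8.9", "Centralize audit logs", 2),
    Safeguard("10.1", "Deploy and maintain anti-malware software", 1),
    Safeguard("11.2", "Perform automated backups", 1),
    Safeguard("11.4", "Isolated instance of recovery data", 1),
    Safeguard("13.1", "Centralize security event alerting", 2),
    Safeguard("17.3", "Enterprise process for reporting incidents", 1),
    Safeguard("18.1", "Penetration testing program", 2),
]

# Two constructed assessment rounds: intake, then after Phase 2 (identity hardening).
ROUND_INTAKE = {
    "1.1": "partial", "1.2": "not_implemented", "5.1": "partial",
    "6.3": "not_implemented", "6.5": "partial", "8.2": "implemented",
    "8.9": "not_implemented", "10.1": "implemented", "11.2": "implemented",
    "11.4": "not_implemented", "13.1": "not_implemented",
    "17.3": "not_implemented", "18.1": "not_implemented",
}
ROUND_AFTER_PHASE2 = dict(ROUND_INTAKE, **{
    "1.1": "implemented", "1.2": "implemented", "5.1": "implemented",
    "6.3": "implemented", "6.5": "implemented",
})


def _weight(statuses: dict[str, str], sid: str) -> float:
    # A safeguard missing from the export counts as not implemented, never as unknown.
    return STATUS_WEIGHT[statuses.get(sid, "not_implemented")]


def score_by_ig(statuses: dict[str, str], ig: int) -> float:
    """Percent coverage of every safeguard in scope for the IG (scope is cumulative)."""
    in_scope = [s for s in SAFEGUARDS if s.min_ig <= ig]
    if not in_scope:
        return 0.0
    earned = sum(_weight(statuses, s.sid) for s in in_scope)
    return round(100.0 * earned / len(in_scope), 1)


def score_by_control(statuses: dict[str, str], ig: int = 1) -> dict[int, float]:
    """Per-control coverage within the IG scope: the row-level view an underwriter reads."""
    earned: dict[int, float] = defaultdict(float)
    count: dict[int, int] = defaultdict(int)
    for s in SAFEGUARDS:
        if s.min_ig > ig:
            continue
        earned[s.control] += _weight(statuses, s.sid)
        count[s.control] += 1
    return {c: round(100.0 * earned[c] / count[c], 1) for c in sorted(count)}


def ig1_gaps(statuses: dict[str, str]) -> list[str]:
    """IG1 safeguards not fully implemented, in numeric safeguard order."""
    gaps = [s.sid for s in SAFEGUARDS if s.min_ig == 1 and statuses.get(s.sid) != "implemented"]
    return sorted(gaps, key=lambda sid: tuple(int(p) for p in sid.split(".")))


def regressions(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """Safeguards whose status got worse between rounds; a healthy program returns []."""
    return sorted(sid for sid in before if _weight(after, sid) < _weight(before, sid))


if __name__ == "__main__":
    for label, rnd in (("intake", ROUND_INTAKE), ("after phase 2", ROUND_AFTER_PHASE2)):
        print(f"{label}: IG1 {score_by_ig(rnd, 1)}%  IG2 {score_by_ig(rnd, 2)}%  "
              f"IG1 gaps {ig1_gaps(rnd)}")
    print("regressions:", regressions(ROUND_INTAKE, ROUND_AFTER_PHASE2))
```

Two design points matter when this is used as evidence. First, a safeguard missing from the export scores zero rather than being skipped, so an incomplete assessment cannot inflate the score. Second, the regression list is the check an MSP owner should run at every re-score: coverage going up overall while a Control 10 or Control 11 safeguard slips from implemented to partial is exactly the drift that a single percentage hides.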

How does CIS v8.1 map to NIST CSF 2.0?

The Center for Internet Security publishes a free CIS-to-NIST CSF 2.0 mapping spreadsheet. Every CIS safeguard maps to one or more CSF Functions and Categories. SMBs report up to leadership using CSF language and operate the program using CIS safeguards.

What about CIS Benchmarks vs CIS Controls?

Different artifacts, same publisher. CIS Controls v8.1 are the framework (what to do). CIS Benchmarks are configuration baselines for specific products (how to harden Windows Server, M365, Cisco IOS). A CIS-aligned program uses both: Controls as the program, Benchmarks as the configuration standard for Control 4.

Does Bill C-8 require CIS Controls?

Bill C-8 does not name a specific framework. It would obligate designated operators to maintain a cyber security program, report incidents, and follow ministerial directions. CIS IG1 or IG2, mapped to NIST CSF 2.0, satisfies the program requirement for most in-scope SMB suppliers.

Will my cyber insurer accept CIS v8.1 as evidence?

Canadian carriers do not certify against CIS, but they accept CIS posture documentation as supporting evidence on renewal questionnaires. The strongest renewal package is a CIS Self Assessment export, current asset inventory, MFA coverage report, EDR coverage report, and the most recent tabletop after-action report.
