You can now access the CIS18 framework in .legal. Just as you may have worked with ISO27001, NIS2, AI Act or other frameworks in the platform, we've added a standard mapping of CIS18.
CIS18 is an international cybersecurity framework developed by the Center for Internet Security. It consists of 18 concrete security controls that help organisations protect themselves against the most common cyber threats. The controls cover everything from basic tasks like managing hardware and software inventory to more advanced measures such as protecting sensitive data, handling security incidents and conducting penetration tests.
The framework builds on best practices from cybersecurity experts and is continuously updated to address emerging threats. CIS18 gives organisations a structured approach to prioritising their security work and reducing the risk of cyber attacks.
You've long had the option to use ISO27001 as your IT security standard in the .legal platform. But many organisations prefer working with the CIS framework instead – or in combination. On a technical level, CIS18 goes deeper regarding tasks and controls, making it natural to also support it in .legal.
We've added CIS18 directly to the Framework module and mapped it to both existing and new tasks in the .legal task catalogue. This means if you're already working with other frameworks in the platform, you can log in today and see your progress on CIS18. You can also plan it from scratch if you haven't yet worked with Frameworks in .legal.
We've mapped the 18 CIS18 controls as categories and created the specific safeguards under each category. Safeguards have been mapped to .legal tasks, which function as documentation for the individual safeguards and thereby for the controls.
The structure and logic are the same as you already know from Frameworks, but with the CIS18 framework as content.
We've also extended our framework functionality to support some CIS18-specific technical requirements. This includes mapping each Safeguard to its respective implementation group (IG1, IG2 and IG3).
Additionally, you can now add tags to a control in Frameworks, which can be used to register the Security Function on each Safeguard.
Finally, we've expanded our assessment so you can now evaluate a task on a 1-5 scale, and this evaluation contributes to calculating an overall assessment for a control (safeguard).
This way you can work more comprehensively with the implementation and operation of CIS18 in your organisation.
As with all other Frameworks, you can work with group management on your CIS18 Framework. In connection with the implementation, we've also made it easier for you to plan your framework across different group companies – so your overall framework reflects your group structure.
For example, there might be different implementation groups for different countries. You might want .legal DK to only have implementation group 1 controls, but .legal UK should have both implementation groups 1 and 2. This has now become much easier to administer in the planning.
CIS18 is already available in .legal. This requires access to our Frameworks and Information & Cybersecurity plans. From there you can begin your work with the controls. You can use CIS18 as your IT and cybersecurity foundation and see how it benefits your work with NIS2, ISO27001, an ISAE3402 declaration or something else entirely.
Feedback and comments are always welcome – contact our support team, they look forward to hearing from you.