Cyber Awareness

Implementing a Cybersecurity Framework Based on CIS Controls v8: A Blueprint for New Zealand SMBs and Micro-SMBs


Joseph Morgan


04 September, 2023



Welcome, New Zealand business leaders. In the digital landscape, cybersecurity is not an option but a necessity. This guide is tailored for New Zealand-based Small and Medium-sized Businesses (SMBs) and Micro-SMBs, focusing on implementing a cybersecurity framework based on the CIS Controls v8.

Intruder gains access to secrets. Hacker hacking into the security system.

The New Zealand Context

New Zealand’s geographical isolation doesn’t shield it from cyber threats. According to CERT NZ, cyber incidents have been on the rise, affecting businesses of all sizes. Understanding the local landscape is crucial for effective cybersecurity planning.

Why Align with CIS Controls v8

The Centre for Internet Security’s Controls (CIS Controls) version 8 offers a prioritised set of actions that provide a solid foundation for cybersecurity. Aligning with CIS Controls v8 ensures that you’re adhering to a globally recognised set of best practices, tailored to be effective and actionable for businesses of all sizes.

Inventory and Control of Hardware Assets

The first step in CIS Controls v8 is to have a comprehensive inventory of your hardware assets. Knowing what devices are connected to your network is akin to knowing who has keys to your office. Use automated tools to maintain an up-to-date inventory and ensure that only authorised devices can access your network.

Inventory and Control of Software Assets

Just as you need to know your hardware, you must also have an inventory of your software assets. Unauthorised software can pose significant security risks. Implement whitelisting to ensure only approved software runs on your network, thereby reducing the attack surface.

Data Protection

Data is the lifeblood of your business. CIS Controls v8 emphasises the need for robust data protection measures. Employ encryption for data at rest and in transit. In New Zealand, where data protection laws are stringent, this is not just best practice but often a legal requirement.

Businessman collects wooden puzzles with the word Data Protection
letter of the alphabet with the word iso standard.

Secure Configuration

Secure configuration is your first line of defence. It involves hardening your systems and applications to eliminate as many security risks as possible. Utilise configuration management tools and regularly update your security settings to align with the latest best practices.

Account Management

Account management is about controlling who has access to what within your organisation. Implement strong password policies and multi-factor authentication. Regularly review and update permissions to ensure that employees have only the access they need to perform their jobs.

Vulnerability Management

Vulnerability management is an ongoing process. Regularly scan your systems for vulnerabilities and apply patches promptly. In New Zealand, CERT NZ provides timely alerts about local vulnerabilities that you should be aware of.

Audit Log Management

Audit logs are your security cameras in the digital world. They record who did what and when, providing crucial information during a security incident. CIS Controls v8 recommends centralised log management for easier monitoring and analysis.

Incident Response Plan

An incident response plan is your playbook for when things go wrong. It outlines the steps to take in the event of a security incident, including system isolation, data backup, and notifying local authorities like CERT NZ.

Four Compelling Benefits of Outsourcing Your Cybersecurity

Ongoing Management

Cybersecurity is a dynamic field. Regular audits, system monitoring, and updates are essential for maintaining a secure environment. Employ Security Information and Event Management (SIEM) systems for real-time analysis of security alerts.

Budget Considerations

Budgeting for cybersecurity is an investment in your business’s future. New Zealand’s government offers grants and funding options through agencies like Callaghan Innovation to support cybersecurity initiatives for SMBs.

Compliance and Regulations

In New Zealand, compliance with the Privacy Act 2020 is mandatory for businesses. This act outlines the responsibilities concerning personal data protection. Regular audits and employee training are key to maintaining compliance.


Adopting a cybersecurity framework based on CIS Controls is a strategic necessity for SMBs and Micro-SMBs. This globally recognized set of best practices provides a prioritised, actionable roadmap for robust cybersecurity. It covers essential domains from asset management to incident response, enabling businesses to mitigate risks, comply with regulations, and maintain customer trust. In a landscape of escalating cyber threats, aligning with CIS Controls is not just advisable; it’s imperative for safeguarding your digital assets and organisational reputation.


Aligning with CIS Controls v8 is a strategic move for New Zealand SMBs and Micro-SMBs. This guide provides a comprehensive roadmap designed to navigate you through the intricate landscape of cybersecurity, specific to the New Zealand context.