It would be my first time implementing the CIS Top 20 Controls in a company, and I was hoping to find the answers to some questions here.
The company is a small one based in Europe. I have to use Implementation Group 1 for a small company. By checking the CIS Controls Navigator, I've noticed that every control has sub-controls. By clicking on one of these sub-controls (for example, for Control 1), I can see different groups such as CMMC, ISO 27001, NIST 800-53, NIST 800-171, etc.
My question is: should I implement all of these frameworks (of course, only the components which are mentioned on the CIS site), and if not, why?
Also, why do the CIS Controls have so many different chunks of different frameworks, guidance, and standards? All of the frameworks overlap at some point anyway.
Bonus question: Which framework is appropriate for a Europe-based company which has US and Canadian customers?
Thank you in advance. I appreciate any piece of advice!
Have a wonderful day!