HOW IT WORKS

A QUICK GUIDE TO GETTING STARTED

Zothommog helps your organisation track cybersecurity compliance based on the CIS Controls v8.1 framework — and map that progress to regulatory frameworks like NIS2, DORA, and ISO 27001. No consultants, no spreadsheets. Just clear tracking of where you are and what's left.

The three main areas

CIS Controls (18 controls · 153 safeguards)

The core of the app. Each safeguard is a concrete security action — things like "maintain an asset inventory" or "enforce MFA". You set a status on each one (planned, in progress, implemented…) and the dashboard shows your overall progress. You only track the safeguards in the Implementation Group that matches your organisation: IG1 for small organisations, IG2 for medium ones, and IG3 (all 153 safeguards) for large or high-risk ones.

Global Variables (organisation facts & figures)

Numbers that describe your organisation — how many devices you have, how many staff, which software tools are in use, etc. These feed into safeguard calculations and reports. Fill them in once, update when things change.

Frameworks (NIS2 · DORA · ISO 27001 · optional)

Activate the regulatory frameworks that apply to your organisation. Each one maps your CIS Controls progress to its own requirements — for example, NIS2 articles, DORA chapters, or ISO 27001 controls. Your safeguard statuses automatically translate into a compliance score per framework, no extra data entry needed.

Recommended order

1. Fill in your Global Variables
Head to Global Variables and complete your organisation's facts. Even partial data is useful — come back and fill in the rest as you go.

2. Work through your CIS Controls
Open CIS Controls and go safeguard by safeguard. Set a status for each one. Start with IG1 — those 56 safeguards cover the most critical basics for any organisation.

3. Activate your frameworks
Head to the Frameworks page and activate the ones that apply — NIS2, DORA, ISO 27001, or any combination. Your existing CIS Controls progress is automatically mapped across — no extra work required.

4. Generate reports
Head to Reports to preview and download compliance reports for your board, management, or auditors — populated with your actual data.

Implementation Groups (IG)

Group | Who it's for
IG1 | Small organisations with limited IT resources. 56 safeguards covering essential cyber hygiene.
IG2 | Medium organisations with dedicated security staff. 130 safeguards — includes all of IG1.
IG3 | Large or high-risk organisations. All 153 safeguards — the full CIS Controls framework.

Safeguard statuses

Not Started: You haven't looked at this safeguard yet. The default for everything.
Planned: You've decided to implement this — it's on the roadmap but work hasn't started.
In Progress: Work is actively underway. You're partway there.
Implemented: The safeguard is fully in place. Counts toward your compliance score.
Monitored: Implemented and actively monitored with metrics or alerting. Also counts toward your score.
Excluded: This safeguard doesn't apply to your environment. It's excluded from your compliance percentage.

Keep it real. Compliance tracking only works if the statuses reflect reality. A safeguard marked "Implemented" that isn't actually implemented gives you a false score — and false confidence. When in doubt, mark it lower and work up from there.

Want to know exactly how each percentage is calculated? How scores work →