How are people practically scoping and tracking CIS18 controls across environments?

Hey all,

I'm looking for input/ideas on how you tend to scope/track CIS18 controls (or really any security framework) across multiple environments. For example, we have many different environments with varying controls based on data classification. Cloud environments typically provide "out of the box" security features that other on-premise environments do not. As an example:

* AWS (non prod)
* AWS (prod)
* GCP (non prod)
* GCP (prod)
* On-premise (mostly enterprise software)

When performing a self-assessment for CIS18 …

controls cybersecurity people scoping tracking