The Ultimate Guide to CIS Critical Security Controls®

Mitigate the Most Common Forms of Cyber Attacks with CIS Critical Security Controls®

Cyber attack schemes can change quickly, but the most common and effective forms of cyber attacks against an enterprise’s systems and networks haven’t changed all that much in the last few years.

The CIS Critical Security Controls (CIS Controls) are a prescriptive, prioritized, and simplified set of critical security controls and cybersecurity best practices developed by a community of cybersecurity experts that can help support compliance in a multi-framework era. They are leveraged by enterprises around the world to provide specific guidance and a clear pathway to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.

Implementing all 18 CIS Controls is the definition of an effective cybersecurity program, and effectively implementing Implementation Group 1 (IG1) of the CIS Controls represents essential cyber hygiene for any enterprise. The CIS Controls can serve as a solid security baseline to help you in your compliance journey.


How are organizations implementing the CIS Controls?

1. Speed up Compliance to Other Frameworks Such as SOC 2

Security-conscious enterprises have used the CIS Controls to achieve SOC 2 compliance more rapidly. To pass a SOC 2 audit, enterprises need to use a set of best-practice controls to keep up with the evolving threat landscape and provide evidence to the auditor showing that they have been maintaining an effective cybersecurity program over time.

The CIS Controls are a great resource for identifying which security actions an enterprise should prioritize and implement. While other frameworks state requirements at a very general level, the CIS Controls go further, showing enterprises how they can immediately improve their security posture.

Meanwhile, enterprises have developed policies for system hardening and workstation security using the CIS Benchmarks™ – consensus-developed secure configuration guidelines for hardening operating systems, servers, cloud environments, and more. The CIS Benchmarks include more than 100 configuration guidelines across 25+ vendor product families.

Based on case studies published by CIS, IT security auditors have chosen to use the CIS Controls as their security audit criteria. Specifically, auditors want to understand the process auditee enterprises use to tailor the CIS best practices to their own environments, and to see evidence that their systems conform to the standards.

A compliance professional whose enterprise uses CIS Benchmarks and CIS Controls can show their auditor how they’ve aligned their security actions to CIS Controls and provide evidence that these controls were implemented, tested, and shown to be effective. These artifacts would satisfy the auditor.

From an audit report, an auditee enterprise can see how they align with leading practices and determine what else they can do to become more aligned with the CIS Controls. Using these evaluations, the auditee can do their own risk assessment and determine the level they’d like to achieve based on their enterprise’s size and resources.

2. Use CIS Controls to Measure Your Organization’s Security Posture and Identify Improvement Areas

Even if you’re not using CIS Controls to adhere to a regulatory or legal standard, you can use CIS Controls to see how your current security program maps to best practices and identify gaps and remediation areas to prioritize. What’s particularly nice about CIS Controls is that the controls are divided into three Implementation Groups (IGs): IG1, IG2, and IG3. These groups support a pragmatic approach based on an enterprise’s resource constraints and the sensitivity of the data they are responsible for protecting. The IGs build upon each other so enterprises can mature and improve their cyber hygiene with each.

For smaller enterprises with limited resources and cybersecurity expertise available to implement security controls, they can start improving their cyber hygiene by first focusing on controls within Implementation Group 1.

[Figure: CIS Controls Implementation Group (IG) levels. Source: CIS]

After implementing the essential controls in IG1, you will already have made progress in improving your enterprise’s cyber hygiene. You can then tailor more advanced actions for your enterprise as needed by extending to IG2 and IG3.

What are the CIS Controls?

[Figure: PCI Data Security Standards – high-level overview. Source: PCI Security Standards Council]

CIS Control 1 – Inventory and Control of Enterprise Assets

Catalog all “enterprise assets” attached to your enterprise (physically and virtually) in order to have a complete understanding of what needs monitoring and to identify potentially harmful unauthorized or unmanaged devices.

CIS Control 2 – Inventory and Control of Software Assets

Track all software on your network to prevent the installation of software that hasn’t been reviewed or authorized by your enterprise.
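Controls 1 and 2 both come down to the same check: compare what discovery actually observes on the network against the inventory the enterprise has authorized, and treat any difference as a finding. The script below is an added example of that reconciliation and is not code from CIS or from Hyperproof. The inventories, the discovery results, the MAC addresses and the package names are all constructed sample data, and the field names (`mac`, `managed`, `software`) are assumptions about how such data might be recorded.

```python
"""Reconcile discovered devices and software against authorized inventories.

Added example for CIS Controls 1 (enterprise assets) and 2 (software assets).
All data below is constructed sample data; field names are assumptions.
"""

# Constructed sample: the authorized enterprise asset inventory (Control 1),
# keyed by MAC address. "managed" means the device is under endpoint management.
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fs01", "owner": "it-ops", "managed": True},
    "aa:bb:cc:00:00:02": {"hostname": "lt-alice", "owner": "alice", "managed": True},
    "aa:bb:cc:00:00:03": {"hostname": "printer-2f", "owner": "facilities", "managed": False},
    "aa:bb:cc:00:00:04": {"hostname": "lt-bob", "owner": "bob", "managed": True},
}

# Constructed sample: the authorized software list (Control 2) with approved versions.
AUTHORIZED_SOFTWARE = {
    "openssh-server": {"9.6p1", "9.7p1"},
    "nginx": {"1.26.0"},
}

# Constructed sample: what an active scan, DHCP log or endpoint agent reported.
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.0.5",
     "software": {"openssh-server": "9.7p1", "nginx": "1.26.0"}},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.23",
     "software": {"openssh-server": "9.6p1", "screen-share-tool": "0.1"}},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.0.40", "software": {}},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.0.77", "software": {"nginx": "1.18.0"}},
]


def reconcile_assets(discovered, authorized):
    """Return (unauthorized, unmanaged, missing) as sorted lists of MAC addresses.

    unauthorized: observed on the network but absent from the inventory.
    unmanaged:    in the inventory but flagged as not under management.
    missing:      in the inventory but not observed, i.e. the inventory is stale.
    """
    seen = {d["mac"].lower() for d in discovered}  # normalise case before comparing
    unauthorized = sorted(m for m in seen if m not in authorized)
    unmanaged = sorted(m for m in seen if m in authorized and not authorized[m]["managed"])
    missing = sorted(m for m in authorized if m not in seen)
    return unauthorized, unmanaged, missing


def reconcile_software(discovered, authorized_assets, authorized_sw):
    """Return (hostname, package, version, reason) findings for authorized hosts.

    Software on an unauthorized host is not reviewed here: the host itself is
    already a Control 1 finding and should be handled first.
    """
    findings = []
    for d in discovered:
        mac = d["mac"].lower()
        if mac not in authorized_assets:
            continue
        host = authorized_assets[mac]["hostname"]
        for name, version in sorted(d["software"].items()):
            if name not in authorized_sw:
                findings.append((host, name, version, "not on authorized software list"))
            elif version not in authorized_sw[name]:
                findings.append((host, name, version, "unapproved version"))
    return findings


if __name__ == "__main__":
    unauthorized, unmanaged, missing = reconcile_assets(DISCOVERED, AUTHORIZED_ASSETS)
    print("Unauthorized devices:", unauthorized)
    print("Unmanaged devices:   ", unmanaged)
    print("Not observed (stale):", missing)
    for host, name, version, reason in reconcile_software(
            DISCOVERED, AUTHORIZED_ASSETS, AUTHORIZED_SOFTWARE):
        print(f"{host}: {name} {version} ({reason})")
```

On the sample data the run flags one device that is not in the inventory at all, one authorized but unmanaged device, one inventoried device that discovery did not see, and one unapproved package on a managed laptop. The third category is easy to forget: an inventory that lists devices nobody can find is as much a Control 1 gap as a device nobody listed.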

CIS Control 3 – Data Protection

Securely manage and monitor data by creating detailed data protection processes and controls.

CIS Control 4 – Secure Configuration of Enterprise Assets and Software

Develop comprehensive processes to ensure that your enterprise’s assets and software are configured securely.

CIS Control 5 – Account Management

Track user credentials for all accounts. Whether an account is tied to confidential data or is purely administrative, no account should be discounted or overlooked as a potential security risk.

CIS Control 6 – Access Control Management

Create detailed processes to track and manage who has credentials or access to what assets and software — the process of revoking user access should be just as carefully monitored as assigning access.

CIS Control 7 – Continuous Vulnerability Management

Build processes that regularly track and monitor vulnerabilities in order to identify potential risks and better prevent security incidents.

CIS Control 8 – Audit Log Management

Create an audit log where your team can track and manage events tied to security incidents. This log can be used to understand why incidents occur and as a means to help prevent future attacks.

CIS Control 9 – Email and Web Browser Protections

Identify potential email and web browser threats, then develop new protections or improve existing protections against those threats.

CIS Control 10 – Malware Defenses

Build processes focused on defending against the installation or spread of malware on your enterprise’s physical and virtual assets.

CIS Control 11 – Data Recovery

Develop robust practices to ensure that your enterprise’s assets can recover from, and potentially be restored after, any security incidents.

CIS Control 12 – Network Infrastructure Management

Protect vulnerable network services and access points by carefully tracking and monitoring your enterprise’s devices (physical and virtual).

CIS Control 13 – Network Monitoring and Defense

Utilize tools and processes to monitor and defend against potential security threats to your network.

CIS Control 14 – Security Awareness and Skills Training

Increase employee knowledge and awareness of potential security issues via a security awareness program that includes regular cross-departmental training sessions.

CIS Control 15 – Service Provider Management

Thoroughly evaluate service providers who have access to your enterprise’s sensitive data to ensure that they are managing data securely and appropriately.

CIS Control 16 – Application Software Security

Assess software that is developed, housed, or acquired by your company for security weaknesses, then protect and monitor those weaknesses to prevent potential incidents.

CIS Control 17 – Incident Response Management

Create a detailed incident response plan that will detect and analyze security incidents when they occur and then trigger the appropriate actions needed to mitigate such incidents.

CIS Control 18 – Penetration Testing

Identify and test weaknesses of enterprise assets in order to better understand how effective your controls are.

“Enterprise assets” is defined by CIS as: “end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers.”

Mapping Between CIS Controls and Other Frameworks

On the CIS website you can see how the CIS Controls map to a variety of other legal, regulatory, and policy frameworks, including:

  • AICPA Trust Services Criteria (SOC2)
  • Azure Security Benchmark
  • CMMC Cybersecurity Maturity Model Certification v1.0
  • Criminal Justice Information Services
  • CSA CCM Cloud Security Alliance Cloud Control Matrix
  • Cyber Essentials v2.2
  • GSMA FS.31 Baseline Security Controls
  • ISACA COBIT 19
  • HIPAA Health Insurance Portability and Accountability Act of 1996
  • NIST Special Publication 800-53 Rev.5 (Moderate and Low Baselines)
  • ISO/IEC 27002:2002
  • NERC-CIP
  • NIST CSF
  • NIST Special Publication 800-171 Rev.2
  • PCI Payment Card Industry
  • MITRE Enterprise ATT&CK v8.2

The CIS Critical Security Controls®: Frequently Asked Questions

The CIS Controls® are organized into 18 top-level Controls that represent overarching measures that help strengthen an organization’s cybersecurity posture.

1. Inventory and Control of Enterprise Assets

Catalog all “enterprise assets” attached to your enterprise (physically and virtually) to have a complete understanding of what needs to be monitored and to identify potentially harmful unauthorized or unmanaged devices.

2. Inventory and Control of Software Assets

Track all software versions in use on your network to prevent others from installing software that hasn’t been reviewed, licensed, or authorized by your enterprise.

3. Data Protection

Securely manage and monitor data by creating detailed data protection processes and controls, including controls like encryption and data loss prevention.

4. Secure Configuration of Enterprise Assets and Software

Develop comprehensive processes to ensure that your enterprise’s assets and software are configured securely.

5. Account Management

Track user credentials for all accounts. Whether an account is tied to confidential data or is purely administrative, no account should be discounted or overlooked as a potential security risk. Manage accounts through principles like least privilege and separation of duties.

6. Access Control Management

Create detailed processes to track and manage who has credentials or access to what assets and software — the process of revoking user access should be just as carefully monitored as assigning access. Implement and manage policies for user access rights, including role-based controls and multi-factor authentication.

7. Continuous Vulnerability Management

Build processes that regularly track and monitor vulnerabilities in order to identify potential risks and better prevent security incidents.

8. Audit Log Management

Create an audit log where your team can analyze, track, and manage events tied to security incidents. This log can be used to understand why incidents occur and as a means to help prevent future attacks.

9. Email and Web Browser Protections

Identify potential email and web browser threats, then develop new protections or improve existing protections against those threats.

10. Malware Defenses

Build processes focused on defending against the installation or spread of malware on your enterprise’s physical and virtual assets.

11. Data Recovery

Develop and test robust practices to ensure that your enterprise’s assets can recover from, and potentially be restored after, any security incidents.

12. Network Infrastructure Management

Protect vulnerable network services and access points by carefully tracking and monitoring your enterprise’s devices (physical and virtual).

13. Network Monitoring and Defense

Utilize tools and processes to monitor and defend against potential security threats to your network.

14. Security Awareness and Skills Training

Increase employee knowledge and awareness of potential security issues via a security awareness program that includes regular cross-departmental training sessions.

15. Service Provider Management

Thoroughly evaluate service providers who have access to your enterprise’s sensitive data to ensure that they are managing data securely and appropriately.

16. Application Software Security

Assess software that is developed, housed, or acquired by your company for security weaknesses, then protect and monitor those weaknesses to prevent potential incidents. Implement controls like secure coding processes, regular code reviews, and static and dynamic code analysis tools.

17. Incident Response Management

Create a detailed incident response plan that will detect and analyze security incidents when they occur and then trigger the appropriate actions needed to mitigate such incidents.

18. Penetration Testing

Identify and test weaknesses of enterprise assets in order to better understand how effective your controls are.

The CIS (Center for Internet Security) Critical Security Controls® are updated through a collaborative and iterative process that involves various stakeholders, including cybersecurity professionals, industry experts, and government representatives. The process typically includes the following steps:

  1. Feedback collection: CIS continuously collects feedback from its community of users, which includes feedback from surveys, workshops, and direct communication with CIS members.
  2. Review and analysis: A dedicated team reviews the feedback and assesses current cyber threat landscapes, emerging trends, and the effectiveness of existing controls.
  3. Drafting updates: Based on the review, CIS drafts updates to the CIS Controls®. This may include introducing new controls, modifying existing ones, or removing obsolete controls.
  4. Community involvement: Draft updates are shared with the broader cybersecurity community for review and comment. This ensures that a wide range of perspectives and expertise are considered.
  5. Finalization and publication: After incorporating community feedback, the updated controls are finalized and published. CIS also provides guidance documents and implementation resources to help organizations adopt the updated controls.


The CIS Critical Security Controls® offer numerous benefits to organizations, including:

  • Comprehensive coverage: They cover a broad range of security measures, addressing multiple aspects of cybersecurity.
  • Prioritization: The CIS Controls® are prioritized based on their effectiveness in mitigating common and severe cyber threats, helping organizations focus their resources on the most effective and impactful actions.
  • Ease of implementation: The CIS Controls® are designed to be actionable and practical, with detailed guidance and best practices to aid implementation.
  • Scalability: They are suitable for organizations of all sizes and industries, providing a flexible framework that can be tailored to specific needs.
  • Alignment with standards: The mapping to other frameworks and standards helps organizations maintain compliance with regulatory and industry requirements.
  • Continuous improvement: Regular updates ensure that the CIS Controls® evolve with the changing threat landscape, keeping organizations’ defenses current and effective.

The CIS Critical Security Controls® are used by a wide range of organizations, including:

Private sector

Businesses of all sizes and across various industries use the CIS Controls® to strengthen their cybersecurity posture.

Public sector

Government agencies and entities adopt the CIS Controls® to protect public information and critical infrastructure.

Healthcare

Healthcare organizations use the CIS Controls® to safeguard sensitive patient data and comply with regulations like HIPAA.

Financial services

Financial institutions implement the CIS Controls® to secure financial data and transactions, meeting regulatory requirements like PCI DSS.

Education

Educational institutions apply the CIS Controls® to protect academic records and research data.

Nonprofits

Nonprofit organizations use the CIS Controls® to secure donor information and operational data.

Organizations typically adopt the CIS Controls® by identifying their appropriate Implementation Group (IG). There are three IGs, which categorize organizations based on their risk profile, size, and resources. Each IG identifies a set of Safeguards that businesses should implement based on their business maturity and needs.

To get started, your organization should conduct a self-assessment based on your risk profile and business maturity to see which of the IGs you fall into. From there, you can get started with implementing the suggested Safeguards in a prioritized order.


The NIST Cybersecurity Framework (NIST CSF) and the CIS Critical Security Controls® are related in that they both aim to improve cybersecurity practices, but they serve different purposes and offer complementary guidance.

NIST CSF provides a high-level, strategic view of an organization’s cybersecurity risks and measures. It is organized into six core functions (Govern, Identify, Protect, Detect, Respond, and Recover) and provides a risk management approach.

The CIS Controls® provide detailed, specific actions that organizations can take to implement effective cybersecurity practices. They are more granular and tactical compared to the strategic nature of the NIST CSF.

Organizations often use the NIST CSF to define their overall cybersecurity strategy and then apply the CIS Controls® to operationalize that strategy with concrete next steps.

The cost of implementing the CIS Critical Security Controls® varies widely by organization based on several factors, such as the organization’s size, current security posture, available resources, and the scope of the implementation.

Costs can include investments in technology, training, process improvements, and ongoing maintenance. Organizations can perform a cost-benefit analysis to prioritize the most impactful controls within their budget.

The CIS Controls® Assessment Tool is a resource provided by CIS to help organizations track and prioritize implementation of the CIS Controls®. It includes:

  • Self-assessment checklist: A comprehensive checklist that organizations can use to assess their compliance with each CIS control.
  • Scoring system: A scoring mechanism to rate the level of implementation and identify gaps.
  • Improvement plans: Guidance on creating action plans to address identified gaps and enhance overall security posture.
  • Benchmarking: The ability to benchmark against industry standards and peers to understand relative performance.

This tool helps organizations systematically evaluate their cybersecurity practices, identify areas for improvement, and track progress over time.

Several tools and resources are available to help organizations implement CIS security controls, such as:

Compliance management software: Tools like Hyperproof can help organizations manage their compliance with CIS controls, offering automated evidence collection, risk assessments, and continuous monitoring.


Hyperproof for Critical Security Controls® Compliance

Hyperproof’s powerful compliance operations platform is designed to help you maintain security controls and continuous compliance in the most efficient way possible.

CIS Controls

Reference CIS Controls and Tailor Them for Your Security Program

Enterprises large and small, from a variety of industries, have incorporated the CIS Controls into their environment to support a solid security posture, but many firms also need to implement controls recommended by other cybersecurity guidelines (e.g. NIST SP 800-53, NIST CSF, Cloud Security Alliance’s Cloud Controls Matrix) for a host of reasons.

In Hyperproof, it’s easy to reference the CIS Controls and a host of other data protection control frameworks and add them to your control environment. By creating a single source of controls – or a common controls framework – within your enterprise, you’ll gain better visibility into your compliance posture, catch issues sooner, and improve the operational efficiency of your compliance program.

Implement the CIS Controls to Meet Multiple Compliance Requirements

Use Hyperproof to cut down on the time it takes to comply with new regulatory regimes and standards. Hyperproof comes with the CIS Controls (including IG1, IG2, and IG3) out-of-the box, making it easy to implement the CIS Controls in your environment.

Hyperproof speeds up the mapping of the CIS Controls to various frameworks, standards, and regulatory regimes (e.g., PCI, SOC 2, or HIPAA and more). Once a control is mapped to multiple compliance requirements, you’ll be able to collect evidence once and use that evidence to satisfy multiple auditors’ requests.

Continuously Monitor Your Controls

While CIS provides native tools to conduct point-in-time tests of their controls, Hyperproof comes with an automation engine that enables you to set up a continuous controls monitoring system.

You can configure Hyperproof to automatically extract evidence of specific control procedures from source systems, define automated tests highlighting success or failure of each assertion, conduct tests at any frequency you need, and automate a workflow for managing the generated alarms, including communicating and investigating any failed assertion and ultimately correcting the control weakness.

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
