CIS Critical Security Controls
Overview
The CIS Critical Security Controls (CIS Controls), maintained by the Center for Internet Security (CIS), are a prioritized set of 18 cybersecurity actions. Earlier versions (the SANS/CIS "Top 20", through v7.1) had 20 controls; version 8, released in 2021, consolidated them to 18 and reorganized them by activity rather than by who manages a device, to account for cloud services, remote work, and mobile endpoints. They provide a concrete, actionable set of best practices that organizations can implement to protect against the most common cyber attacks.
Unlike broader frameworks like ISO 27001 or NIST CSF, CIS Controls are implementation-focused — they tell you exactly what to do, not just what to think about.
CIS Controls v8 Structure
Version 8 defines 18 Controls. Each Control is broken into Safeguards (called sub-controls in v7), 153 in total. Implementation Groups (IGs) do not partition the Controls; they tier the Safeguards within every Control by the resources and risk profile of the enterprise:
- IG1 (essential cyber hygiene, 56 Safeguards): the minimum every enterprise should implement, typically small organizations with limited IT and security expertise and low-sensitivity data
- IG2 (IG1 plus 74 Safeguards, 130 total): enterprises with dedicated IT and security staff, handling more sensitive data and subject to regulatory obligations
- IG3 (IG2 plus the remaining 23 Safeguards, all 153): enterprises facing sophisticated, targeted attacks, where a breach would cause significant harm
Because the tiering happens at the Safeguard level, an IG1 organization still implements parts of most of the 18 Controls; only a few Controls (for example 16 Application Software Security and 18 Penetration Testing) have no IG1 Safeguards at all.
| # | Control | Description |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Actively manage all enterprise assets (end-user devices, network devices, IoT, servers) so only authorized devices get access |
| 2 | Inventory and Control of Software Assets | Track authorized software; allowlist it and remove or block unauthorized software |
| 3 | Data Protection | Classify, handle, encrypt, retain, and securely dispose of data |
| 4 | Secure Configuration of Enterprise Assets and Software | Establish and maintain hardened configurations for devices and software |
| 5 | Account Management | Manage the lifecycle of user, administrator, and service accounts, including deprovisioning |
| 6 | Access Control Management | Grant, review, and revoke access on a least-privilege basis; require MFA |
| 7 | Continuous Vulnerability Management | Regularly scan for, prioritize, and remediate vulnerabilities and missing patches |
| 8 | Audit Log Management | Collect, centralize, retain, and review audit logs |
| 9 | Email and Web Browser Protections | Anti-phishing, email and DNS filtering, browser hardening |
| 10 | Malware Defenses | Deploy and update anti-malware; behavior-based detection on endpoints |
| 11 | Data Recovery | Automated, protected, and regularly tested backups and recovery procedures |
| 12 | Network Infrastructure Management | Secure, up-to-date network devices and network architecture (including segmentation) |
| 13 | Network Monitoring and Defense | Centralized security alerting, network intrusion detection and prevention, traffic filtering |
| 14 | Security Awareness and Skills Training | Security awareness program and role-specific skills training |
| 15 | Service Provider Management | Inventory, classify, assess, and monitor third-party service providers |
| 16 | Application Software Security | Secure development process, code review, and testing for in-house and acquired software |
| 17 | Incident Response Management | Incident response plan, roles and contacts, and regular exercises |
| 18 | Penetration Testing | Regular internal and external penetration testing based on a defined program |
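Controls 1 and 2 are where most IG1 effort goes in practice, and their Safeguards (keep an inventory, address unauthorized assets, allowlist software) are usually implemented as a reconciliation between what the inventory says and what the network actually shows. The script below is an added example of that reconciliation; it is not CIS tooling, and every MAC address, hostname, timestamp and package name in it is constructed for illustration. It also handles the edge case of a device that has not been seen recently, reporting it as missing instead of letting a stale sighting keep its inventory entry alive.

```python
"""Reconcile an authorized asset and software inventory against what a
scan actually observed. Added illustration of the intent of CIS Controls 1
and 2 (v8 Safeguards 1.1/1.2 and 2.1/2.3); not CIS's own tooling.
All MACs, hostnames, timestamps and package names below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed authorized inventory, keyed by MAC (Safeguard 1.1).
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fs-01", "owner": "it-ops"},
    "aa:bb:cc:00:00:02": {"hostname": "ws-042", "owner": "finance"},
    "aa:bb:cc:00:00:03": {"hostname": "ws-099", "owner": "hr"},
}
# Constructed software allowlist (Safeguards 2.1 / 2.5).
AUTHORIZED_SOFTWARE = {"openssh-server", "osquery", "chrome", "libreoffice"}

# Constructed observations, as if from a DHCP/ARP sweep joined with an endpoint
# agent: (mac, reported hostname, last_seen ISO-8601, installed packages).
OBSERVED = [
    ("AA:BB:CC:00:00:01", "fs-01", "2024-05-01T08:00:00", {"openssh-server", "osquery"}),
    ("aa:bb:cc:00:00:02", "ws-042", "2024-05-01T08:05:00", {"chrome", "libreoffice", "teamviewer"}),
    ("aa:bb:cc:00:00:03", "ws-099", "2024-04-01T10:00:00", {"chrome"}),  # last seen a month ago
    ("de:ad:be:ef:00:09", "iphone-guest", "2024-05-01T08:07:00", set()),  # not in inventory
]
NOW = datetime(2024, 5, 2, 9, 0, 0)  # constructed time of the reconciliation run


@dataclass
class Findings:
    unauthorized_assets: list[str] = field(default_factory=list)   # seen, not inventoried (1.2)
    missing_assets: list[str] = field(default_factory=list)        # inventoried, not seen recently
    mismatched_assets: list[str] = field(default_factory=list)     # MAC known, hostname differs
    unauthorized_software: dict[str, set[str]] = field(default_factory=dict)  # host -> packages (2.3)


def reconcile(authorized_assets, authorized_software, observed, now, max_age=timedelta(days=7)):
    """Compare observations with the inventory and return the deltas.

    A sighting older than max_age is treated as 'not present', so a device that
    dropped off the network shows up in missing_assets instead of being silently
    counted as still there.
    """
    findings = Findings()
    seen = set()
    for mac, hostname, last_seen, installed in observed:
        mac = mac.lower()  # normalise case before comparing against the inventory
        if datetime.fromisoformat(last_seen) < now - max_age:
            continue  # stale sighting: ignore it
        seen.add(mac)
        if mac not in authorized_assets:
            findings.unauthorized_assets.append(mac)
            continue  # nothing further to check on an unknown device
        if authorized_assets[mac]["hostname"] != hostname:
            findings.mismatched_assets.append(mac)
        extra = installed - authorized_software
        if extra:
            findings.unauthorized_software[hostname] = extra
    findings.missing_assets = sorted(set(authorized_assets) - seen)
    return findings


def report_lines(findings):
    """Render each finding as one actionable line (for a ticket or an alert)."""
    lines = []
    for mac in findings.unauthorized_assets:
        lines.append(f"UNAUTHORIZED ASSET {mac}: quarantine or add to inventory (1.2)")
    for mac in findings.missing_assets:
        lines.append(f"MISSING ASSET {mac}: confirm decommissioning or update inventory")
    for mac in findings.mismatched_assets:
        lines.append(f"HOSTNAME MISMATCH {mac}: inventory record out of date")
    for host, pkgs in sorted(findings.unauthorized_software.items()):
        lines.append(f"UNAUTHORIZED SOFTWARE on {host}: {', '.join(sorted(pkgs))} (2.3)")
    return lines


if __name__ == "__main__":
    for line in report_lines(reconcile(AUTHORIZED_ASSETS, AUTHORIZED_SOFTWARE, OBSERVED, NOW)):
        print(line)
```

Run as-is it reports the guest phone as an unauthorized asset, ws-099 as missing (its only sighting is older than the seven-day window), and teamviewer on ws-042 as unauthorized software. In a real deployment the constructed lists would be replaced by the CMDB export and scanner or agent output, and the seven-day window tuned to how often the scan runs.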
Key Principles
- Prioritized — not all Safeguards are equal; IG1 is the essential baseline every enterprise should complete before moving on to IG2 and IG3
- Actionable — each Control is broken into specific, individually implementable Safeguards (153 in v8; called sub-controls in v7)
- Measurable — each Safeguard is written as a single checkable action, and CIS publishes a self-assessment tool (CIS CSAT) for scoring and tracking progress by Implementation Group
- Technology-agnostic — applies regardless of specific tools or vendors
Relationship to Other Frameworks
- NIST CSF — CIS Controls map to NIST CSF categories; CIS is more prescriptive
- ISO 27001 — CIS Controls provide implementation guidance for ISO 27001 Annex A controls
- SOC 2 — CIS Controls help meet SOC 2 trust service criteria
References
- CIS Controls v8 official
- CIS Controls v8 overview
- technologies/security-frameworks/nist-csf.md | NIST Cybersecurity Framework — broader risk management context
- technologies/security-frameworks/iso-27001.md | ISO 27001 — management system standard