Center for Internet Security Controls (CIS)

What is Center for Internet Security Controls (CIS)?

The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks.

Background of CIS Controls

The SANS Institute and the FBI started the CIS Controls as the Top 20 Critical Controls in 2001. Over the years it evolved into the popular SANS Top 20. In 2015, the effort of maintaining and improving the guidelines was transferred to the Center for Internet Security. The name changed to the CIS Critical Security Controls and was eventually shortened to “CIS Controls.” During this time, the controls identified 20 major areas to focus on in data security. Since complexity often obstructs security, the v8 revision of the CIS Controls reduced the top 20 to the top 18.

What are the 18 Center for Internet Security Controls (CIS)?

Formerly known as the SANS Critical Security Controls (SANS Top 20), these are now officially called the CIS Critical Security Controls (CIS Controls).

CIS Controls Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in a decrease in the number of Controls from 20 to 18.

The 18 CIS Controls, with a short description of each:

  • CIS Control 1: Inventory and Control of Enterprise Assets
    • Actively manage all enterprise hard assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately account for, monitor, and protect assets within the enterprise.
  • CIS Control 2: Inventory and Control of Software Assets
    • Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
  • CIS Control 3: Data Protection
    • Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
  • CIS Control 4: Secure Configuration of Enterprise Assets and Software
    • Establish and maintain the secure configuration of enterprise hard assets and software.
  • CIS Control 5: Account Management
    • Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts and service accounts, to enterprise assets and software.
  • CIS Control 6: Access Control Management
    • Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
  • CIS Control 7: Continuous Vulnerability Management
    • Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
  • CIS Control 8: Audit Log Management
    • Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
  • CIS Control 9: Email and Web Browser Protections
    • Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
  • CIS Control 10: Malware Defenses
    • Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
  • CIS Control 11: Data Recovery
    • Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
  • CIS Control 12: Network Infrastructure Management
    • Establish, implement, and actively manage (e.g., track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
  • CIS Control 13: Network Monitoring and Defense
    • Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
  • CIS Control 14: Security Awareness and Skills Training
    • Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
  • CIS Control 15: Service Provider Management
    • Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
  • CIS Control 16: Application Software Security
    • Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
  • CIS Control 17: Incident Response Management
    • Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, communications) to prepare, detect, and quickly respond to an attack.
  • CIS Control 18: Penetration Testing
    • Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (e.g., people, processes, technology), and simulating the objectives and actions of an attacker.

What are the Implementation Groups in CIS?

Version 7.1 introduced the Implementation Groups, dividing the Controls into 3 sections:

  • Implementation Group 1: Applicable to all companies (small to large)
  • Implementation Group 2: Additional Controls for storing sensitive information
  • Implementation Group 3: Additional Controls for very sensitive information

With the implementation groups, smaller companies do not need to comply with all CIS Controls.

Who are the users of the CIS Controls?

The CIS Controls have been adopted by thousands of global enterprises, large and small, and are supported by numerous security solution vendors, integrators, and consultants.

Some users of the CIS Controls include the Federal Reserve Bank of Richmond, Corden Pharma, Boeing, Citizens Property Insurance, Butler Health System, the University of Massachusetts, the states of Idaho, Colorado, and Arizona, the cities of Portland and San Diego, and many others. As of May 1, 2017, the CIS Controls have been downloaded more than 70,000 times.
