CIS Controls: The Critical Security Controls Explained

The CIS Critical Security Controls or CIS Controls are a set of “prescriptive, prioritized and simplified” cybersecurity best practices developed by the Center for Internet Security (CIS). The CIS Controls are designed to help organizations achieve essential cyber hygiene and to serve as an on-ramp for compliance with other frameworks and industry regulations, such as SOX, HIPAA, the GLBA or PCI DSS.

Cybersecurity is a complex topic, but that complexity shouldn’t stand in the way of taking action. While other frameworks focus on abstract security goals or how to split responsibilities across an organization to ensure accountability, the CIS Controls lay out specific, practice-oriented recommendations.

The CIS Controls are simplified and prioritized, making them both an ideal starting point on the road to more complex cybersecurity certifications, and an effective approach to making high-impact improvements with limited resources. This makes the CIS Controls a great choice for organizations that have no formal cybersecurity program yet or need to improve their IT security on a tight budget.

Why use the CIS Controls?

In addition to the CIS Controls, the Center for Internet Security also offers a wide range of CIS Benchmarks: Security recommendations and best practice configurations for specific software products, such as Microsoft 365 or Windows Server/Active Directory. These detailed guides help businesses follow recommended safety measures with regards to the specific software and services they use.

Like all cybersecurity standards, the CIS Controls need to be regularly updated to reflect changing technologies and threats. The CIS Controls v8 (the latest version) were released in 2021 and represent a significant retooling of the framework.

By consolidating recommendations, the number of controls was reduced from 20 to 18. In addition, the safeguards within each control are now sorted into three implementation groups, from essential steps for all organizations to recommendations limited to large-scale enterprises.

ISO 27001 is an international standard for IT security that guides organizations on how to establish an information security management system (ISMS). Naturally, there is a lot of overlap when it comes to effective cybersecurity. But while the CIS Controls give hands-on, practical advice, ISO 27001 is more governance-focused.

ISO 27001 covers organizational responsibilities and lays out the role of parties such as the CISO and the board. This approach is intended to ensure that cybersecurity receives enough resources and is continuously monitored and improved. However, it also represents a more abstract view of the topic.

While ISO 27001 includes a number of recommended technical, physical and organizational controls, it gives its users a lot of freedom to tailor recommendations to their IT and decide for themselves which controls are relevant to their environment. This means that preparing for ISO 27001 requires a lot of planning and risk assessment.

ISO 27001	CIS Controls
Governance-focused	IT-focused
Abstract security goals	Measurable, practical safeguards
Tailoring of recommended controls	No tailoring, but three tiers of implementation

Like the CIS Controls, the NIST Cybersecurity Framework offers free, voluntary guidance for organizations looking to improve their cybersecurity posture. Many NIST CSF recommendations even map directly to CIS Controls.

However, the NIST Cybersecurity Framework takes a broader, less technical approach than the CIS Controls. It includes topics such as supply chain risk management and effective crisis communication. With the latest update, NIST CSF 2.0, the framework even adds an overarching Govern category that groups together many of these requirements.

Additionally, NIST CSF is used primarily by US organizations due to its close relationship to mandatory standards like NIST 800-53 and 800-171.

NIST CSF	CIS Controls
Broad security targets	Specific, technical advice
Covers IT and organizational requirements	Focused on IT level
Organization creates own target profile	Three pre-defined implementation groups

Version 8 of the CIS Controls, the latest update, features a total of 18 controls. Each control is split into a number of smaller safeguards that organizations need to implement in order to comply with the standard.

The CIS Controls are structured as simplified, prescriptive list of best practices. This means that each safeguard prescribes specific actions the organization needs to take, rather than setting a security target and leaving it up to you to figure out how to achieve it.

In addition, the 18 CIS Controls are presented in order of priority (more or less). For example, the first chapter, Inventory of Enterprise Assets, is something organizations should tackle first because it will inform many of their choices down the line. Meanwhile, the Penetration Testing control is placed at the end because you need to have your defenses in place before it makes sense to test them.

The 18 CIS Controls are:

In order to provide recommendations that fit the scale of your business, the CIS Controls are divided into three Implementation Groups. IG1 represents essential cyber hygiene that all organizations should implement, while IG2 and IG3 include more complex safety measures reserved for enterprises with the staff and resources to implement them.

Each safeguard within the 18 CIS Controls is labelled as relevant for IG1, IG2 or IG3. Implementation Groups build on top of each other, so enterprises that fit into IG2 are still expected to implement safeguards from IG1, and organizations from IG3 must put every recommendation into action.

Implementation Groups are self-assessed categories, meaning that enterprises need to decide for themselves which category fits their resources and risk profile. These groups are defined as follows.

Unlike externally audited standards like ISO 27001, the CIS Controls are a self-help resource for enterprises that does not come with a badge or certificate. While there are audit companies that will offer to compare your cybersecurity program against the CIS Controls, there is no official certification for compliance with the CIS Controls.

Effective cybersecurity requires a broad mix of safety measures. With a total of 18 chapters and 153 individual safeguards, the CIS Controls aim to cover everything an organization needs in order to secure their IT against both outside attacks and insider threats. In order to comply with the framework, organizations need to address everything from malware protection to data backups and security awareness training.

However, one section of the CIS Controls is not only central to cybersecurity, but also to maintaining a productive and efficient IT environment: identity & access management.

Between Control 5 (Account Management) and Control 6 (Access Control Management), the Critical Security Controls require organizations to centralize their user management and access control, establish an automated access granting & revoking process, disable inactive accounts and implement role-based access control.

And for good reason: Following the recommended approach of least privilege access is essential to protecting sensitive data, while automated processes serve a dual purpose – automation prevents mistakes that could lead to overprivileged users, but also saves your IT staff valuable time. From automated provisioning to regular access reviews, automation is the key to success when it comes to identity & access management!

While identity & access management is critical to IT security, productivity and compliance, there is one major problem: Typical IAM solutions are far too complex for medium-sized organizations, requiring extensive scripting to set up. It is not uncommon for IAM projects to span several years from initial planning to successful deployment.

But there is a faster way to automate your user and access management without sacrificing IAM features. tenfold is the first fully no-code IAM platform, meaning it can be configured, operated and maintained entirely through its user-friendly UI. Thanks to out-of-the-box plugins for common IT systems like Active Directory and M365, it’s easy to integrate tenfold with your existing infrastructure and make quick use of our powerful IAM solution. Watch our video demo or sign up for a free trial to see for yourself!