CIS Controls: The Critical Security Controls Explained

The Center for Internet Security’s Critical Security Controls are a set of prioritized best practices designed to help organizations improve their cybersecurity posture. The CIS Controls are one of the most widely used cybersecurity standards around the world and offer simple, practical steps to secure your IT. Learn about the different controls included in the CIS framework and what sets the CIS Controls apart from standards like ISO 27001 and NIST CSF.

What Are the CIS Controls?

The CIS Critical Security Controls or CIS Controls are a set of “prescriptive, prioritized and simplified” cybersecurity best practices developed by the Center for Internet Security (CIS). The CIS Controls are designed to help organizations achieve essential cyber hygiene and to serve as an on-ramp for compliance with other frameworks and industry regulations, such as SOX, HIPAA, the GLBA or PCI DSS.

Advantages of the CIS Controls

Cybersecurity is a complex topic, but that complexity shouldn’t stand in the way of taking action. While other frameworks focus on abstract security goals or how to split responsibilities across an organization to ensure accountability, the CIS Controls lay out specific, practice-oriented recommendations.

The CIS Controls are simplified and prioritized, making them both an ideal starting point on the road to more complex cybersecurity certifications, and an effective approach to making high-impact improvements with limited resources. This makes the CIS Controls a great choice for organizations that have no formal cybersecurity program yet or need to improve their IT security on a tight budget.

Why use the CIS Controls?

  • Widely used and well-tested framework

  • Practical recommendations in order of priority

  • Aligns well with other standards like NIST CSF and ISO 27001

  • Great starting point for more complex regulations

  • Free & accessible

The CIS Benchmarks: System-Specific Recommendations

In addition to the CIS Controls, the Center for Internet Security also offers a wide range of CIS Benchmarks: security recommendations and best practice configurations for specific software products, such as Microsoft 365 or Windows Server/Active Directory. These detailed guides help businesses follow recommended safety measures with regard to the specific software and services they use.

CIS Controls v8: The Latest Version

Like all cybersecurity standards, the CIS Controls need to be regularly updated to reflect changing technologies and threats. The CIS Controls v8 (the latest version) were released in 2021 and represent a significant retooling of the framework.

By consolidating recommendations, the number of controls was reduced from 20 to 18. In addition, the safeguards within each control are now sorted into three implementation groups, from essential steps for all organizations to recommendations limited to large-scale enterprises.

Visit the CIS Controls website for more information on v8, including detailed change logs.

CIS Controls vs. ISO 27001

ISO 27001 is an international standard for IT security that guides organizations on how to establish an information security management system (ISMS). Naturally, there is a lot of overlap when it comes to effective cybersecurity. But while the CIS Controls give hands-on, practical advice, ISO 27001 is more governance-focused.

ISO 27001 covers organizational responsibilities and lays out the role of parties such as the CISO and the board. This approach is intended to ensure that cybersecurity receives enough resources and is continuously monitored and improved. However, it also represents a more abstract view of the topic.

While ISO 27001 includes a number of recommended technical, physical and organizational controls, it gives its users a lot of freedom to tailor recommendations to their IT and decide for themselves which controls are relevant to their environment. This means that preparing for ISO 27001 requires a lot of planning and risk assessment.

ISO 27001 | CIS Controls
Abstract security goals | Measurable, practical safeguards
Tailoring of recommended controls | No tailoring, but three tiers of implementation

Rather than competing with other standards, the CIS Controls are designed to align with commonly used frameworks. Download the official CIS Controls Mapping for ISO 27001 to learn more.

CIS Controls vs. NIST CSF

Like the CIS Controls, the NIST Cybersecurity Framework offers free, voluntary guidance for organizations looking to improve their cybersecurity posture. Many NIST CSF recommendations even map directly to CIS Controls.

However, the NIST Cybersecurity Framework takes a broader, less technical approach than the CIS Controls. It includes topics such as supply chain risk management and effective crisis communication. With the latest update, NIST CSF 2.0, the framework even adds an overarching Govern category that groups together many of these requirements.

Additionally, NIST CSF is used primarily by US organizations due to its close relationship to mandatory standards like NIST 800-53 and 800-171.

NIST CSF | CIS Controls
Broad security targets | Specific, technical advice
Covers IT and organizational requirements | Focused on IT level
Organization creates own target profile | Three pre-defined implementation groups

Despite a broader scope, there are many similarities between NIST CSF and the CIS Controls. An official mapping table is available on the CIS website.

The 18 CIS Controls: Overview

Version 8 of the CIS Controls, the latest update, features a total of 18 controls. Each control is split into a number of smaller safeguards that organizations need to implement in order to comply with the standard.

The CIS Controls are structured as a simplified, prescriptive list of best practices. This means that each safeguard prescribes specific actions the organization needs to take, rather than setting a security target and leaving it up to you to figure out how to achieve it.

In addition, the 18 CIS Controls are presented in order of priority (more or less). For example, the first chapter, Inventory of Enterprise Assets, is something organizations should tackle first because it will inform many of their choices down the line. Meanwhile, the Penetration Testing control is placed at the end because you need to have your defenses in place before it makes sense to test them.

The 18 CIS Controls are:

  • Inventory and Control of Enterprise Assets

  • Inventory and Control of Software Assets

  • Data Protection

  • Secure Configuration

  • Account Management

  • Access Control Management

  • Continuous Vulnerability Management

  • Audit Log Management

  • Email and Web Browser Protections

  • Malware Defenses

  • Data Recovery

  • Network Infrastructure Management

  • Network Monitoring and Defense

  • Security Awareness and Skills Training

  • Service Provider Management

  • Application Software Security

  • Incident Response Management

  • Penetration Testing

The full list of CIS Controls and individual safeguards is available for download on the CIS website.

CIS Controls: Implementation Groups

In order to provide recommendations that fit the scale of your business, the CIS Controls are divided into three Implementation Groups. IG1 represents essential cyber hygiene that all organizations should implement, while IG2 and IG3 include more complex safety measures reserved for enterprises with the staff and resources to implement them.

Each safeguard within the 18 CIS Controls is labelled as relevant for IG1, IG2 or IG3. Implementation Groups build on top of each other, so enterprises that fit into IG2 are still expected to implement safeguards from IG1, and organizations from IG3 must put every recommendation into action.

Implementation Groups are self-assessed categories, meaning that enterprises need to decide for themselves which category fits their resources and risk profile. These groups are defined as follows.

  • Implementation Group 1: Small to mid-sized enterprises with limited IT and cybersecurity expertise. They need to defend against non-targeted attacks while working within the constraints of off-the-shelf software and hardware.

  • Implementation Group 2: Medium-sized enterprises with dedicated IT staff but limited resources. Diversity of job functions and risk profiles leads to operational complexity. Enterprise-grade technology must be properly configured to avoid risk.

  • Implementation Group 3: Large-scale enterprises that process sensitive information and are subject to regulatory compliance. Employ dedicated security experts, but need to fend off targeted and sophisticated attacks.

CIS Controls: Certification

Unlike externally audited standards like ISO 27001, the CIS Controls are a self-help resource for enterprises that does not come with a badge or certificate. While there are audit companies that will offer to compare your cybersecurity program against the CIS Controls, there is no official certification for compliance with the CIS Controls.

CIS Controls Requirements: User & Access Management

Effective cybersecurity requires a broad mix of safety measures. With a total of 18 chapters and 153 individual safeguards, the CIS Controls aim to cover everything an organization needs in order to secure their IT against both outside attacks and insider threats. In order to comply with the framework, organizations need to address everything from malware protection to data backups and security awareness training.

However, one section of the CIS Controls is not only central to cybersecurity, but also to maintaining a productive and efficient IT environment: identity & access management.

Between Control 5 (Account Management) and Control 6 (Access Control Management), the Critical Security Controls require organizations to centralize their user management and access control, establish an automated access granting & revoking process, disable inactive accounts and implement role-based access control.

And for good reason: Following the recommended approach of least privilege access is essential to protecting sensitive data, while automated processes serve a dual purpose: automation prevents mistakes that could lead to overprivileged users, but also saves your IT staff valuable time. From automated provisioning to regular access reviews, automation is the key to success when it comes to identity & access management!

CIS Controls covered by tenfold Access Management:

Control 05: Account Management

  • 5.1 – Establish an Inventory of Accounts

  • 5.2 – Use Unique Passwords

  • 5.3 – Disable Dormant Accounts

  • 5.4 – Restrict Administrator Privileges

  • 5.5 – Establish an Inventory of Service Accounts

  • 5.6 – Centralize Account Management

Control 06: Access Control Management

  • 6.1 – Establish an Access Granting Process

  • 6.2 – Establish an Access Revoking Process

  • 6.6 – Establish an Inventory of Authentication Systems

  • 6.7 – Centralize Access Control

  • 6.8 – Maintain Role-Based Access Control
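
As an added illustration (not part of the original article and not tenfold's or CIS's code), the following sketch shows how an exported account inventory could be checked automatically against safeguards 5.3, 5.4 and 5.5 listed above. The CSV columns, the sample rows, the approved-admin list and the 45-day dormancy default are assumptions of this example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (not real data): one row per account.
# The column layout is an assumption of this example.
SAMPLE_INVENTORY = """\
username,type,enabled,is_admin,owner,last_login
alice,user,true,false,,2024-05-28
bob,user,true,true,,2024-05-30
carol,user,true,false,,2024-02-11
dave,user,false,false,,2023-11-02
svc-backup,service,true,true,it-ops,2024-05-31
svc-legacy,service,true,false,,
"""

def audit_accounts(inventory_csv, today, dormant_days=45, approved_admins=()):
    """Return account names to review, keyed by the related safeguard number."""
    cutoff = today - timedelta(days=dormant_days)
    findings = {"5.3": [], "5.4": [], "5.5": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["username"]
        if row["enabled"].lower() != "true":
            continue  # already disabled, nothing left to revoke
        # 5.3: enabled account with no login since the cutoff. An empty
        # last_login is also flagged, so new accounts need manual review.
        last = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        if last is None or last < cutoff:
            findings["5.3"].append(name)
        # 5.4: admin rights held by an account not on the approved list.
        if row["is_admin"].lower() == "true" and name not in approved_admins:
            findings["5.4"].append(name)
        # 5.5: service account with no recorded owner in the inventory.
        if row["type"] == "service" and not row["owner"]:
            findings["5.5"].append(name)
    return findings

if __name__ == "__main__":
    result = audit_accounts(SAMPLE_INVENTORY, date(2024, 6, 1),
                            approved_admins={"svc-backup"})
    for safeguard, accounts in result.items():
        print(safeguard, accounts)
```

In practice the inventory would come from the directory or IAM system acting as the central source of accounts (safeguards 5.1 and 5.6), and the findings would feed the access revoking process (6.2).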

tenfold: The Easy Way to Manage Access

While identity & access management is critical to IT security, productivity and compliance, there is one major problem: Typical IAM solutions are far too complex for medium-sized organizations, requiring extensive scripting to set up. It is not uncommon for IAM projects to span several years from initial planning to successful deployment.

But there is a faster way to automate your user and access management without sacrificing IAM features. tenfold is the first fully no-code IAM platform, meaning it can be configured, operated and maintained entirely through its user-friendly UI. Thanks to out-of-the-box plugins for common IT systems like Active Directory and M365, it’s easy to integrate tenfold with your existing infrastructure and make quick use of our powerful IAM solution. Watch our video demo or sign up for a free trial to see for yourself!



About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.