🔒 CIS Controls – The Center for Internet Security
The Center for Internet Security (CIS) provides globally recognised best practices for securing IT systems and data. Their most notable framework is the CIS Controls – a prioritised set of actions that help organisations protect themselves against the most pervasive cyber threats.
✅ What is CIS?
CIS (Center for Internet Security) is a non-profit organisation that provides cybersecurity standards and benchmarks, used worldwide to harden systems and improve cyber hygiene. Their mission is to “make the connected world a safer place.”
Their flagship offering is:
- CIS Controls – a set of 18 critical security controls
- CIS Benchmarks – secure configuration baselines for systems, software, and cloud environments
🧰 What are the CIS Controls?
The CIS Critical Security Controls (v8) are grouped into three implementation groups (IG1, IG2, IG3), depending on organisational maturity and risk.
| Group | Description |
|---|---|
| IG1 (Basic) | Foundational cyber hygiene – ideal for small/medium organisations |
| IG2 (Standard) | Adds depth – suited to organisations with moderate resources and risks |
| IG3 (Advanced) | Designed for mature organisations with complex systems and significant risks |
🔐 CIS Control Categories (v8)
The 18 controls are:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defences
- Data Recovery
- Network Infrastructure Management
- Security Awareness and Skills Training
- Security Operations Centre (SOC)
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
Each control is broken down into safeguards (formerly sub-controls) that describe concrete, actionable steps, and each safeguard is mapped to risk areas and to other frameworks such as NIST CSF, ISO 27001, and PCI DSS.
🚀 Why Use CIS Controls?
- Prioritised: Focuses first on high-impact, achievable defences
- Actionable: Clear, practical steps for implementation
- Mappable: Aligns with other security standards (NIST, ISO, etc.)
- Free: Publicly available and supported by a global community
🛠️ How to Use CIS in Your Organisation
1. Download the CIS Controls & Benchmarks
   Get them from the official site: https://cisecurity.org
2. Conduct a Gap Assessment
   Compare your current state against each control and its safeguards.
3. Prioritise by Implementation Group
   Start with IG1 if you’re a small or new organisation. Mature companies should aim for IG2 or IG3.
4. Apply CIS Benchmarks
   Harden operating systems, cloud, and software (e.g. Windows 10, Ubuntu, AWS) using the step-by-step CIS Benchmark guides.
5. Track Progress
   Use tools like the CIS Controls Assessment Tool (CIS-CAT) to monitor improvements.
🔧 Tools That Support CIS
- CIS-CAT Pro (assessment and scoring tool)
- Security products such as Microsoft Defender, CrowdStrike, and Tenable map their detections and findings to CIS Controls
- Cloud providers such as AWS, Azure, and GCP offer CIS Benchmarks as built-in compliance standards
📦 Where to Get It
🛡️ Summary
Implementing CIS Controls is one of the most effective ways to improve your cybersecurity posture quickly and systematically. Whether you’re a small business or an enterprise, CIS gives you a roadmap to reduce risk and meet compliance obligations.