CIS Controls
A prioritized set of actions to protect your organization and data from known cyber-attack vectors.
The Center for Internet Security (CIS) Controls are a prioritized set of best practices created to stop the most pervasive and dangerous of today's cyber attacks. The CIS Controls are developed and maintained by a community of experts from around the world.
They are designed to be a starting point for organizations to improve their cybersecurity posture, and they can be mapped to many other security frameworks, including the NIST Cybersecurity Framework.
- Type: Cybersecurity Best Practices
- Core Idea: Prioritized and Actionable
- Key Elements: 18 Controls, 3 Implementation Groups
CIS Controls v8
The 18 CIS Controls in version 8. Each Control is broken down into specific Safeguards (153 in total), and it is the Safeguards, not whole Controls, that are assigned to Implementation Groups.
- Control 1: Inventory and Control of Enterprise Assets
- Control 2: Inventory and Control of Software Assets
- Control 3: Data Protection
- Control 4: Secure Configuration of Enterprise Assets and Software
- Control 5: Account Management
- Control 6: Access Control Management
- Control 7: Continuous Vulnerability Management
- Control 8: Audit Log Management
- Control 9: Email and Web Browser Protections
- Control 10: Malware Defenses
- Control 11: Data Recovery
- Control 12: Network Infrastructure Management
- Control 13: Network Monitoring and Defense
- Control 14: Security Awareness and Skills Training
- Control 15: Service Provider Management
- Control 16: Application Software Security
- Control 17: Incident Response Management
- Control 18: Penetration Testing
Implementation Group 1 (IG1)
Version 8 dropped the "Basic / Foundational / Organizational" tiers of version 7, which split its 20 Controls 6/10/4. In v8 every Safeguard carries an IG label, and the groups are cumulative. IG1 is "essential cyber hygiene": 56 Safeguards, drawn from 15 of the 18 Controls, that every enterprise should implement. They include the hardware and software inventories (Controls 1 and 2), secure configuration, restricting administrator privileges to dedicated accounts (Control 5), a documented vulnerability and patch management process (Control 7), and the baseline email, browser, anti-malware and backup Safeguards of Controls 9 through 11.
Implementation Group 2 (IG2)
IG2 is for enterprises with dedicated IT and security staff and more sensitive data. It adds 74 Safeguards on top of IG1 (130 in total), such as active asset discovery, automated internal and external vulnerability scanning, centralized log collection, and network monitoring.
Implementation Group 3 (IG3)
IG3 is for mature enterprises with security specialists and regulated or high-value data. It adds the remaining 23 Safeguards (153 in total), such as passive asset discovery, internal penetration testing, and the more advanced application security and incident response Safeguards. Note that Control 14 (Security Awareness and Skills Training) and Control 17 (Incident Response Management) both start in IG1; they are not reserved for mature organizations.
Implementation Groups (IGs)
The CIS Controls are organized into three Implementation Groups (IGs). An enterprise self-selects its IG based on its risk profile and available resources; the IG then determines which Safeguards it is expected to implement. The groups are cumulative: an IG2 enterprise implements all IG1 and IG2 Safeguards, and an IG3 enterprise implements all 153. This is what gives organizations a defensible order of work: finish IG1 before spending on IG2 tooling.
Prioritized and Actionable
The CIS Controls are prioritized to help organizations focus on the most important actions they can take to improve their security. They are also written in a way that is easy to understand and implement.
Community-Driven
Because the Controls are maintained by a volunteer community of practitioners, vendors and government contributors rather than a single vendor, they are revised as attack patterns change (v8 added Control 15, Service Provider Management, and reorganized the Controls around assets rather than devices to reflect cloud and remote work).
Implementation & Strategy
Costs, timelines, and strategic considerations for adopting the CIS Controls.
Estimated Project Costs
The CIS Controls themselves are free to download and use, so there is no licensing cost. The cost lies in implementing the Safeguards: tooling (inventory, vulnerability scanning, logging, backup), staff time, and any outside assessment. That cost can range from a few thousand dollars to several hundred thousand dollars, depending on the size and complexity of the environment, the target IG, and how many Safeguards are already in place.
Implementation Strategy
A typical CIS Controls implementation starts with a self-assessment of the current posture against the individual Safeguards (CIS publishes a free tool for this, the CIS Controls Self Assessment Tool, CIS-CSAT). The organization then chooses its target IG, closes its IG1 gaps first, and moves on to the IG2 and IG3 Safeguards as its security program matures, re-assessing periodically to track progress.
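The IG model and the assess-then-prioritize approach above, as an added worked example (this is not CIS material and not the CIS-CSAT tool): a small Python gap analysis that treats IGs as cumulative and orders the missing Safeguards lowest IG first, so IG1 gaps surface before IG2 work even if some IG2 Safeguards are already done. The Safeguard IDs, titles and IG labels are a hand-entered subset of Controls 1 and 7 used as constructed sample input, and the "implemented" set is an invented self-assessment result; verify the IG assignments against the published v8 Safeguard table before relying on them.

```python
"""Toy CIS Controls v8 gap analysis (added example, not an official CIS tool)."""
from dataclasses import dataclass

# Implementation Groups are cumulative: a higher IG includes every lower one.
IG_ORDER = {"IG1": 1, "IG2": 2, "IG3": 3}


@dataclass(frozen=True)
class Safeguard:
    id: str       # "control.safeguard", e.g. "1.1"
    control: int  # parent Control number, 1-18
    title: str
    ig: str       # lowest IG at which this Safeguard is required


# Constructed sample subset of Controls 1 and 7. Assumption: these IG
# labels match the official v8 table; check them before real use.
SAMPLE_SAFEGUARDS = [
    Safeguard("1.1", 1, "Establish and Maintain Detailed Enterprise Asset Inventory", "IG1"),
    Safeguard("1.2", 1, "Address Unauthorized Assets", "IG1"),
    Safeguard("1.3", 1, "Utilize an Active Discovery Tool", "IG2"),
    Safeguard("1.4", 1, "Use DHCP Logging to Update Enterprise Asset Inventory", "IG2"),
    Safeguard("1.5", 1, "Use a Passive Asset Discovery Tool", "IG3"),
    Safeguard("7.1", 7, "Establish and Maintain a Vulnerability Management Process", "IG1"),
    Safeguard("7.2", 7, "Establish and Maintain a Remediation Process", "IG1"),
    Safeguard("7.3", 7, "Perform Automated Operating System Patch Management", "IG1"),
    Safeguard("7.4", 7, "Perform Automated Application Patch Management", "IG1"),
    Safeguard("7.5", 7, "Perform Automated Vulnerability Scans of Internal Enterprise Assets", "IG2"),
    Safeguard("7.6", 7, "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets", "IG2"),
    Safeguard("7.7", 7, "Remediate Detected Vulnerabilities", "IG2"),
]


def required_for(target_ig, safeguards):
    """Every Safeguard whose IG is at or below the target IG (cumulative model)."""
    level = IG_ORDER[target_ig]
    return [s for s in safeguards if IG_ORDER[s.ig] <= level]


def coverage(target_ig, implemented, safeguards=SAMPLE_SAFEGUARDS):
    """Fraction (0.0-1.0) of the Safeguards required at target_ig that are in place."""
    required = required_for(target_ig, safeguards)
    done = set(implemented)
    hit = sum(1 for s in required if s.id in done)
    return hit / len(required) if required else 1.0


def gap_analysis(target_ig, implemented, safeguards=SAMPLE_SAFEGUARDS):
    """Missing Safeguards for target_ig, ordered lowest IG first, then by Safeguard ID.

    Ordering by IG before ID is the prioritization step: IG1 gaps come out
    ahead of IG2 gaps regardless of which Control they belong to.
    """
    done = set(implemented)
    missing = [s for s in required_for(target_ig, safeguards) if s.id not in done]

    def key(s):
        control, sub = (int(p) for p in s.id.split("."))
        return (IG_ORDER[s.ig], control, sub)

    return sorted(missing, key=key)


if __name__ == "__main__":
    # Constructed self-assessment result: an IG2 Safeguard (7.5) was bought
    # before IG1 was finished, which the gap list makes visible.
    implemented = {"1.1", "7.1", "7.3", "7.5"}
    for ig in ("IG1", "IG2", "IG3"):
        print(f"{ig}: {coverage(ig, implemented):.0%} of required Safeguards in place")
    print("Next actions for an IG2 target:")
    for s in gap_analysis("IG2", implemented):
        print(f"  [{s.ig}] {s.id} {s.title}")
```

Feeding the full 153-Safeguard table into `SAMPLE_SAFEGUARDS` (for example from a CSV export) turns this into a usable prioritized backlog; the IG-first ordering is the only logic that matters, the rest is bookkeeping.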
Comparisons
How the CIS Controls stack up against other security frameworks.