Framework Explorer

An Interactive Guide to Foundational Frameworks

CIS Controls

Learn about the CIS Controls, a prioritized set of actions to protect your organization and data from known cyber-attack vectors.

Key Features

Why developers choose CIS Controls.

Basic Controls (IG1)

The first 6 controls are considered "basic" and should be implemented by all organizations. They include inventory of hardware and software assets, continuous vulnerability management, and controlled use of administrative privileges.

Foundational Controls (IG2)

The next 10 controls are considered "foundational" and should be implemented by organizations with more complex IT environments. They include email and web browser protections, malware defenses, and data recovery.

Organizational Controls (IG3)

The final 2 controls are considered "organizational" and are for mature organizations. They include implementing a security awareness and training program and penetration testing.

Implementation Groups (IGs)

The CIS Controls are divided into three Implementation Groups (IGs). IGs are self-assessed, and they help organizations prioritize their implementation of the controls.

Prioritized and Actionable

The CIS Controls are prioritized to help organizations focus on the most important actions they can take to improve their security. They are also written in a way that is easy to understand and implement.

Community-Driven

The CIS Controls are developed and maintained by a community of experts from around the world. This ensures that they are up to date and relevant to the latest threats.

Implementation & Strategy

Costs, timelines, and strategic considerations for adopting CIS Controls.

Estimated Project Costs

The CIS Controls are a free set of best practices, so there are no direct costs associated with them. Implementing the controls does carry costs, however, which can range from a few thousand dollars to several hundred thousand dollars, depending on the size and complexity of the organization.

Implementation Strategy

A typical CIS Controls implementation starts with a self-assessment to determine the organization's current security posture. From there, the organization can develop a plan for implementing the controls, starting with the basic controls and moving on to the foundational and organizational controls as its security program matures.