Armis Acquires Silk Security

Learn More

What are the CIS Controls?

The CIS Critical Security Controls (CIS Controls) are a set of actionable best practices that organizations should prioritize to improve their cybersecurity posture. Formerly known as the SANS Critical Security Controls (SANS Top 20 Controls), these guidelines are now published by the Center for Internet Security (CIS).

An international community of experts updates the list of controls periodically. In its current version 8, as of May 2021, there are 18 controls divided by activities.

What are the 18 CIS Controls?

  1. Data Protection
  2. Secure Configuration of Enterprise Assets and Software
  3. Account Management
  4. Access Control Management
  5. Continuous Vulnerability Management
  6. Audit Log Management
  7. Email Web Browser and Protections
  8. Malware Defenses
  9. Data Recovery
  10. Network Infrastructure Management
  11. Network Monitoring and Defense
  12. Security Awareness and Skills Training
  13. Service Provider Management
  14. Application Software Security
  15. Incident Response Management
  16. Penetration Testing

Within each CIS Control, three Implementation Groups (IGs)  help enterprises understand the security measures to be prioritized based on their resources and risk profile.

The CIS Controls v8 lists a total of 153 cyber defense Safeguards:

  • CIS Implementation Group 1 (IG1) focuses on basic cyber hygiene practices to protect against the most common attacks. There are 56 foundational Safeguards in this group to help small to medium-sized enterprises with limited IT security expertise keep their business operational.
  • CIS Implementation Group 2 (IG2) builds upon IG1 foundational Safeguards and brings an additional 74 Safeguards to help IT teams deal with greater operational complexity. IG2 enterprises typically support departments that have different risk profiles.
  • CIS Implementation Group 3 (IG3) adds 23 more Safeguards directed at organizations that deal with more sophisticated forms of attack. IG3 enterprises typically have specialized security professionals, deal with sensitive data, or are subject to compliance and regulatory oversights.

The CIS Controls also help organizations comply with other cybersecurity frameworks and industry standards, including the NIST Cybersecurity Framework.

Armis helps organizations implement 12 out of the 18 CIS Controls. Download our white paper to learn more.