<h2>What are the 18 CIS Controls?</h2>

<ol> <li><a href="/blog/strengthening-data-protection-and-privacy-with-cis-control-3-v8/">Data Protection</a></li> <li>Secure Configuration of Enterprise Assets and Software</li> <li>Account Management</li> <li>Access Control Management</li> <li>Continuous Vulnerability Management</li> <li>Audit Log Management</li> <li>Email Web Browser and Protections</li> <li>Malware Defenses</li> <li>Data Recovery</li> <li><a href="/blog/see-whats-new-in-cis-critical-security-control-12-version-8/">Network Infrastructure Management</a></li> <li>Network Monitoring and Defense</li> <li>Security Awareness and Skills Training</li> <li>Service Provider Management</li> <li>Application Software Security</li> <li>Incident Response Management</li> <li>Penetration Testing</li> </ol> <p>Within each CIS Control, three Implementation Groups (IGs) help enterprises understand the security measures to be prioritized based on their resources and risk profile.</p>

What are the CIS Controls?

The CIS Critical Security Controls (CIS Controls) are a set of actionable best practices that organizations should prioritize to improve their cybersecurity posture. Formerly known as the SANS Critical Security Controls (SANS Top 20 Controls), these guidelines are now published by the Center for Internet Security (CIS).

An international community of experts updates the list of controls periodically. In its current version 8, as of May 2021, there are 18 controls divided by activities.

What are the 18 CIS Controls?

Data Protection
Secure Configuration of Enterprise Assets and Software
Account Management
Access Control Management
Continuous Vulnerability Management
Audit Log Management
Email Web Browser and Protections
Malware Defenses
Data Recovery
Network Infrastructure Management
Network Monitoring and Defense
Security Awareness and Skills Training
Service Provider Management
Application Software Security
Incident Response Management
Penetration Testing

Within each CIS Control, three Implementation Groups (IGs) help enterprises understand the security measures to be prioritized based on their resources and risk profile.

The CIS Controls v8 lists a total of 153 cyber defense Safeguards:

CIS Implementation Group 1 (IG1) focuses on basic cyber hygiene practices to protect against the most common attacks. There are 56 foundational Safeguards in this group to help small to medium-sized enterprises with limited IT security expertise keep their business operational.
CIS Implementation Group 2 (IG2) builds upon IG1 foundational Safeguards and brings an additional 74 Safeguards to help IT teams deal with greater operational complexity. IG2 enterprises typically support departments that have different risk profiles.
CIS Implementation Group 3 (IG3) adds 23 more Safeguards directed at organizations that deal with more sophisticated forms of attack. IG3 enterprises typically have specialized security professionals, deal with sensitive data, or are subject to compliance and regulatory oversights.

The CIS Controls also help organizations comply with other cybersecurity frameworks and industry standards, including the NIST Cybersecurity Framework.

Armis helps organizations implement 12 out of the 18 CIS Controls. Download our white paper to learn more.