What are the CIS Controls?

The CIS Critical Security Controls (CIS Controls) are a set of actionable best practices that organizations should prioritize to improve their cybersecurity posture. Formerly known as the SANS Critical Security Controls (SANS Top 20 Controls), these guidelines are now published by the Center for Internet Security (CIS).

An international community of experts updates the list of controls periodically. In its current version 8, released in May 2021, there are 18 controls grouped by activity.

What are the 18 CIS Controls?

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

Within each CIS Control, three Implementation Groups (IGs) help enterprises understand which security measures to prioritize based on their resources and risk profile.

The CIS Controls v8 lists a total of 153 cyber defense Safeguards:

  • CIS Implementation Group 1 (IG1) focuses on basic cyber hygiene practices to protect against the most common attacks. There are 56 foundational Safeguards in this group to help small to medium-sized enterprises with limited IT security expertise keep their business operational.
  • CIS Implementation Group 2 (IG2) builds upon the IG1 foundational Safeguards and brings an additional 74 Safeguards to help IT teams deal with greater operational complexity. IG2 enterprises typically support departments that have different risk profiles.
  • CIS Implementation Group 3 (IG3) adds 23 more Safeguards directed at organizations that deal with more sophisticated forms of attack. IG3 enterprises typically have specialized security professionals, deal with sensitive data, or are subject to compliance and regulatory oversight.

The CIS Controls also help organizations comply with other cybersecurity frameworks and industry standards, including the NIST Cybersecurity Framework.

Armis helps organizations implement 12 out of the 18 CIS Controls. Download our white paper to learn more.