
CIS Controls

The CIS Controls are a set of 18 prioritised cyber security best practices developed and maintained by the Center for Internet Security (CIS). The aim of these controls is to help businesses improve their defences against cyber threats and to safeguard important systems and data.

Within each of the 18 controls is a set of safeguards that covers a specific aspect of security. In total there are 153 safeguards that businesses can implement. The controls are also organised into Implementation Groups (IGs), which help businesses ascertain what security measures they should work towards, based on the resources available to them. Here are the three groups:
IG1: Basic cyber hygiene suitable for small to medium-sized enterprises.
IG2: Enhanced measures for organisations handling sensitive data or facing moderate risks.
IG3: Advanced practices for entities with significant risk exposure, such as those in critical infrastructure sectors.

Each of these groups, together with its associated controls, covers key areas of security. Let's look at a few examples:

Inventory and Control of Enterprise Assets (CIS Control 1): Ensures organisations maintain an up-to-date list of all devices connected to their network, helping prevent unauthorised or rogue devices from accessing sensitive data.
Inventory and Control of Software Assets (CIS Control 2): Focuses on tracking and managing software applications to prevent unapproved, vulnerable, or malicious software from being installed.
Data Protection (CIS Control 3): Covers encryption, data classification, and secure disposal methods to protect sensitive data from unauthorised access.
Secure Configuration of Enterprise Assets and Software (CIS Control 4): Ensures that systems and software are configured securely, reducing the vulnerabilities caused by keeping default settings.
Account Management (CIS Control 5): Helps organisations properly manage user, administrator, and service accounts.
Access Control Management (CIS Control 6): Focuses on restricting user access based on job roles and ensuring privileged accounts are properly secured.
Continuous Vulnerability Management (CIS Control 7): Involves regularly scanning for and addressing security vulnerabilities through patching and updates.
Security Awareness and Skills Training (CIS Control 14): Ensures employees are trained in cyber security best practices to reduce human error and social engineering risks.
Incident Response Management (CIS Control 17): Requires organisations to have a well-defined incident response plan to detect, respond to, and recover from cyber threats effectively.

There are no legal or industry requirements for businesses to meet the recommendations of the CIS Controls; they exist as a way for organisations to further improve their security and to complement standards such as ISO 27001 or SOC 2. There is also no formal audit or certification process, unlike many compliance standards and frameworks. So if businesses wish to verify their implementation of the controls, they will have to conduct a self-assessment, perform an automated gap analysis, or hire an external consultant.

Updated on: 20/02/2025
