
Center for Internet Security Critical Security Controls

Prioritized, actionable security controls based on real-world attack data

Established: 2008 (as SANS Top 20); CIS Controls v8 released 2021
Last Updated: 2021 (Version 8)
Scope: Global / All Industries
Controls: 18

// What is CIS Controls?

The CIS Critical Security Controls are a prioritized set of cybersecurity best practices developed by a community of IT practitioners and security experts. Unlike compliance frameworks that focus on documentation, CIS Controls emphasize practical, technical actions that stop real-world attacks.

Version 8 consolidated the controls from 20 to 18, reorganized for modern hybrid environments including cloud and remote work. The controls are prioritized by Implementation Groups (IG1-IG3), allowing organizations to focus on foundational controls before advancing to more sophisticated measures.

CIS Controls are widely referenced by cyber insurers, regulators, and industry groups as a reasonable security baseline. Many organizations use CIS Controls as their primary security framework or as a complement to compliance-driven frameworks like NIST CSF or ISO 27001.

// Inside the Regulation

CIS Controls v8 organizes 18 control families into three Implementation Groups based on organizational resources and risk. IG1 represents essential cyber hygiene for all organizations, while IG2 and IG3 add controls for organizations with greater resources and risk exposure.

1. Implementation Group 1 (IG1): Essential Cyber Hygiene

The foundational controls every organization should implement regardless of size or resources. IG1 contains 56 safeguards representing minimum viable security.

Target Organizations

Small to medium enterprises with limited IT expertise, commodity hardware/software, and data not highly sensitive.

Focus Areas

Basic asset inventory, access control, secure configuration, malware defenses, data recovery, and security awareness.

Implementation Approach

Can often be achieved with built-in operating system features and modest investment in security tools.

2. Implementation Group 2 (IG2): Expanded Controls

Additional controls for organizations with dedicated IT staff, some security expertise, and more sensitive data or regulatory requirements.

Target Organizations

Mid-sized organizations with IT staff, moderate complexity, and data sensitivity requiring enhanced protection.

Additional Controls

Enhanced logging and monitoring, email and web protections, network monitoring, and more sophisticated access controls.

Implementation Approach

Typically requires dedicated security tools, SIEM capabilities, and some security staff or managed services.

3. Implementation Group 3 (IG3): Comprehensive Security

The full set of 153 safeguards for organizations with mature security programs, dedicated security teams, and significant assets requiring protection.

Target Organizations

Large enterprises, critical infrastructure, financial services, and organizations with advanced persistent threat exposure.

Additional Controls

Application security, penetration testing, red team exercises, and advanced threat detection capabilities.

Implementation Approach

Requires dedicated security operations, advanced tooling, and continuous security improvement processes.

4. The 18 Control Families

CIS Controls v8 organizes safeguards into 18 families covering the full spectrum of cybersecurity defenses.

Asset Management (1-2)

Control 1: Enterprise Asset Inventory. Control 2: Software Asset Inventory. Know what you have before you can protect it.

Data & Configuration (3-4)

Control 3: Data Protection. Control 4: Secure Configuration. Protect data and harden systems against attack.

Access Management (5-6)

Control 5: Account Management. Control 6: Access Control Management. Control who can access what.

Vulnerability Management (7)

Continuous vulnerability management including scanning, prioritization, and remediation tracking.

Logging & Defense (8-10)

Control 8: Audit Log Management. Control 9: Email/Web Protections. Control 10: Malware Defenses.

Recovery & Awareness (11-14)

Data recovery, network infrastructure, security awareness training, and service provider management.

Advanced (15-18)

Network monitoring, application security, incident response, and penetration testing.

Note: CIS Controls are technology-agnostic and map to many compliance frameworks including NIST CSF, ISO 27001, PCI-DSS, and HIPAA. Organizations often use CIS Controls as the technical implementation layer beneath higher-level governance frameworks.

// Who Must Comply

  • Organizations seeking a practical, prioritized security framework
  • Companies whose cyber insurers reference CIS Controls when evaluating coverage
  • Organizations wanting to demonstrate reasonable security practices
  • Entities using CIS Controls as a baseline for compliance mappings
  • Any organization seeking to improve its security posture systematically

// Key Requirements

Asset Inventory

Maintain inventories of enterprise assets (hardware) and software deployed across the organization

Access Controls

Manage accounts and access rights using least privilege principles and regular reviews

Secure Configuration

Establish and maintain secure configurations for all enterprise assets and software

Vulnerability Management

Continuously identify, prioritize, and remediate vulnerabilities across the environment

Audit Logging

Collect, alert, and review audit logs to detect and respond to security events

Security Training

Establish and maintain a security awareness and skills training program

// Enforcement & Penalties

CIS Controls are a voluntary framework with no direct regulatory penalties. However, failure to implement reasonable security controls can create liability exposure in breach litigation, regulatory actions, and insurance claims. Many courts and regulators reference industry frameworks like CIS Controls when evaluating security reasonableness.

Maximum Penalty

No direct regulatory fines (voluntary framework)

Examples:

  • Courts citing industry frameworks when determining security negligence
  • Cyber insurers denying claims for failure to implement basic controls
  • Regulators using CIS Controls as benchmark for 'reasonable security' in enforcement
  • Contract requirements increasingly reference CIS Controls compliance

// Cyber Insurance Impact

Cyber insurers frequently use CIS Controls as a benchmark when evaluating security practices. Many insurance applications specifically ask about CIS Control implementation, particularly IG1 safeguards. Demonstrating CIS Controls alignment can improve coverage terms, while significant gaps may result in exclusions or higher premiums.

// How Breach Craft Helps

We help organizations achieve CIS Controls compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of CIS Controls.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873