
How to Implement CIS Controls

This guide provides a practical implementation roadmap for CIS Controls. Whether you're starting from scratch or formalizing existing practices, these steps will help you build an effective security program based on CIS Controls.

Implementing CIS Controls can seem daunting when you look at all 153 safeguards. The key is to start with Implementation Group 1 (IG1) and build progressively. This guide walks through the process step by step.

Key Takeaways

Point                  | Summary
-----------------------|------------------------------------------------
Start with IG1         | 56 safeguards that provide essential protection
Prioritize by risk     | Focus on your most critical assets first
Build incrementally    | Don't try to implement everything at once
Measure progress       | Track safeguard implementation status
Maintain continuously  | Security is ongoing, not a one-time project

Quick Answer: To implement CIS Controls, start by assessing your current state, prioritize IG1 safeguards, and implement them in phases. Begin with asset inventory (Controls 1-2), access controls (Controls 5-6), and data protection (Controls 3, 11). Track your progress, document your implementation, and continuously improve. Most organizations can achieve IG1 compliance in 3-6 months with focused effort.

Phase 1: Assessment and Planning

Before implementing safeguards, understand your starting point.

Step 1: Understand Your Environment

Identify critical assets:

  • What systems store sensitive data?
  • What services are customer-facing?
  • What would cause the most damage if compromised?

Map your technology stack:

  • Cloud providers and services
  • Operating systems and versions
  • Applications and databases
  • Network infrastructure

Understand your team:

  • Available IT/security resources
  • Existing security expertise
  • Time available for security work

Step 2: Assess Current State

Evaluate your existing security practices against CIS Controls:

Option 1: Self-assessment
Use the CIS Controls Self Assessment Tool (CSAT) to evaluate your current implementation status.

Option 2: Manual review
Review each IG1 safeguard and rate your current state:

Rating                 | Description
-----------------------|-----------------------------------
Not implemented        | Safeguard is not in place
Partially implemented  | Some elements exist
Fully implemented      | Safeguard is operational
N/A                    | Not applicable to your environment

Option 3: External assessment
Engage a third party to evaluate your current state objectively.

Step 3: Identify Gaps

Based on your assessment, identify:

  • Which IG1 safeguards are missing?
  • Which are partially implemented?
  • What are the highest-risk gaps?

Prioritize gaps based on:

  1. Risk: What's the potential impact of exploitation?
  2. Ease: How difficult is implementation?
  3. Dependencies: What needs to happen first?
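The rating scale from Step 2 and the three prioritization factors above can be turned into a repeatable gap list. This is an added example, not part of the guide: the safeguard ratings, the risk and ease scores (1 = low, 5 = high) and the prerequisite links are constructed assumptions, and the scoring formula is one reasonable choice rather than a CIS-defined one.

```python
# Added example (not part of the guide): turn IG1 self-assessment ratings into
# a coverage figure and a dependency-aware gap order. The risk and ease scores
# (1 = low, 5 = high) and the dependency links are constructed assumptions.
RATING_SCORE = {"Not implemented": 0.0, "Partially implemented": 0.5,
                "Fully implemented": 1.0, "N/A": None}

# Constructed sample: safeguard -> (rating, risk, ease, prerequisite safeguards)
ASSESSMENT = {
    "1.1": ("Partially implemented", 5, 4, []),
    "1.2": ("Not implemented", 4, 3, ["1.1"]),
    "2.1": ("Fully implemented", 4, 3, []),
    "5.1": ("Not implemented", 5, 4, []),
    "5.3": ("Not implemented", 4, 5, ["5.1"]),
    "5.4": ("Partially implemented", 4, 3, ["5.1"]),
    "6.5": ("Not implemented", 5, 2, ["5.4"]),
    "3.6": ("N/A", 3, 4, []),
}

def coverage(assessment):
    """Percent of applicable safeguards implemented; partial counts as half."""
    scores = [RATING_SCORE[entry[0]] for entry in assessment.values()]
    applicable = [s for s in scores if s is not None]   # N/A is excluded
    if not applicable:
        return 0.0
    return round(100 * sum(applicable) / len(applicable), 1)

def prioritized_gaps(assessment):
    """Gap safeguards ordered by risk then ease, with prerequisites placed first."""
    gaps = {sid: v for sid, v in assessment.items()
            if RATING_SCORE[v[0]] not in (None, 1.0)}

    def score(sid):
        rating, risk, ease, _ = gaps[sid]
        # Unaddressed risk dominates; ease breaks ties toward quick wins
        return (1 - RATING_SCORE[rating]) * risk * 2 + ease

    order, placed = [], set()

    def place(sid, trail=()):
        if sid in placed or sid not in gaps or sid in trail:
            return                      # done, not a gap, or a dependency cycle
        for dep in gaps[sid][3]:
            place(dep, trail + (sid,))  # a gap's prerequisites come first
        placed.add(sid)
        order.append(sid)

    for sid in sorted(gaps, key=score, reverse=True):
        place(sid)
    return order
```

With the sample data, coverage is 28.6% and the gap order starts with the account inventory (5.1) because the dormant-account and admin-account safeguards depend on it.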

Step 4: Create Implementation Plan

Develop a phased implementation plan:

Phase    | Focus                                          | Timeline
---------|------------------------------------------------|----------
Phase 1  | Foundation (asset inventory, access controls)  | Month 1-2
Phase 2  | Protection (configuration, patching, backups)  | Month 2-3
Phase 3  | Detection (logging, monitoring)                | Month 3-4
Phase 4  | Response (training, incident management)       | Month 4-5
Phase 5  | Refinement (remaining gaps, documentation)     | Month 5-6

Phase 2: Foundation (Controls 1-2, 5-6)

Start with safeguards that enable all other security work.

Implement Asset Inventory (Controls 1-2)

Why first: You cannot protect assets you don't know exist.

Safeguard 1.1: Enterprise Asset Inventory

Create and maintain an inventory of all hardware assets:

Attribute       | Example
----------------|---------------
Asset ID        | SRV-001
Type            | Server
OS/Platform     | Ubuntu 22.04
Location        | AWS us-east-1
Owner           | Engineering
Classification  | Production
Last updated    | 2024-03-01

Implementation approaches:

Organization Size       | Approach
------------------------|-----------------------------
Small (< 50 employees)  | Spreadsheet-based tracking
Medium (50-200)         | IT asset management tool
Large (200+)            | Automated discovery + CMDB

Safeguard 2.1: Software Asset Inventory

Track authorized software:

Attribute       | Example
----------------|--------------------------------------
Software name   | PostgreSQL
Version         | 15.2
Vendor          | PostgreSQL Global Development Group
License type    | Open source
Business owner  | Data team
End of support  | Active

Safeguards 1.2 & 2.3: Address Unauthorized Assets/Software

Establish a process to:

  1. Detect unauthorized assets/software
  2. Investigate and classify findings
  3. Remove, approve, or quarantine
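The detect-and-classify steps above amount to a reconciliation of what a discovery scan sees against the authorized inventories from Safeguards 1.1 and 2.1. This is an added example, not code from the guide: the asset records, MAC addresses, IPs, package names and versions are all constructed, and matching hosts on MAC address is an assumption about how your scan identifies devices.

```python
# Added example (not part of the guide): reconcile a discovery scan against the
# authorized hardware (Safeguard 1.1) and software (Safeguard 2.1) inventories
# to surface findings for the Safeguard 1.2/2.3 process. All records, MAC
# addresses and versions below are constructed; hosts are matched on MAC.
AUTHORIZED_ASSETS = {   # Asset ID -> attributes from the 1.1 inventory
    "SRV-001": {"type": "Server", "os": "Ubuntu 22.04", "owner": "Engineering",
                "classification": "Production", "mac": "02:00:00:aa:bb:01"},
    "SRV-002": {"type": "Server", "os": "Ubuntu 22.04", "owner": "Engineering",
                "classification": "Production", "mac": "02:00:00:aa:bb:02"},
    "LAP-017": {"type": "Laptop", "os": "macOS 14", "owner": "Sales",
                "classification": "Endpoint", "mac": "02:00:00:aa:bb:17"},
}
AUTHORIZED_SOFTWARE = {"PostgreSQL": "15.2", "nginx": "1.24.0"}  # name -> version

# Constructed discovery output: MAC -> IP seen on the network, and the
# package list collected from each known host
DISCOVERED_ASSETS = {"02:00:00:aa:bb:01": "10.0.1.10",
                     "02:00:00:aa:bb:02": "10.0.1.11",
                     "02:00:00:cc:dd:99": "10.0.1.77"}
DISCOVERED_SOFTWARE = {
    "SRV-001": {"PostgreSQL": "15.2", "nginx": "1.24.0", "ngrok": "3.5.0"},
    "SRV-002": {"PostgreSQL": "14.9"},
}

def reconcile_assets(authorized, discovered):
    """Split scan results into devices not in the inventory and inventory
    entries the scan did not see (stale record or offline asset)."""
    known = {attrs["mac"]: asset_id for asset_id, attrs in authorized.items()}
    unauthorized = sorted(mac for mac in discovered if mac not in known)
    not_seen = sorted(asset_id for mac, asset_id in known.items()
                      if mac not in discovered)
    return {"unauthorized": unauthorized, "not_seen": not_seen}

def reconcile_software(authorized, installed_by_host):
    """Flag packages that are not on the authorized list, or are installed at a
    version other than the approved one. Disposition (remove, approve or
    quarantine) is the review step and stays a human decision."""
    findings = []
    for host, packages in installed_by_host.items():
        for name, version in packages.items():
            if name not in authorized:
                findings.append((host, name, version, "unauthorized"))
            elif authorized[name] != version:
                findings.append((host, name, version, "version-drift"))
    return sorted(findings)
```

The "not_seen" bucket matters as much as "unauthorized": an inventory entry that scans never confirm is either stale or an asset that is offline and unpatched.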

Implement Access Controls (Controls 5-6)

Safeguard 5.1: Account Inventory

Document all accounts:

Attribute     | Example
--------------|------------
Account name  | jsmith
Type          | User
Status        | Active
Owner         | Jane Smith
Created       | 2023-01-15
Last used     | 2024-03-01
MFA enabled   | Yes

Safeguard 5.2: Unique Passwords

Enforce password management:

  • Deploy a password manager
  • Require unique passwords for each system
  • Enforce minimum password complexity

Safeguard 5.3: Disable Dormant Accounts

Establish account review process:

  • Review accounts monthly
  • Disable accounts inactive for 45+ days
  • Immediate deactivation for terminations

Safeguard 5.4: Dedicated Admin Accounts

Separate administrative access:

  • Create separate admin accounts
  • Use standard accounts for daily work
  • Elevate only when needed

Safeguards 6.3, 6.4, 6.5: MFA Requirements

Enable MFA everywhere:

System Type                | MFA Requirement
---------------------------|----------------
Cloud admin consoles       | Required
Production systems         | Required
VPN access                 | Required
Email                      | Required
All external applications  | Required
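Safeguards 5.1, 5.3 and 6.3-6.5 above fit together naturally: the account inventory is the input, and the monthly review produces the dormant-account and missing-MFA findings. This is an added example, not code from the guide: the review date, account records, owners and the added "system" field are constructed, and every system value used is one of the MFA-required types in the table.

```python
# Added example (not part of the guide): a monthly access review over an account
# inventory laid out as in Safeguard 5.1. Flags accounts inactive for 45+ days
# (Safeguard 5.3) and active accounts without MFA on the system types the guide
# lists as MFA-required (6.3-6.5). Review date, accounts and names are constructed.
from datetime import date, timedelta

REVIEW_DATE = date(2024, 3, 15)   # constructed review date
DORMANT_AFTER_DAYS = 45           # threshold from Safeguard 5.3 above

# Constructed account inventory; "system" is an added field naming where the
# account lives, and every value here is a system type the MFA table requires.
ACCOUNTS = [
    {"name": "jsmith", "type": "User", "status": "Active", "owner": "Jane Smith",
     "system": "email", "created": date(2023, 1, 15),
     "last_used": date(2024, 3, 1), "mfa": True},
    {"name": "jsmith-admin", "type": "Admin", "status": "Active", "owner": "Jane Smith",
     "system": "cloud-console", "created": date(2023, 1, 15),
     "last_used": date(2024, 1, 10), "mfa": True},
    {"name": "tlee", "type": "User", "status": "Active", "owner": "Tom Lee",
     "system": "vpn", "created": date(2023, 6, 1),
     "last_used": date(2024, 3, 14), "mfa": False},
    {"name": "new-hire", "type": "User", "status": "Active", "owner": "Pat Ng",
     "system": "email", "created": date(2023, 12, 1),
     "last_used": None, "mfa": False},
    {"name": "old-contractor", "type": "User", "status": "Disabled", "owner": "Vendor X",
     "system": "vpn", "created": date(2022, 2, 2),
     "last_used": date(2023, 5, 5), "mfa": False},
]

def review_accounts(accounts, as_of=REVIEW_DATE, dormant_days=DORMANT_AFTER_DAYS):
    """Return (account name, finding) pairs for the review owner to action."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if acct["status"] != "Active":
            continue                                  # already disabled
        # An account that was never used ages from its creation date, so a
        # provisioned-but-unused account is caught too
        last = acct["last_used"] or acct["created"]
        if last <= cutoff:
            idle = (as_of - last).days
            findings.append((acct["name"], "dormant: disable (inactive %d days)" % idle))
        if not acct["mfa"]:
            findings.append((acct["name"], "mfa missing on %s" % acct["system"]))
    return findings
```

Note that the dormant admin account is the most important finding in the sample: an unused privileged account is exactly what Safeguard 5.3 exists to remove.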

Safeguards 6.1 & 6.2: Access Granting/Revoking

Document access management processes:

  • Who can request access?
  • Who approves access?
  • How is access provisioned?
  • How is access revoked?

Phase 3: Protection (Controls 3, 4, 7, 11)

Implement protective controls to reduce attack surface.

Data Protection (Control 3)

Safeguard 3.1: Data Management Process

Define how data is handled:

  • Classification levels (Public, Internal, Confidential)
  • Handling requirements per level
  • Storage and transmission rules

Safeguard 3.4: Data Retention

Establish retention policies:

  • How long is data kept?
  • When is it deleted?
  • How is deletion verified?

Safeguard 3.6: Encrypt End-User Devices

Enable full disk encryption:

  • macOS: FileVault
  • Windows: BitLocker
  • Linux: LUKS

Secure Configuration (Control 4)

Safeguard 4.1: Secure Configuration Process

Establish configuration baselines:

  • Define standard configurations
  • Document security settings
  • Use CIS Benchmarks as reference

Safeguards 4.4 & 4.5: Firewalls

Enable firewalls on servers and endpoints:

  • Configure default-deny rules
  • Allow only necessary traffic
  • Log firewall activity

Safeguard 4.7: Manage Default Accounts

Secure default configurations:

  • Change default passwords
  • Disable unused default accounts
  • Remove unnecessary default services

Vulnerability Management (Control 7)

Safeguard 7.1: Vulnerability Management Process

Establish a structured approach:

  1. Identify vulnerabilities (scanning, advisories)
  2. Assess severity and impact
  3. Prioritize remediation
  4. Track to completion

Safeguards 7.3 & 7.4: Automated Patching

Automate patch management:

  • Enable automatic OS updates
  • Automate application patching where possible
  • Test patches before production deployment

Data Recovery (Control 11)

Safeguard 11.1: Data Recovery Process

Document recovery procedures:

  • What data is backed up?
  • How often?
  • How long are backups retained?
  • How is recovery performed?

Safeguard 11.2: Automated Backups

Implement automated backup:

Data Type      | Frequency  | Retention
---------------|------------|----------
Databases      | Daily      | 30 days
File systems   | Daily      | 30 days
Configuration  | On change  | 90 days

Safeguard 11.4: Isolated Recovery Data

Maintain offline or immutable backups:

  • Separate backup storage from production
  • Use immutable storage for protection against ransomware
  • Test restoration regularly

Phase 4: Detection (Control 8)

Implement logging and monitoring for visibility.

Audit Log Management (Control 8)

Safeguard 8.1: Audit Log Management Process

Define logging requirements:

  • What events to log?
  • Where to store logs?
  • How long to retain logs?
  • Who reviews logs?

Safeguard 8.2: Collect Audit Logs

Enable logging across systems:

System Type      | Log Types
-----------------|---------------------------------------
Cloud platforms  | CloudTrail, Activity Logs
Servers          | Authentication, authorization, changes
Applications     | User actions, errors, access
Network          | Firewall, flow logs

Safeguard 8.3: Adequate Log Storage

Ensure sufficient storage and retention:

  • Minimum 90 days online retention
  • Consider longer archival
  • Protect logs from tampering

Phase 5: Response (Controls 14, 17)

Prepare your organization to respond to incidents.

Security Awareness (Control 14)

Safeguard 14.1: Security Awareness Program

Implement basic security training:

  • New hire onboarding
  • Annual refresher training
  • Role-specific training as needed

Safeguard 14.2: Social Engineering Training

Train on recognizing attacks:

  • Phishing identification
  • Pretexting awareness
  • Reporting procedures

Safeguard 14.6: Incident Reporting

Ensure everyone knows how to report:

  • What constitutes an incident?
  • How to report (email, Slack, phone)?
  • Who to contact?

Incident Response (Control 17)

Safeguard 17.1: Designate Personnel

Assign incident response ownership:

  • Who is the primary incident coordinator?
  • Who are the backup contacts?
  • What are escalation paths?

Safeguard 17.2: Contact Information

Maintain emergency contacts:

  • Internal contacts (IT, legal, executives)
  • External contacts (cloud providers, law enforcement, PR)
  • Update quarterly

Safeguard 17.3: Reporting Process

Document incident reporting:

  • How are incidents reported internally?
  • What information is collected?
  • Who is notified and when?

Phase 6: Remaining IG1 Safeguards

Complete IG1 with remaining safeguards:

Email and Browser Security (Control 9)

Safeguard 9.1: Use only supported browsers and email clients
Safeguard 9.2: Implement DNS filtering

Malware Defenses (Control 10)

Safeguard 10.1: Deploy anti-malware on all systems
Safeguard 10.2: Keep anti-malware signatures current
Safeguard 10.3: Disable autorun for removable media

Network Infrastructure (Control 12)

Safeguard 12.1: Keep network infrastructure up to date

Service Provider Management (Control 15)

Safeguard 15.1: Maintain inventory of service providers

Measuring and Maintaining Progress

Track Implementation Status

Create a tracking system for all safeguards:

Safeguard  | Status       | Owner     | Target Date  | Notes
-----------|--------------|-----------|--------------|---------------------------
1.1        | Complete     | IT        | 2024-01-15   | Using Asset Tiger
5.4        | In Progress  | Security  | 2024-02-28   | Rolling out admin accounts
6.5        | Planned      | IT        | 2024-03-15   | Waiting on SSO project

Metrics to Track

Metric                        | Target                     | Frequency
------------------------------|----------------------------|----------
IG1 safeguards implemented    | 100%                       | Monthly
MFA coverage                  | 100% of required accounts  | Monthly
Patch compliance              | 95% within SLA             | Weekly
Backup success rate           | 99%                        | Weekly
Security training completion  | 100%                       | Quarterly

Ongoing Maintenance

CIS Controls implementation is not a one-time project:

Monthly:

  • Review access and disable dormant accounts
  • Verify backup completion
  • Update asset inventory

Quarterly:

  • Review security training status
  • Test backup restoration
  • Review and update policies

Annually:

  • Full reassessment against CIS Controls
  • Update to new CIS Controls versions
  • Comprehensive policy review

Common Implementation Challenges

Challenge 1: Resource Constraints

Problem: Limited time and personnel for security work.

Solutions:

  • Focus on IG1 only (56 safeguards, not 153)
  • Automate where possible
  • Use managed services to reduce burden
  • Prioritize highest-impact safeguards first

Challenge 2: Resistance to Change

Problem: Teams push back on new security requirements.

Solutions:

  • Explain the "why" behind controls
  • Phase in changes gradually
  • Provide tools that make compliance easy
  • Celebrate security wins

Challenge 3: Legacy Systems

Problem: Older systems can't meet all safeguard requirements.

Solutions:

  • Document exceptions with risk acceptance
  • Implement compensating controls
  • Plan for replacement or upgrade
  • Isolate legacy systems where possible

Challenge 4: Maintaining Momentum

Problem: Initial enthusiasm fades over time.

Solutions:

  • Set achievable milestones
  • Report progress to leadership regularly
  • Connect security to business outcomes
  • Celebrate completions

Tools for Implementation

Assessment Tools

Tool                 | Use Case              | Cost
---------------------|-----------------------|-----------
CIS CSAT             | Self-assessment       | Free
CIS-CAT Pro          | Automated assessment  | Membership
Custom spreadsheets  | Simple tracking       | Free

Configuration Management

Tool         | Use Case                  | Cost
-------------|---------------------------|------------
Ansible      | Server configuration      | Open source
Terraform    | Infrastructure as code    | Open source
Chef/Puppet  | Configuration management  | Varies

Vulnerability Management

Tool            | Use Case                 | Cost
----------------|--------------------------|---------
Dependabot      | Dependency scanning      | Free
Snyk            | Application security     | Freemium
Qualys/Tenable  | Infrastructure scanning  | Varies

Identity Management

Tool                 | Use Case             | Cost
---------------------|----------------------|---------
Okta/Auth0           | SSO and MFA          | Per user
1Password/Bitwarden  | Password management  | Per user
AWS IAM/Azure AD     | Cloud identity       | Included

Progression to IG2 and IG3

After completing IG1, consider progression:

When to Move to IG2

Consider IG2 when:

  • IG1 is fully implemented and maintained
  • You have dedicated IT staff
  • Customer requirements demand it
  • You're pursuing SOC 2 or ISO 27001
  • Your risk profile has increased

IG2 Priority Areas

Focus on these IG2 additions first:

  1. Vulnerability scanning (7.5, 7.6)
  2. Centralized logging (8.9)
  3. Security event alerting (13.1)
  4. Formal incident response process (17.4)
  5. Penetration testing (18.1, 18.2)

When to Move to IG3

Consider IG3 when:

  • IG2 is fully implemented
  • You have dedicated security staff
  • You handle highly sensitive data
  • You face sophisticated threats
  • Regulatory requirements demand it
