What are CIS Controls?
If you're building a security program for your organization, you've likely encountered references to CIS Controls. This guide explains what they are, why they matter, and how they can help you establish a practical, prioritized approach to cybersecurity.
CIS Controls are a set of prioritized cybersecurity best practices developed by the Center for Internet Security. Originally known as the SANS Top 20, they've evolved into the most widely adopted framework for technical security controls. Unlike compliance frameworks such as SOC 2 or ISO 27001, CIS Controls focus specifically on what to do technically to defend against real-world cyber attacks.
Key Takeaways
| Point | Summary |
|---|---|
| What they are | 18 prioritized security controls with 153 safeguards, developed by the Center for Internet Security |
| Primary purpose | Provide actionable, prioritized guidance for defending against common cyber attacks |
| Implementation Groups | Three tiers (IG1, IG2, IG3) that help organizations start with fundamentals and scale up |
| Cost | Framework is free to access; implementation costs vary based on scope |
| Relationship to compliance | Often used alongside SOC 2, ISO 27001, or NIST CSF to implement technical controls |
Quick Answer: CIS Controls are 18 prioritized security best practices that tell you exactly what to implement to protect your organization from cyber attacks. They're free, practical, and designed to be implemented incrementally, starting with the most essential safeguards (IG1). Most startups should begin with IG1's 56 safeguards, which address the most common attack vectors.
Why CIS Controls Matter
Practical and Actionable
Unlike high-level frameworks that describe security outcomes, CIS Controls specify concrete actions. For example, rather than stating "implement access controls," CIS Control 6 specifies exactly how to manage access, including specific safeguards like establishing an access granting process and requiring MFA for administrative access.
Prioritized by Risk
The controls are ordered by priority based on real-world attack data. This means organizations can start with Control 1 (Inventory and Control of Enterprise Assets) and work their way through, knowing they're addressing the most impactful areas first.
Defense-Focused
CIS Controls were developed by analyzing actual cyber attacks and identifying which defensive measures would have prevented them. Each control directly maps to defending against common attack techniques documented in frameworks like MITRE ATT&CK.
Community-Developed
The controls are maintained by a global community of security practitioners, not by a single vendor or consultancy. This ensures they remain vendor-neutral, practical, and grounded in real-world experience.
The 18 CIS Controls
CIS Controls v8, released in 2021, organizes security practices into 18 controls:
| Control | Name | Focus |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Know what devices you have |
| 2 | Inventory and Control of Software Assets | Know what software you run |
| 3 | Data Protection | Classify and protect sensitive data |
| 4 | Secure Configuration of Enterprise Assets and Software | Harden your systems |
| 5 | Account Management | Manage user accounts properly |
| 6 | Access Control Management | Control who can access what |
| 7 | Continuous Vulnerability Management | Find and fix vulnerabilities |
| 8 | Audit Log Management | Collect and review logs |
| 9 | Email and Web Browser Protections | Secure common attack vectors |
| 10 | Malware Defenses | Prevent and detect malware |
| 11 | Data Recovery | Ensure you can recover from incidents |
| 12 | Network Infrastructure Management | Secure your network |
| 13 | Network Monitoring and Defense | Detect threats on your network |
| 14 | Security Awareness and Skills Training | Train your people |
| 15 | Service Provider Management | Manage third-party risk |
| 16 | Application Software Security | Secure your applications |
| 17 | Incident Response Management | Prepare for and handle incidents |
| 18 | Penetration Testing | Test your defenses |
For a detailed breakdown of each control and its safeguards, see our complete CIS Controls v8 list.
Implementation Groups: Starting Where You Are
One of the most practical aspects of CIS Controls is the Implementation Group model. Rather than overwhelming organizations with all 153 safeguards at once, Implementation Groups provide a roadmap:
| Group | Target Organizations | Safeguards | Focus |
|---|---|---|---|
| IG1 | Small organizations, limited IT resources | 56 | Essential cyber hygiene |
| IG2 | Organizations with IT staff, increased risk | 74 additional (130 total) | Expanded protection |
| IG3 | Enterprises, high-risk environments | 23 additional (153 total) | Advanced protection |
IG1: Essential Cyber Hygiene
IG1 is designed for small to medium organizations that may not have dedicated security staff. These 56 safeguards address the most common and impactful threats while remaining achievable for resource-constrained teams.
IG1 covers fundamentals like:
- Hardware and software inventory
- Secure configuration baselines
- Access control basics
- Data backup and recovery
- Security awareness training
For most startups and SMBs, implementing IG1 provides substantial protection against the majority of cyber threats. Learn more in our Implementation Groups guide.
IG2: Building on the Foundation
IG2 is appropriate for organizations with dedicated IT staff managing enterprise-level complexity. It adds safeguards for:
- More detailed logging and monitoring
- Vulnerability management processes
- Additional access control requirements
- Network security enhancements
IG3: Advanced Protection
IG3 targets organizations handling highly sensitive data or facing sophisticated threats. It includes:
- Penetration testing requirements
- Advanced network defense
- Comprehensive security testing
- Advanced incident response capabilities
CIS Controls vs Other Frameworks
CIS Controls vs SOC 2
| Aspect | CIS Controls | SOC 2 |
|---|---|---|
| Purpose | Implementation guidance | Compliance attestation |
| Output | Security improvements | Audit report |
| Focus | What to implement | What to prove |
| Cost | Free framework | €10,000-50,000 for audit |
| Audience | Security teams | Customers, prospects |
CIS Controls and SOC 2 are complementary. CIS Controls tell you what to implement; SOC 2 lets you prove you've implemented it. Many organizations use CIS Controls to build their security program and SOC 2 to demonstrate it externally. See our detailed CIS Controls vs SOC 2 mapping.
CIS Controls vs ISO 27001
| Aspect | CIS Controls | ISO 27001 |
|---|---|---|
| Type | Control framework | Management system |
| Certification | No | Yes |
| Approach | Prescriptive (what to do) | Outcome-based (what to achieve) |
| Scope | Technical controls | Governance + controls |
CIS Controls are more prescriptive and technical, while ISO 27001 provides a broader management system approach. Organizations often use CIS Controls to implement the technical controls required by ISO 27001's Annex A. Learn more in our CIS Controls vs ISO 27001 comparison.
CIS Controls vs NIST CSF
| Aspect | CIS Controls | NIST CSF |
|---|---|---|
| Focus | Specific controls | Risk management process |
| Granularity | Detailed safeguards | High-level outcomes |
| Primary use | Implementation | Strategy and assessment |
NIST CSF provides a risk management framework (Identify, Protect, Detect, Respond, Recover), while CIS Controls provide specific implementation guidance. They're often used together: NIST CSF for overall program strategy and CIS Controls for specific implementations. See our CIS Controls vs NIST CSF comparison.
CIS Controls vs CIS Benchmarks
It's important to distinguish between CIS Controls and CIS Benchmarks:
| Aspect | CIS Controls | CIS Benchmarks |
|---|---|---|
| What they are | Security framework (18 controls) | Configuration guides (hundreds available) |
| Scope | Entire security program | Specific technologies |
| Example | "Establish and maintain secure configuration process" | "Set Windows password policy to 14 characters minimum" |
CIS Benchmarks are detailed hardening guides for specific technologies (Windows, Linux, AWS, Docker, etc.). CIS Control 4 (Secure Configuration) recommends using CIS Benchmarks to implement its safeguards. Learn more in our CIS Benchmarks guide.
Getting Started with CIS Controls
Step 1: Understand Your Organization
Before implementing controls, assess your current state:
- What assets do you have?
- What data do you handle?
- What threats are most relevant?
- What resources are available?
Step 2: Start with IG1
Unless you have specific requirements driving IG2 or IG3, start with IG1. These 56 safeguards provide the foundation and address the most common threats.
IG1 priority areas:
- Know your assets (Controls 1-2)
- Secure your configurations (Control 4)
- Manage access (Controls 5-6)
- Protect your data (Control 11 for backups)
- Train your people (Control 14)
Step 3: Map to Your Compliance Requirements
If you're pursuing SOC 2, ISO 27001, or another compliance framework, map CIS Controls to those requirements. This ensures your technical implementation satisfies multiple objectives.
Step 4: Build Incrementally
CIS Controls are designed to be implemented progressively. You don't need to achieve perfect implementation of all controls before moving forward. Start with foundational safeguards and expand coverage over time.
Common Questions
Do I need to implement all CIS Controls?
No. Start with IG1 (56 safeguards) and expand based on your risk profile and resources. Many organizations find IG1 sufficient for their needs.
Is there a CIS Controls certification?
CIS doesn't offer certification for Controls compliance. However, you can demonstrate alignment through audits like SOC 2 or internal assessments. Some organizations use CIS's Self Assessment Tool (CSAT) to evaluate and document their implementation.
How do CIS Controls relate to regulations?
CIS Controls map to many regulatory requirements (HIPAA, PCI DSS, GDPR technical requirements). Implementing CIS Controls often satisfies technical control requirements in these regulations.
How often are CIS Controls updated?
Major versions are released every few years (v7 in 2018, v8 in 2021). Updates reflect changes in the threat landscape and technology environment.
Are CIS Controls free?
Yes. The CIS Controls framework is freely available for download from the Center for Internet Security website. CIS Benchmarks are also free for non-commercial use.
Why Startups Should Care About CIS Controls
For startups and SMBs, CIS Controls offer several advantages:
Practical guidance: Instead of figuring out what to implement, you get specific recommendations backed by real-world effectiveness data.
Prioritized approach: Limited resources can focus on IG1 safeguards that address the most common threats.
Scalability: As your organization grows, you can progress to IG2 and IG3 without starting over.
Compliance foundation: Implementing CIS Controls creates a strong foundation for compliance frameworks like SOC 2 or ISO 27001.
Learn more about applying CIS Controls in resource-constrained environments in our CIS Controls for Startups guide.
Next Steps
Ready to implement CIS Controls? Explore our detailed guides:
- CIS Controls v8 Complete List - All 18 controls and 153 safeguards
- Implementation Groups Guide - Understanding IG1, IG2, and IG3
- CIS Controls Implementation Guide - How to get started
- CIS Controls Compliance Checklist - Track your progress
Need help implementing CIS Controls or mapping them to your compliance requirements? Talk to our team
Sources
- CIS Controls v8 - Official CIS Controls documentation
- CIS Controls Implementation Groups - Official IG guidance
- CIS Controls Navigator - Interactive control mapping tool
- MITRE ATT&CK - Attack techniques mapped to CIS Controls
