CIS Controls
What is CIS Controls?
CIS ControlsA prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks.
The CIS Controls are a community-developed framework of prioritized cybersecurity safeguards published by the Center for Internet Security (CIS). The current version 8.1 defines 18 controls, organized into 153 safeguards and three Implementation Groups (IG1, IG2, IG3) that scale with an organization's size and risk profile. Controls cover topics such as inventory of enterprise assets, secure configuration, account management, data protection, and incident response. Although not a legal mandate, the CIS Controls are widely used as a practical roadmap and are mapped to many regulations and frameworks (NIST CSF, ISO/IEC 27001, PCI DSS) to simplify multi-framework compliance.
● Examples
- 01
An SMB adopting IG1 safeguards to build a baseline security programme.
- 02
A vendor mapping its product to specific CIS safeguards in marketing materials.
● Frequently asked questions
What is CIS Controls?
A prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks. It belongs to the Compliance & Frameworks category of cybersecurity.
What does CIS Controls mean?
A prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks.
How do you defend against CIS Controls?
Defences for CIS Controls typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CIS Controls?
Common alternative names include: CIS Top 18, SANS Top 20 (legacy).