Meet CIS Control 14 and strengthen your security culture against phishing.

CIS Controls: Prioritisation and defence strategies for modern security architectures
The CIS Controls rank 18 measures according to their proven effectiveness against real-world attacks, providing clear answers to the question: What really protects you?
Contents
Overview: CIS Controls
- A prioritised checklist with 18 measures for the effective defence against real-world cyber attacks
- An action-oriented focus instead of purely theoretical compliance requirements
- Division into three Implementation Groups for tailored security levels
- Targeted reduction of human risks through cyber security awareness training
- Compatibility and mapping with frameworks such as NIST 2.0, ISO 27001 and NIS2
What are CIS Controls and why are they the industry standard?
Originally known as the SANS Top 20, today’s CIS Controls have evolved far beyond their beginnings. Behind the framework is the Center for Internet Security (CIS), which doesn’t make decisions in an ivory tower but rather draws on the collective intelligence of a global community. The principle is simple but effective: analyse real attacks and deduce which lines of defence would actually have held.
Unlike many other enterprise security frameworks, these controls are based on empirical evidence. The central question is not ‘What could we do?’ but ‘What must we do to stop the most dangerous attack vectors immediately?’. This prioritisation is the core of the framework. In an era of limited budgets and a shortage of skilled workers, it provides the necessary focus.
It doesn’t matter whether it’s a medium-sized business or an international corporation – its applicability is universal. Especially in the context of the NIS2 directive, its practical value becomes apparent: where legal texts often speak vaguely of ‘appropriate measures’, the CIS Controls provide the technical translation. Those who follow this standard not only build robust defences, but also create a solid foundation for compliance requirements.
List of CIS Controls
The current version, V8.1, comprises 18 Controls. A mere list can quickly seem overwhelming, which is why it helps to sort the measures thematically. Here, we divide them into the established clusters: Basic, Foundational and Organisational. This creates an overview and shows where you should start.
| Basic | Foundational | Organisational |
| --- | --- | --- |
| CIS Control 1 (Inventory and Control of Enterprise Assets) | CIS Control 4 (Secure Configuration of Enterprise Assets and Software) | CIS Control 14 (Security Awareness & Skills Training) |
| CIS Control 2 (Inventory and Control of Software Assets) | CIS Control 5 (Account Management) | CIS Control 15 (Service Provider Management) |
| CIS Control 3 (Data Protection) | CIS Control 6 (Access Control Management) | CIS Control 16 (Application Software Security) |
| | CIS Control 7 (Continuous Vulnerability Management) | CIS Control 17 (Incident Response Management) |
| | CIS Control 8 (Audit Log Management) | CIS Control 18 (Penetration Testing) |
| | CIS Control 9 (Email and Web Browser Protections) | |
| | CIS Control 10 (Malware Defences): Control of the installation and execution of malicious code. | |
| | CIS Control 11 (Data Recovery) | |
| | CIS Control 12 (Network Infrastructure Management) | |
| | CIS Control 13 (Network Monitoring and Defence) | |
Basic cluster: Fundamental inventory & control
This is about basic hygiene. If you don’t know your network, you can’t protect it.
- CIS Control 1 (Inventory and Control of Enterprise Assets): Get a complete overview of all hardware devices to identify unauthorised assets immediately.
- CIS Control 2 (Inventory and Control of Software Assets): The same applies to software: only authorised applications and operating systems should be allowed to run.
- CIS Control 3 (Data Protection): Where are your crown jewels? Identify and classify sensitive data – and ensure secure deletion routines before information is unintentionally leaked.
Foundational cluster: Technical defence & infrastructure
Now it gets technical: this section is about hardening systems and not letting attackers in in the first place.
- CIS Control 4 (Secure Configuration of Enterprise Assets and Software): Unfortunately, the factory settings of laptops, servers or firewalls are often anything but secure. Replace them with hardened configurations that you can rely on.
- CIS Control 5 (Account Management): Keep track of all user accounts throughout their entire life cycle so that no orphaned accounts are left behind.
- CIS Control 6 (Access Control Management): Rights should always be assigned according to the need-to-know principle. So, only give employees the exact access they really need for their work.
- CIS Control 7 (Continuous Vulnerability Management): Security vulnerabilities don’t wait. Scan your systems continuously and apply patches promptly to close attack surfaces.
- CIS Control 8 (Audit Log Management): Without logs, you are groping in the dark. Clean audit log management is crucial for detecting attacks early and being able to trace exactly what happened later on.
- CIS Control 9 (Email and Web Browser Protections): Email and web browsers remain the main gateways for malicious code. Put a stop to this here.
- CIS Control 10 (Malware Defences): Leave nothing to chance: control centrally which software may be installed or executed at all.
- CIS Control 11 (Data Recovery): When ransomware strikes, a functioning, isolated backup is often your only salvation. Test the restore process regularly.
- CIS Control 12 (Network Infrastructure Management): Secure routers, switches and other network devices.
- CIS Control 13 (Network Monitoring and Defence): Without visibility, you are blind. Proactively monitor your network traffic to be able to detect anomalies.
Organisational cluster: Organisational measures & response
Technology can do a lot, but not everything. That is why more and more enterprise security frameworks are focusing on people and processes.
- CIS Control 14 (Security Awareness & Skills Training): A strong firewall is of little help if phishing emails are simply clicked through. Build a genuine security culture with security awareness training.
- CIS Control 15 (Service Provider Management): Keep an eye on the security of your supply chain and third-party providers.
- CIS Control 16 (Application Software Security): Pay attention to security throughout the entire life cycle of software you develop yourself or purchase.
- CIS Control 17 (Incident Response Management): When it happens, every minute counts. A central Human Risk Management Dashboard makes your employees’ reporting rates measurable and integrates the human factor as an active early warning system.
- CIS Control 18 (Penetration Testing): Regularly put your defences to the test with simulated attacks.
How to successfully implement CIS Controls: A 4-step plan
The introduction of a new framework often fails due to its complexity. The key is to see the endeavour not as a one-off ‘project’ that is finished at some point, but as an iterative process. The following steps have proven effective in practice:
1. Determine the status quo (Assessment & Gap Analysis)
Before you take any action, you need to know where you stand. For example, use the web-based CIS CSAT (Hosted) for an organisational overview and CIS-CAT Lite for initial technical scans. For CIS SecureSuite members, the integrated CIS SecureSuite Platform (formerly CSAT Pro & CIS-CAT Pro) offers in-depth analyses.
Practical tip: if you want to get started in a very pragmatic way, you can also work with simple Excel templates (e.g. from CRF). The only important thing is honest documentation: Which Controls are ‘fully’, ‘partially’ or ‘not at all’ implemented?
2. Prioritise based on risk
Don’t try to turn all the red lights green at the same time. Use the results from step 1 and match them with your risk profile. Concentrate on your ‘crown jewels’. If customer data is your most valuable asset, Control 3 (Data Protection) takes precedence over optimising network monitoring in an unimportant subnet. The basic objective: identify the measures that mitigate the greatest risk with the least effort.
3. Roll out gradually (Quick wins first)
Always start with Implementation Group 1 (IG1). This basic hygiene already protects against around 80 per cent of automated mass attacks and forms the foundation for everything else.
Focus on measures with an immediate effect: secure all remote access with multi-factor authentication (Control 6) and consistently revoke local admin rights from users on their end devices (Control 5). Another vital step is to protect your backups from ransomware – make sure they are stored ‘offline’ or are immutable (Control 11). These are not theoretical exercises, but steps that measurably reduce your risk level.
4. Measure & Automate (Establish KPIs)
Instead of relying on a gut feeling, you should substantiate the security status of your organisation with hard facts. Define clear KPIs for this, for example: What is the patching rate for critical updates within 14 days (Control 7)? Asset coverage is also important (Control 1) – do you really know about every device on the network? Also, check regularly how many user accounts are actually protected by MFA (Control 6).
It gets particularly exciting when it comes to the human factor: How resilient is your workforce against phishing? A Human Risk Score makes this often abstract risk tangible. A central Human Risk Management Platform provides you with measurable data on this and makes the security culture (Control 14) manageable. Try to automate all these measurements as much as possible so that your management dashboards always reflect reality.
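The three technical KPIs from step 4 (patch rate within 14 days, asset coverage, MFA coverage) can be computed from exports you already have; the following is an added example, not part of the article or of any CIS tool, and the inventory, scan results, patch dates and account list are constructed sample data. It also shows the one edge case a naive calculation gets wrong: a critical patch that is still inside its 14-day window should not be counted as a miss.

```python
from datetime import date, timedelta

PATCH_SLA_DAYS = 14          # the 14-day window for critical updates from step 4
AS_OF = date(2024, 6, 1)     # reporting date for the constructed sample

# Constructed sample data (hypothetical): a CMDB export (Control 1), hosts seen
# by a network scan, critical patches with release/install dates (Control 7)
# and user accounts with their MFA status (Control 6).
INVENTORY = {"fs01", "db01", "ws-17", "ws-18"}
NETWORK_SCAN = {"fs01", "db01", "ws-17", "ws-18", "ws-99"}   # ws-99 is not in the CMDB
CRITICAL_PATCHES = [
    # (host, release date, install date or None if not yet applied)
    ("fs01", date(2024, 5, 1), date(2024, 5, 9)),    # 8 days: within SLA
    ("db01", date(2024, 5, 1), date(2024, 5, 20)),   # 19 days: late
    ("ws-17", date(2024, 5, 1), None),               # unpatched and overdue
    ("ws-18", date(2024, 5, 25), None),              # unpatched but still in window
]
ACCOUNTS = {"alice": True, "bob": True, "svc-backup": False}  # name -> MFA enabled


def patch_sla_rate(patches, today):
    """Share of critical patches applied within PATCH_SLA_DAYS of release.
    Pending patches whose deadline has not passed yet are left out of the
    denominator, so work still inside the SLA does not drag the KPI down."""
    due = on_time = 0
    for _host, released, installed in patches:
        deadline = released + timedelta(days=PATCH_SLA_DAYS)
        if installed is None and today <= deadline:
            continue                      # still in progress, not yet due
        due += 1                          # either installed or overdue
        if installed is not None and installed <= deadline:
            on_time += 1
    return on_time / due if due else 1.0


def asset_coverage(inventory, observed):
    """Share of devices seen on the network that the inventory knows about,
    plus the unknown devices that need to be investigated (Control 1)."""
    unknown = observed - inventory
    coverage = (len(observed) - len(unknown)) / len(observed) if observed else 1.0
    return coverage, unknown


def mfa_coverage(accounts):
    """Share of accounts protected by MFA (Control 6)."""
    return sum(1 for enabled in accounts.values() if enabled) / len(accounts) if accounts else 1.0


def kpi_report(today=AS_OF):
    coverage, unknown = asset_coverage(INVENTORY, NETWORK_SCAN)
    return {"patch_sla_rate": patch_sla_rate(CRITICAL_PATCHES, today),
            "asset_coverage": coverage, "unknown_assets": sorted(unknown),
            "mfa_coverage": mfa_coverage(ACCOUNTS)}


if __name__ == "__main__":
    print(kpi_report())
```

With the sample data the report shows one of three due patches on time, 80 % asset coverage with ws-99 flagged as unknown, and two of three accounts on MFA.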
From SMEs to enterprise: The right use case for every maturity level
A major advantage of CIS Controls V8 is that they adapt to your maturity. The so-called CIS Implementation Groups (IG) help you to categorise yourself based on your risk profile and resources.
Implementation Group 1 (IG1) – Essential Cyber Hygiene
This is the entry point for most companies, especially SMEs. IG1 focuses on a subset of the Controls that protect against the most common, non-targeted attacks. Those who master this ‘Basic Cyber Hygiene’ are often already 80% of the way there.
Implementation Group 2 (IG2) – Advanced Security
As soon as you provide IT services for third parties or manage more sensitive data, the requirements increase. Here you need specialised staff and more complex software solutions to fend off advanced threats.
Implementation Group 3 (IG3) – Sophisticated Threat Defence
The target for organisations with critical data or functions that are in the crosshairs of targeted attacks (APTs) – such as critical infrastructures (KRITIS). Full implementation of all Controls and sub-controls is expected here.
Audit & certification: Valid proof of your CIS conformity
Unlike a classic ISO 27001 certification, there is no seal that you can simply hang on the wall. But that doesn’t mean you can’t – or shouldn’t – prove conformity.
For technical validation, many use the aforementioned CIS-CAT Pro Tool, which checks settings automatically. In addition, specialised service providers offer audits that confirm the maturity level of your implementation. Such a report is worth its weight in gold: it serves as proof of due diligence towards cyber insurers, business partners or in M&A transactions. Often, a proven IG1 status is enough to build trust.
Mapping: How CIS Controls harmonise with ISO 27001, NIST CSF and NIS2
Nobody likes duplicating work. Security managers often have to reconcile different standards. The good news is that the CIS Control Mapping shows how well the technical measures fit into other enterprise security frameworks.
The comparison of CIS Controls vs NIST CSF 2.0 or CIS with ISO 27001 is particularly interesting. While the ISO standard defines the management system (ISMS), the CIS Controls provide the technical ‘ingredients’. The situation is similar with the Cobit framework (focus: IT governance) or architecture models such as the TOGAF framework. These provide the structure, but often leave operational details open.
Here you can see how the puzzle pieces fit together:
| CIS Controls (Focus) | ISO 27001 (2022) | NIST CSF 2.0 | NIS2 (EU) |
| --- | --- | --- | --- |
| Control 3 (Data Protection) | A.8.12 (Data leakage prevention) | PR.DS (Data Security) | Art. 21 (Cryptography & encryption) |
| Control 14 (Security Awareness) | A.6.3 (Awareness training) | PR.AT (Awareness and Training) | Art. 21 (Cyber hygiene & training) |
| Control 17 (Incident Response) | A.5.24 (Incident management planning) | RS.MA (Recovery Planning) | Art. 21 (Incident management) |
The CIS Controls often act as a translator here: they show the technician exactly what to do to meet the abstract requirement from the respective framework. Anyone who uses these synergies not only saves time, but also builds a security architecture that stands up both on paper and in reality.
Note: This article does not constitute legal advice. It is for general information purposes only and does not replace an individual legal review. For binding information on your obligations under the Cyber Resilience Act, please contact qualified legal advisors or the responsible authorities.