
CIS Controls: Prioritising cyber defence for modern security architectures
CIS controls rank 18 measures by their proven effectiveness against real-world attacks, helping organisations see what strengthens defence most.
Contents
- What are CIS Controls?
- List of CIS Controls
- How to implement CIS Controls
- Deployment scenarios
- Audit & certification
- Mapping
Key takeaways: CIS Controls
- Prioritised checklist of 18 measures designed to strengthen defence against real-world cyber attacks
- Action-oriented guidance that helps security teams move beyond theoretical compliance requirements
- Three implementation groups to support different security maturity levels and resource profiles
- Security awareness training that supports CIS Control 14 and helps reduce human risk
- Compatibility of the CIS Controls framework with NIST CSF 2.0, ISO 27001 and NIS2
What are CIS Controls and why do security teams use them?
Before they became known as the CIS Controls, they were widely referred to as the SANS Top 20. Since then, the framework has developed into a more detailed set of prioritised security measures. It is maintained by the Center for Internet Security (CIS), with input from cybersecurity experts, practitioners and organisations around the world. The idea behind the CIS Controls is practical by design: take lessons from real attack patterns and turn them into guidance that security teams can actually work with.
That practical focus is one reason the CIS Controls are useful alongside broader enterprise security frameworks. They do not try to describe every possible improvement an organisation could make. Instead, they help teams decide what should come first: which controls reduce exposure to common attack methods, which gaps create the most risk and where limited resources are likely to have the greatest effect. For teams dealing with tight budgets, busy roadmaps and a shortage of specialist skills, that kind of prioritisation matters.
The current CIS Controls v8.1 are designed to work for organisations at different stages of security maturity, from mid-sized companies to large international enterprises. They can also make broad requirements easier to discuss in practical terms. NIS2 (Who does it apply to?) is a good example. A regulation may call for “appropriate measures”, but security teams still have to translate that into decisions about assets, access rights, logging, training, backups and incident response. The CIS Controls give those decisions more structure. They are not legal advice, but they can help connect regulatory expectations with concrete technical and organisational safeguards.
CIS Controls list: the 18 measures in CIS Controls v8.1
The current version, CIS Controls v8.1, includes 18 Controls. A simple list can quickly feel overwhelming, so it helps to group the measures by theme. Below, we structure the CIS Controls list into the established clusters: Basic, Foundational and Organizational. This makes the CIS Controls framework easier to scan and shows where organisations can start.
| Basic | Foundational | Organizational |
|---|---|---|
| CIS Control 1 (Inventory and Control of Enterprise Assets) | CIS Control 4 (Secure Configuration of Enterprise Assets and Software) | CIS Control 14 (Security Awareness & Skills Training) |
| CIS Control 2 (Inventory and Control of Software Assets) | CIS Control 5 (Account Management) | CIS Control 15 (Service Provider Management) |
| CIS Control 3 (Data Protection) | CIS Control 6 (Access Control Management) | CIS Control 16 (Application Software Security) |
| | CIS Control 7 (Continuous Vulnerability Management) | CIS Control 17 (Incident Response Management) |
| | CIS Control 8 (Audit Log Management) | CIS Control 18 (Penetration Testing) |
| | CIS Control 9 (Email and Web Browser Protections) | |
| | CIS Control 10 (Malware Defenses): control of the installation and execution of malicious code | |
| | CIS Control 11 (Data Recovery) | |
| | CIS Control 12 (Network Infrastructure Management) | |
| | CIS Control 13 (Network Monitoring and Defense) | |
Basic cluster: inventory & control
This is where cyber hygiene starts. If you do not know what is connected to your environment, it is difficult to protect it.
- CIS Control 1: Inventory and Control of Enterprise Assets
  Create a complete overview of hardware devices across your environment, so unknown or unauthorised assets can be identified and addressed.
- CIS Control 2: Inventory and Control of Software Assets
  The same principle applies to software. Organisations need visibility into applications and operating systems, so they can reduce the use of unauthorised or unnecessary software.
- CIS Control 3: Data Protection
  Identify where sensitive data is stored, classify it appropriately and define secure handling and deletion processes to reduce the risk of unwanted exposure.
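One way to put Controls 1 and 2 into practice is to reconcile what the organisation believes it owns against what discovery actually sees on the network. The Python below is an added example, not code from this page or from CIS; the inventory, the observed devices, the hostnames and the approved-software sets are constructed sample data, and the record layout is an assumption.

```python
"""Reconcile the authorised asset inventory (CIS Control 1) and approved
software (CIS Control 2) against what is actually observed on the network.
Added example: the inventory, the observations and the hostnames are
constructed sample data, and the record layout is an assumption."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 6, 11)  # constructed "as of" date


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str
    approved_software: frozenset


# What the organisation believes it owns, keyed by MAC address (constructed).
INVENTORY = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "fin-laptop-01", "finance", frozenset({"office", "edr"})),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "web-srv-01", "platform", frozenset({"nginx", "edr"})),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "old-printer", "facilities", frozenset()),
}

# What discovery actually saw (e.g. DHCP leases plus a software scan):
# (mac, hostname, last seen, software observed). Constructed sample.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "fin-laptop-01", date(2024, 6, 10), {"office", "edr", "torrent-client"}),
    ("aa:bb:cc:00:00:02", "web-srv-01", date(2024, 6, 10), {"nginx", "edr"}),
    ("de:ad:be:ef:00:09", "unknown-android", date(2024, 6, 9), set()),
]


def reconcile(inventory, observed, today, stale_after_days=30):
    """Three findings Controls 1 and 2 ask for: devices nobody authorised,
    authorised devices that have gone quiet, and software that is not approved."""
    result = {"unauthorised_assets": [], "stale_assets": [], "unapproved_software": {}}
    seen = {}
    for mac, hostname, last_seen, software in observed:
        seen[mac] = last_seen
        asset = inventory.get(mac)
        if asset is None:
            result["unauthorised_assets"].append((mac, hostname))
            continue
        extra = sorted(software - asset.approved_software)
        if extra:
            result["unapproved_software"][asset.hostname] = extra
    for mac, asset in inventory.items():
        last = seen.get(mac)
        if last is None or (today - last).days > stale_after_days:
            result["stale_assets"].append(asset.hostname)
    return result


def inventory_coverage(inventory, observed):
    """Share of observed devices that are in the authorised inventory; a simple
    Control 1 metric that should trend towards 1.0."""
    observed_macs = {row[0] for row in observed}
    if not observed_macs:
        return 1.0
    return len(observed_macs & set(inventory)) / len(observed_macs)


def report():
    return reconcile(INVENTORY, OBSERVED, TODAY), inventory_coverage(INVENTORY, OBSERVED)


if __name__ == "__main__":
    findings, cov = report()
    print(findings)
    print(f"inventory coverage: {cov:.0%}")
```

Each of the three findings maps to a decision: an unauthorised device is isolated or enrolled, a stale authorised device is decommissioned or its record corrected, and unapproved software is removed or added to the allow list. Running the reconciliation on a schedule rather than once is what turns the inventory into a control.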
Foundational cluster: technical defence and infrastructure
This cluster focuses on hardening systems, managing access and improving visibility across the technical environment.
- CIS Control 4: Secure Configuration of Enterprise Assets and Software
  Default settings on laptops, servers, cloud services or firewalls are not always secure enough. Replace them with hardened configurations that reflect your organisation’s risk profile.
- CIS Control 5: Account Management
  Maintain visibility over user accounts throughout their full lifecycle, from creation to deactivation, so unused or orphaned accounts do not become an avoidable risk.
- CIS Control 6: Access Control Management
  Grant permissions on a need-to-know basis: give employees exactly the access their work requires and nothing more.
- CIS Control 7: Continuous Vulnerability Management
  Security vulnerabilities don’t wait. Scan your systems continuously and apply patches promptly to close attack vectors.
- CIS Control 8: Audit Log Management
  Logs rarely feel urgent until an incident begins. When they are collected consistently and reviewed in context, they help teams trace suspicious activity and understand what happened.
- CIS Control 9: Email and Web Browser Protections
  Email and browsers are part of daily work, which also makes them common routes for attack. Use filtering, secure configuration and user protection measures to limit the impact of malicious links, attachments and websites.
- CIS Control 10: Malware Defenses
  Define how malicious code is detected, blocked and contained across your environment. That also means setting clear rules for which software may be installed or run.
- CIS Control 11: Data Recovery
  Backups are only useful if recovery works when it matters. Test restores regularly and protect backup copies from tampering, deletion or ransomware encryption.
- CIS Control 12: Network Infrastructure Management
  Network devices can drift out of a secure state over time. Routers, switches and similar components need controlled configurations, active monitoring and ongoing maintenance.
- CIS Control 13: Network Monitoring and Defense
  Network monitoring is about spotting unusual behaviour early enough to investigate it. The goal is to identify patterns, anomalies or signs of compromise before they turn into a larger incident.
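Controls 4 and 12 both come down to the same routine: define a hardened baseline, read the live configuration, and report every parameter that differs or has silently fallen back to a vendor default. The Python below is an added example, not code from this page, from CIS or from CIS-CAT; the baseline values and the sample configuration are constructed for illustration (the parameter names are OpenSSH-style, but the required values are assumptions, not CIS Benchmark recommendations).

```python
"""Check a device configuration against a hardened baseline and report drift
(CIS Controls 4 and 12). Added example: the baseline values and the sample
config are constructed; the parameter names are OpenSSH-style but the required
values are assumptions, not CIS Benchmark recommendations."""

# Hardened baseline: parameter -> (required value, why it matters). Constructed.
BASELINE = {
    "PermitRootLogin": ("no", "direct root logins remove accountability"),
    "PasswordAuthentication": ("no", "key-based auth resists password guessing"),
    "X11Forwarding": ("no", "unneeded feature, less attack surface"),
    "MaxAuthTries": ("4", "limits login attempts per connection"),
    "LogLevel": ("VERBOSE", "audit logs need enough detail (Control 8)"),
}

# Constructed live configuration as it might be pulled from a host.
SAMPLE_CONFIG = """\
# constructed sample, OpenSSH-style key/value file
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# X11Forwarding and LogLevel are not set at all -> vendor defaults apply
"""


def parse_kv_config(text):
    """Parse 'Key value' lines, ignoring comments and blanks. The first
    occurrence of a key wins, which is how OpenSSH resolves duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def check_drift(settings, baseline):
    """Return (parameter, actual, required, reason) for every deviation.
    A parameter that is absent counts as drift: the vendor default may be the
    very setting the baseline was written to replace."""
    findings = []
    for key, (required, reason) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "missing", required, reason))
        elif actual.lower() != required.lower():
            findings.append((key, actual, required, reason))
    return findings


def compliance_ratio(settings, baseline):
    """Share of baseline parameters that match; 1.0 means no drift."""
    return 1 - len(check_drift(settings, baseline)) / len(baseline)


if __name__ == "__main__":
    live = parse_kv_config(SAMPLE_CONFIG)
    for key, actual, required, reason in check_drift(live, BASELINE):
        print(f"{key}: is {actual!r}, baseline requires {required!r} ({reason})")
    print(f"baseline compliance: {compliance_ratio(live, BASELINE):.0%}")
```

Treating a missing parameter as a finding, rather than as "not applicable", is the point of the check: most drift in practice is not someone changing a value but a rebuilt or restored device that never had the hardened value applied in the first place.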
Organisational cluster: people, processes and response
Technology matters, but it is only part of the picture. Enterprise security frameworks increasingly put stronger emphasis on people, processes and operational readiness.
- CIS Control 14: Security Awareness and Skills Training
  A strong firewall is not enough if employees are not prepared for phishing and social engineering. Security awareness training helps build a stronger security culture and supports safer behaviour across the organisation.
- CIS Control 15: Service Provider Management
  Keep visibility over suppliers, service providers and third parties, especially where they have access to systems, data or critical processes.
- CIS Control 16: Application Software Security
  Build security into the full software lifecycle, whether applications are developed internally, purchased or managed by external providers.
- CIS Control 17: Incident Response Management
  When an incident occurs, speed and coordination matter. A human risk management dashboard can help make employee reporting rates measurable and bring the human factor into early warning and response processes.
- CIS Control 18: Penetration Testing
  Use simulated attacks to test how well your defences perform in practice and identify weaknesses before real attackers can exploit them.
How to implement CIS Controls: a 4-step plan
Many organisations struggle to implement a new framework because the work quickly becomes complex. The key is not to treat CIS Controls as a one-off project that will eventually be “finished”. It works far better if you run it as an ongoing cycle. You figure out your baseline, tackle the biggest threats first, deploy the fixes gradually, and then measure whether those fixes actually hold up.
1. Assess your current status
Figuring out how to implement CIS Controls starts with knowing exactly what is broken. You cannot skip this reality check. If you need a high-level picture of the organisation, CIS CSAT (Hosted) is usually the go-to tool. On the technical side, CIS-CAT Lite handles the basic scanning work. Those using the CIS SecureSuite Platform already have the heavy-duty analytics built right in. A pragmatic start does not have to be complicated. Some teams begin with simple templates or spreadsheets (such as those from CRF) to document which controls are fully implemented, partly implemented or not yet implemented. The important part is honesty: the assessment should show where gaps really exist, not where teams hope they are.
2. Prioritise based on risk
Do not try to fix every gap at once. Use the results from your assessment and compare them with your organisation’s risk profile. Your most valuable assets should guide the order of work. If customer data is one of your highest priorities, CIS Control 3: Data Protection may matter more than improving network monitoring in a low-risk subnet.
The goal is to identify the measures that can reduce the most relevant risk with realistic effort. CIS Controls v8.1 actually forces you to drop the endless wishlist approach. Instead of guessing what to fix next, you get a strict, logical sequence based entirely on real-world threat data.
3. Roll out controls in stages
Most IT departments will crash if they try to do everything simultaneously. Implementation Group 1 prevents that overload by acting as your mandatory starting line. You establish basic cyber hygiene first – locking down the most obvious vulnerabilities – before anyone even looks at the advanced setups required for Implementation Group 2 or Implementation Group 3.
Start with measures that can have a direct effect on everyday risk. Secure remote access with multi-factor authentication under CIS Control 6: Access Control Management. Review local admin rights under CIS Control 5: Account Management. Protect backups from ransomware by keeping them offline, immutable or otherwise resistant to tampering under CIS Control 11: Data Recovery. These are not theoretical exercises. They are practical steps that can make common attack paths harder to exploit.
4. Measure and automate
Knowing how to implement CIS Controls is only half the work. You also need to see whether anything is improving. Start with a few metrics that security teams and leadership can both understand: asset coverage under CIS Control 1, patching speed under CIS Control 7 and MFA coverage under CIS Control 6.
The human element should be visible as well. How do employees react when they encounter phishing? How often do they report suspicious messages? A human risk score can make these patterns easier to discuss, while a central human risk management platform can bring together data on security behaviour, reporting rates and awareness progress under CIS Control 14: Security Awareness and Skills Training. Where possible, automate the reporting so dashboards stay current without creating extra manual work.
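The four steps above amount to one loop: record the status of each safeguard, scope it to the Implementation Group you are aiming for, roll out fixes, and re-measure. The Python below is an added example that is not part of this page or of any CIS tool; it keeps a self-assessment by IG and computes the metrics named in step 4 (patching speed under Control 7, MFA coverage under Control 6, phishing reporting rate under Control 14) from constructed data. The safeguard ids are placeholders and their IG assignments are illustrative, not the official CIS mapping.

```python
"""Track a CIS Controls v8.1 self-assessment by Implementation Group and
compute a few of the metrics a security team would report on: patching speed
(Control 7), MFA coverage (Control 6) and phishing reporting rate (Control 14).
Added example with constructed data: safeguard ids are placeholders and the
IG assignments are illustrative, not the official CIS mapping."""
from datetime import date
from statistics import median

TODAY = date(2024, 6, 11)  # constructed "as of" date for the metrics
STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}

# Constructed assessment rows: (placeholder safeguard id, control number,
# lowest IG that requires the safeguard, current status).
ASSESSMENT = [
    ("SG-1a", 1, 1, "implemented"),
    ("SG-1b", 1, 1, "partial"),
    ("SG-5a", 5, 1, "implemented"),
    ("SG-6a", 6, 1, "not_implemented"),
    ("SG-7a", 7, 1, "implemented"),
    ("SG-14a", 14, 1, "partial"),
    ("SG-8b", 8, 2, "not_implemented"),
    ("SG-13a", 13, 2, "implemented"),
    ("SG-18c", 18, 3, "not_implemented"),
]


def ig_readiness(rows, target_ig):
    """Weighted completion of every safeguard the target IG requires, plus the
    open gaps. IG2 contains all of IG1 and IG3 all of IG2, so scope is ig <= target."""
    in_scope = [r for r in rows if r[2] <= target_ig]
    score = sum(STATUS_WEIGHT[r[3]] for r in in_scope) / len(in_scope)
    gaps = [r[0] for r in in_scope if r[3] != "implemented"]
    return round(score, 3), gaps


# Constructed patch records: (host, patch, vendor release date, date applied or None).
PATCH_EVENTS = [
    ("web-srv-01", "vendor-patch-2024-05", date(2024, 5, 1), date(2024, 5, 4)),
    ("fin-laptop-01", "vendor-patch-2024-05", date(2024, 5, 1), date(2024, 5, 15)),
    ("db-srv-02", "vendor-patch-2024-05", date(2024, 5, 1), None),
]


def patching_speed(events=PATCH_EVENTS, today=TODAY):
    """Median days from vendor release to install, plus what is still open."""
    applied = [(done - released).days for _, _, released, done in events if done]
    open_events = [(host, (today - released).days)
                   for host, _, released, done in events if done is None]
    return {
        "median_days_to_patch": median(applied) if applied else None,
        "unpatched_hosts": [host for host, _ in open_events],
        "oldest_open_days": max((days for _, days in open_events), default=0),
    }


# Constructed accounts: (name, active, mfa_enrolled). Disabled accounts are
# excluded from the denominator so stale accounts cannot inflate coverage.
ACCOUNTS = [("alice", True, True), ("bob", True, False),
            ("svc-backup", True, False), ("carol", False, False)]


def mfa_coverage(accounts=ACCOUNTS):
    """Share of active accounts enrolled in MFA, and who is still missing."""
    active = [a for a in accounts if a[1]]
    enrolled = sum(1 for a in active if a[2])
    return enrolled / len(active), [a[0] for a in active if not a[2]]


# Constructed phishing-simulation result.
SIMULATION = {"delivered": 200, "clicked": 18, "reported": 64}


def phishing_metrics(sim=SIMULATION):
    """Reporting rate is the figure that feeds incident response (Control 17);
    click rate alone says nothing about whether anyone raised the alarm."""
    return {"click_rate": sim["clicked"] / sim["delivered"],
            "report_rate": sim["reported"] / sim["delivered"]}


if __name__ == "__main__":
    for ig in (1, 2, 3):
        print(f"IG{ig} readiness:", ig_readiness(ASSESSMENT, ig))
    print(patching_speed())
    print(mfa_coverage())
    print(phishing_metrics())
```

Scoping the readiness score to an IG is what keeps step 3 honest: a team can be well on its way to IG1 while its overall score looks poor because IG2 and IG3 safeguards drag it down, and the gap list tells the team what to schedule next. The patching and MFA figures deliberately report the laggards by name rather than only a percentage, because a single unpatched server or an MFA-less service account is what an attacker would find.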
From SMEs to enterprise: Finding your scenario with CIS Controls implementation groups
One of the biggest advantages of the CIS Controls is their scalability. They adapt to exactly where you are on your security journey. Rather than pushing a one-size-fits-all agenda, the CIS Controls implementation groups (IG) help you figure out exactly which measures apply based on your current resources and risk profile.
Implementation Group 1 (IG1) – Essential cyber hygiene
This serves as the default entry point for most organisations, especially small and medium-sized enterprises (SMEs). IG1 focuses entirely on a specific subset of controls designed to block the most common, non-targeted cyber attacks. Simply mastering this basic cyber hygiene usually gets you roughly 80 percent of the way to a secure baseline.
Implementation Group 2 (IG2) – Advanced security
The moment you start managing highly sensitive data or providing IT services to third parties, the pressure increases. This is where IG2 hits the sweet spot. Reaching this level requires dedicated security staff and far more complex software solutions, as you now need to defend against advanced threats that easily bypass basic hygiene.
Implementation Group 3 (IG3) – Sophisticated threat defence
This tier is strictly for organisations operating directly in the crosshairs. If you run critical national infrastructure or handle highly classified data, you attract advanced persistent threats (APTs) looking for specific vulnerabilities. Basic hygiene will not cut it here. At this level, you have to fully deploy every single one of the CIS Controls and all associated safeguards to make your environment resilient enough to withstand targeted, highly resourced attacks.
Audit and certification: Valid proof of your CIS compliance
Unlike classic ISO 27001 certification, you do not get a badge to frame on the wall here. But you still have to prove you actually did the work.
Running CIS-CAT Pro is the fastest way to verify technical settings against the CIS Controls framework. It pulls raw configuration data directly from your machines. However, self-assessments rarely survive contact with external auditors. If you want real credibility, hire a specialised third party to rip your setup apart and document the actual maturity level. You need that external paperwork. When you sit down with cyber insurance brokers or M&A lawyers, an independent audit report proving your IG1 status ends the technical debate immediately. Internal checklists do not.
Mapping: how CIS Controls align with ISO 27001, NIST CSF and NIS2
No IT department wants to map out separate rules for every compliance standard. Finding the intersections between different enterprise security frameworks is the only way to manage the workload. Put CIS Controls vs NIST CSF 2.0 or ISO 27001 side by side, and the boundaries become obvious. ISO forces you to build an Information Security Management System (ISMS). It offers zero practical guidance on locking down your routers or scheduling your patches. CIS drops the high-level theory and hands you the exact technical settings required to satisfy those broader ISO or NIST mandates.
You see a similar pattern with IT governance models like the COBIT framework or architecture blueprints such as the TOGAF framework. They provide the structural shell, but deliberately leave the operational details blank.
The examples below show how selected CIS Controls can support discussions across different frameworks. They are not a complete or legally binding mapping.
| CIS Controls focus | ISO 27001:2022 | NIST CSF 2.0 | NIS2 EU |
| CIS Control 3: Data Protection | A.8.12 Data leakage prevention | PR.DS Data Security | Article 21: cryptography and encryption |
| CIS Control 14: Security Awareness and Skills Training | A.6.3 Information security awareness, education and training | PR.AT Awareness and Training | Article 21: cyber hygiene and training |
| CIS Control 17: Incident Response Management | A.5.24 Information security incident management planning and preparation | RS.MA Incident Management | Article 21: incident handling |
In practice, the CIS Controls often act as a bridge between strategic requirements and day-to-day security work. They help technical teams understand which concrete measures may support a broader framework requirement. Used carefully, this can reduce duplication and support a security architecture that works both in documentation and in everyday operations.
A quick note on compliance: You are reading a technical guide, not a legally binding document. We cannot offer formal legal advice here. Always bring your own legal team or compliance officers into the loop to figure out exactly what the law requires your specific company to do.