Organizations today face a variety of threats, which can make cybersecurity seem daunting. How can they protect against so many types of cyber attacks with limited resources?

The CIS Critical Security Controls® (CIS Controls®) are meant to help organizations address this specific challenge. The CIS Controls are a prioritized set of actions that organizations can take to help defend themselves and their data against common cyber attack vectors.

Let’s take a closer look at what these Controls are, why your organization should implement them, and how.

What are the CIS Controls?

The CIS Controls are a set of best practices for cybersecurity developed by the Center for Internet Security, Inc. (CIS®). These Controls aim to help organizations identify, manage, and mitigate the most prevalent cyber threats against systems and networks. They are designed to be comprehensive enough to protect and defend cybersecurity programs for any size enterprise but also prescriptive enough to ease implementation. 

Each CIS Control is broken down into CIS Safeguards, or measurable actions. Each Safeguard describes an action that organizations can take to help defend against common cyber attacks, including malware, ransomware, web application attacks, insider threats and misuse, and targeted intrusions, among others.

The CIS Controls are continuously updated as part of CIS's ongoing commitment to ensuring that organizations remain resilient against rapidly changing cyber threats. Let’s take a look at the latest iteration below.

CIS Controls v8.1

CIS Controls v8.1 represents the latest evolution in cybersecurity standards to improve an enterprise's cybersecurity posture. Released in June 2024, this latest iteration addresses the increasing complexities and vulnerabilities in today's cyber landscape by incorporating new asset classes and introducing a governance security function. 

CIS Controls v8.1 is an iterative update to version 8.0, refining and enhancing the Controls to better address current cybersecurity challenges. Below are the key aspects and improvements introduced in CIS Controls v8.1:

• Revised asset classes and CIS Safeguard descriptions: Version 8.1 adds Documentation as an asset class, bringing the total to six. These six — Devices, Software, Data, User, Network, Documentation — better match the specific domains of an enterprise's environment that CIS Controls apply to. As a result of this addition and other minor revisions to the asset classes, some Safeguard descriptions were also updated for greater detail, practicality, and/or clarity.
• Included new and expanded glossary definitions for certain terms used throughout the Controls: As a result of the new and revised asset classes and Safeguard descriptions, there are several new or updated glossary definitions in v8.1. New glossary terms include API, data, documentation, Internet of Things (IoT), network, plan, and sensitive data. 
• Updated alignment to NIST CSF 2.0: Since they were first released, the CIS Controls have continuously been updated to align with evolving industry standards and frameworks. The recent release of NIST CSF 2.0 helped orchestrate this latest version of the Controls, which includes updated mappings and Safeguards that align with changes made in NIST CSF 2.0.
• The addition of a “Governance” security function: In v8.1, Governance is added as a security function, bringing the total to six. (The other five are Identify, Protect, Detect, Respond, Recover.) In this latest revision, governance topics are specifically identified as recommendations that can be implemented to enhance the governance of a cybersecurity program. This will help organizations better identify the governing pieces of the program in order to steer it toward achieving their enterprise goals and equip organizations with the evidence needed to demonstrate compliance. 

Why Implement the CIS Controls?

The CIS Controls aim to streamline the process of designing, implementing, measuring, and managing enterprise security. Below are some key reasons to implement the Controls.  

1. Enhance your cybersecurity posture

CIS Controls provide a comprehensive framework for protecting against a wide range of cyber threats. By following these best practices, organizations can strengthen their defenses, reduce vulnerabilities, and enhance their overall security posture. The Controls cover essential areas such as data protection, access control management, and incident response, ensuring a holistic but simplified approach to cybersecurity.

2. Tailor your approach to cybersecurity

CIS Controls are designed to be scalable and flexible, making them suitable for organizations of all sizes and industries. Version 8.1 contains 18 Controls and 153 Safeguards, which are categorized into three Implementation Groups (IGs). IGs are self-assessed categories based on the organization's risk profile and available resources. This categorization allows organizations to adopt a tailored and prioritized approach, implementing Controls that are appropriate for their specific needs and capabilities rather than requiring them to implement all 18 Controls and 153 Safeguards at once.

3. Allocate your resources efficiently

The CIS Controls are designed to prioritize the most critical security actions, making it easier for organizations to focus their efforts where they matter most. This prioritization helps in allocating resources efficiently, addressing the most significant risks first, and achieving meaningful security improvements without overwhelming the organization with too many simultaneous tasks.

4. Continuously improve over time

CIS Controls emphasize continuous monitoring, measurement, and improvement of security practices. By regularly assessing the effectiveness of the Controls you implement and updating them as needed, organizations can stay ahead of emerging threats and maintain a robust cybersecurity posture over time. This proactive approach helps in adapting to the evolving cyber threat landscape and ensures long-term resilience.

5. Manage security cost-effectively

By addressing the most critical vulnerabilities and improving incident response capabilities, the CIS Controls can help organizations minimize the likelihood and financial and operational impact of cyber attacks. Additionally, the prioritized nature of the Controls ensures that resources are used efficiently, providing maximum security benefits with optimal investment.

6. Demonstrate a reasonable level of security

In the United States, there is no national, statutory, cross-sector minimum standard for information security. Instead, multiple U.S. states require organizations to implement a “reasonable” level of security. While there are multiple ways to do this, several of these state laws and regulations specifically mention the CIS Controls as a way of demonstrating a reasonable level of security. 

7. Simplify multi-framework compliance

The CIS Controls don’t just include foundational security measures that any organization can use to achieve essential cyber hygiene and protect themselves against a cyber attack. They also map to and are referenced by multiple legal, regulatory, and policy frameworks, including PCI DSS, NIST CSF, NIST 800-171, NIST 800-53, HIPAA, GDPR, and ISO 27001. Implementing the Controls can help organizations achieve compliance with these standards and regulations, reducing duplicate work.

CIS Controls List

Below is a high-level overview of the 18 CIS Controls in version 8.1. For a more detailed overview of the Controls and the Safeguards, asset types, and security functions within each Control.

CIS Implementation Groups 

First introduced in CIS v7.1, IGs are designed to help organizations with varying resources and risk exposure to implement the CIS Controls as well as to create and manage an effective cyber defense program. 

Each IG identifies which of the 18 Controls and 153 Safeguards are reasonable to implement for an organization with a similar risk profile and resources. These are self-assessed categories. Meaning, organizations classify themselves to better focus their cybersecurity resources and expertise when implementing the CIS Controls. 

Implementation Group 1

Suitable for organizations with limited IT and cybersecurity expertise, this IG focuses on essential cyber hygiene practices to protect against common threats.

IG1 enterprises will likely:

• Store and process low-sensitivity data, like employee and financial information
• Be an SMB with limited resources dedicated to protecting IT assets and personnel
• Have small or home office commercial off-the-shelf (COTS) hardware and software to defend against attacks
• Need to thwart general, non-targeted attacks
• Be primarily concerned with preventing downtime

Consisting of 15 Controls and 56 Safeguards, this set represents the minimum standard of information security for all enterprises. Since every enterprise should start with IG1 to guard against the most common cyber attacks, this group is considered the “on-ramp” to the CIS Controls. 

Implementation Group 2

Suitable for organizations with increased operational complexity, this IG includes all the Controls and Safeguards identified in IG1 as well as three additional Controls and 74 additional Safeguards that address a wider range of threats and vulnerabilities.

IG2 enterprises will likely:

• Store and process sensitive client or enterprise information
• Have dedicated individuals who are responsible for managing and protecting IT infrastructure
• Need enterprise-grade technology and specialized expertise to properly install and configure some of the Safeguards
• Support multiple departments with different risk profiles and regulatory compliance burdens
• Be primarily concerned with preventing a data breach that could result in a loss of public confidence

In total, IG2 comprises all 18 Controls and 130 Safeguards. 

Implementation Group 3

Designed for large enterprises with sophisticated IT environments and advanced cybersecurity capabilities, this IG comprises all Controls and Safeguards identified in IG1 and IG2 as well as 23 additional Safeguards that provide comprehensive protection against advanced persistent threats (APTs) and other high-level risks.

IG3 enterprises will likely:

• Store and process highly sensitive data that, if its confidentiality, integrity, and/or availability were comprised, would cause significant harm to public welfare
• Employ experts that specialize in different facets of cybersecurity, like risk management, penetration testing, and application security
• Contain sensitive information or functions that are subject to regulatory and compliance oversight
• Need to mitigate targeted and sophisticated attacks and reduce the impact of zero-day attacks
• Be primarily concerned with protecting the availability of services and the confidentiality and integrity of sensitive data in order to protect public welfare

In total, IG3 includes all 18 Controls and 153 Safeguards.

How to Implement the CIS Controls

Implementing the CIS Controls can significantly enhance an organization’s cybersecurity posture. Here’s a detailed step-by-step guide on how to implement the Controls effectively.

1. Assess your current security posture

Before implementing the CIS Controls, conduct a thorough assessment to understand your current security posture and identify any gaps or weaknesses. This includes the following activities:

• Asset inventory: Document all hardware and software assets within the organization
• Risk assessment: Identify potential vulnerabilities and threats to these assets
• Gap analysis: Compare your current security measures against the CIS Controls to identify gaps

2. Select your Implementation Group

As mentioned above, CIS Controls v8.1 categorizes Controls into three IGs. These groups provide a scalable and flexible approach to implementing the Controls based on the organization’s risk profile and available resources.

Use the table below to determine which IG best matches your organization’s risk profile and available resources.

How the CIS Controls Fit into a Cybersecurity Program

Since the CIS Controls include foundational security measures for strengthening an organization’s cybersecurity posture, they can be a great starting point for any cybersecurity program.

Many of these foundational security measures can also help you meet requirements in other information security frameworks, helping to reduce duplicate work and speed up time-to-compliance for multiple frameworks.

Using the CIS Critical Security Controls Navigator, you can see how the CIS Controls are mapped to and referenced by multiple legal, regulatory, and policy frameworks, including but not limited to:

• Azure Security Benchmark
• CMMC v2.0
• Criminal Justice Information Services (CJIS)
• CSA Cloud Controls Matrix
• Cyber Essentials v2.2
• HIPAA
• ISACA COBIT 19
• ISO/IEC 27002:2002
• MITRE Enterprise ATT&CK v8.2
• NIST 800-171
• NIST 800-53
• NIST CSF 2.0
• NYDFS Part 500
• PCI DSS v4.0
• SOC 2

When using a compliance automation platform like Secureframe, this mapping is done automatically in-platform once you add another framework to your instance. This not only saves time and reduces the potential for human error — it also provides immediate visibility into how far along in the compliance process you already are with any additional frameworks and exactly  what gaps you need to fill to become compliant. 

A managed service provider can also help integrate the CIS Controls into a broader security program or framework when necessary.

How Secureframe can Simplify CIS Controls Implementation and Compliance with Other Frameworks

As a CIS SecureSuite® Product Vendor Member, we’ve integrated the CIS Controls content into our platform to further empower organizations and service partners to enhance their security posture and build comprehensive security programs for themselves and/or their customers.

Whether your organization is implementing the CIS Controls itself or working with a managed service provider, Secureframe can help simplify and speed up the process. 

With Secureframe, you can:

• Automate evidence collection to eliminate manual tasks like taking screenshots and organizing documentation 
• Continuously monitor your tech stack and cloud services to ensure compliance and flag nonconformities 
• Deliver and track employee training
• Simplify vendor and personnel management
• Use auditor-approved policy templates to save time spent on policy creation 
• Stay current with the latest version of the CIS Controls and other frameworks
• Map Controls and tests you put in place for CIS compliance to other frameworks to speed up time-to-compliance and reduce duplicate work

If you’re a managed service provider, you can use Secureframe’s powerful automation and AI capabilities to revolutionize how you manage security and compliance for your clients. 

To see why 97% of users reported strengthening their security and compliance posture with Secureframe, request a demo today. Or if you’re looking to become a Secureframe partner, sign up here.