Center for Internet Security (CIS)

The Center for Internet Security (CIS) Controls and CIS Benchmarks are a set of best practices designed to help organizations bolster their security posture. These controls, which have been developed by a community of IT experts, focus on a series of prioritized actions that form the foundation of any good cybersecurity program, assisting organizations in safeguarding their systems and data against the most pervasive cyber threats.

Definition and purpose

The CIS Controls are a recommended set of actions aimed at preventing, detecting, and mitigating system vulnerabilities and cyberattacks. Their purpose is to provide a systematic and prioritized approach to cybersecurity, starting from foundational measures and progressing to more advanced techniques. By offering a roadmap of the key protections with the biggest impact, the CIS Controls help organizations improve their cyber defense mechanisms.

Governing Body

The governing body for the CIS framework is the Center for Internet Security (CIS), a non-profit entity that promotes cybersecurity readiness and response.

Last updated

The CIS Controls are updated periodically based on the evolving threat landscape and technological advancements. The most recent update was released in March 2023.

Applies to

The CIS Controls are sector-agnostic and can be applied across various industries and organization types, including government, private sector, and non-profits. Their universal applicability is one of the reasons they are widely adopted and recommended.

Controls and requirements

The CIS Controls are grouped into three categories: Basic, Foundational, and Organizational. Here's a brief list:

Basic Controls

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Management
  • Controlled Use of Administrative Privileges
  • Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Maintenance, Monitoring, and Analysis of Audit Logs

Foundational Controls

  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capabilities
  • Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on the Need to Know
  • Wireless Access Control
  • Account Monitoring and Control

Organizational Controls

  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

Please refer to the official CIS Benchmarks List for a detailed list of controls and requirements.

Audit type, frequency, and duration

While CIS doesn't dictate a specific audit mechanism, organizations often undertake internal or third-party assessments to gauge their compliance with the CIS Controls.

The frequency of these assessments can vary based on organizational risk appetite, regulatory requirements, or cybersecurity maturity. However, an annual assessment is generally recommended to account for evolving threats and technological changes.

The duration of the audit or assessment largely depends on the organization's size and complexity and on the scope of the assessment, but could range from a few days to several weeks.
