It’s been over a month since I last posted on my blog. I was busy finishing up my Master’s Degree, and time just flew by! My goal is to write a blog post at least once a month, and so far, I have kept that streak. Hopefully, now that I am done with school, I can commit to one post per week.
That said, this post is about CIS Controls, formerly known as Critical Security Controls (CSCs).
What are CIS Controls?
The CIS Controls are a prioritized set of cybersecurity safeguards published by the Center for Internet Security (CIS) and developed by a global community of practitioners. They are designed to help organizations defend against the most common attacks seen in the wild and improve their overall security posture.
Each Control is broken down into Safeguards, and every Safeguard is assigned to one of three IGs, and no, those are not Instagram posts, they are Implementation Groups (IGs). The IGs are cumulative (IG2 includes everything in IG1, and IG3 includes everything in IG1 and IG2), so an organization picks its starting point based on its resources and risk profile:
- IG1 – Essential cyber hygiene: the minimum every organization should implement, aimed at small or less complex organizations with limited IT and security expertise (56 Safeguards in v8).
- IG2 – Organizations with dedicated IT staff that manage multiple departments and risk profiles (IG1 plus 74 more, 130 Safeguards).
- IG3 – Mature or high-risk enterprises with security experts and sensitive or regulated data (all 153 Safeguards).
You can look at the breakdown of the 18 CIS Controls (currently version 8.1, as of this post), in their official order, below:
| # | Control Name | Purpose |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Maintain an accurate inventory of every device (end-user, network, IoT, server, cloud) so you know what to protect and can spot unauthorized assets. |
| 2 | Inventory and Control of Software Assets | Track installed software and only allow authorized, supported software to run. |
| 3 | Data Protection | Classify sensitive data and safeguard it through encryption, access controls, and secure disposal. |
| 4 | Secure Configuration of Enterprise Assets and Software | Harden systems by replacing default settings and reducing the attack surface. |
| 5 | Account Management | Enforce least privilege, use unique credentials, and remove inactive or orphaned accounts. |
| 6 | Access Control Management | Define and enforce who can access which resources, with MFA and timely deprovisioning. |
| 7 | Continuous Vulnerability Management | Regularly scan for vulnerabilities and remediate them on a defined timeline. |
| 8 | Audit Log Management | Collect, centralize, review, and retain logs for detection and investigation. |
| 9 | Email and Web Browser Protections | Harden the two most commonly exploited user-facing interfaces (browser plugins, DNS filtering, attachment controls). |
| 10 | Malware Defenses | Deploy anti-malware tooling, keep it updated, and block unauthorized code execution. |
| 11 | Data Recovery | Ensure reliable, protected backups exist and are restored in tests regularly. |
| 12 | Network Infrastructure Management | Secure routers, switches, firewalls, and other network devices. |
| 13 | Network Monitoring and Defense | Monitor network traffic and defend against threats with centralized alerting, intrusion detection, and filtering between network segments. |
| 14 | Security Awareness and Skills Training | Train users to recognize and avoid common threats such as phishing. |
| 15 | Service Provider Management | Assess and manage risks from third-party providers that hold your data or systems. |
| 16 | Application Software Security | Integrate security into the software development lifecycle (SDLC). |
| 17 | Incident Response Management | Plan for and practice incident detection, reporting, and recovery. |
| 18 | Penetration Testing | Validate that controls actually work by simulating attacker actions, including red teaming. |
Some tips for implementing these controls:
- Start with IG1: Focus on the most critical controls like asset inventory (Controls 1 and 2), account management (Control 5), and secure configuration (Control 4).
- Use the CIS Controls Self-Assessment Tool (CSAT): Available for free to help organizations evaluate and track their implementation maturity.
- Involve Leadership and IT: Successful adoption requires buy-in from both technical and executive leadership.
- Document Everything: Good records support compliance, audits, and continuous improvement.
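To make the "start with IG1" advice concrete, here is an added example of mine (not code from the original post or from CIS) that runs three IG1-style checks as a script: unauthorized devices (Safeguard 1.2), dormant accounts (Safeguard 5.3, the 45-day threshold), and vendor defaults left in place (Control 4). The inventory, scan results, account export, and device configuration are constructed sample data, and the list of "default" values is illustrative.

```python
"""Added example, not from the original post or from CIS: three IG1-style checks
(Controls 1, 4 and 5) run as a script over constructed sample data."""
from datetime import date, timedelta

# --- Constructed sample data (not real systems) -----------------------------
# Control 1: the asset inventory we think we have vs. what a network scan found.
INVENTORY = {"10.0.0.5": "fileserver01", "10.0.0.7": "printer-lobby", "10.0.0.9": "ws-alice"}
SCAN_RESULTS = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.42"]

# Control 5: an account export (name, last logon, enabled). The date is fixed so
# the example is deterministic; a real script would use date.today().
TODAY = date(2025, 6, 1)
ACCOUNTS = [
    {"name": "alice", "last_logon": date(2025, 5, 30), "enabled": True},
    {"name": "contractor-bob", "last_logon": date(2025, 3, 1), "enabled": True},
    {"name": "svc-backup", "last_logon": None, "enabled": True},
    {"name": "old-intern", "last_logon": date(2024, 11, 2), "enabled": False},
]

# Control 4: a configuration snapshot from a network device still on vendor defaults.
DEVICE_CONFIG = {"admin_password": "admin", "snmp_community": "public",
                 "telnet": "enabled", "ntp": "10.0.0.1"}

# Illustrative values that mean "still a default" for the settings we check.
DEFAULT_VALUES = {
    "admin_password": {"admin", "password", "changeme", ""},
    "snmp_community": {"public", "private"},
    "telnet": {"enabled"},
}

DORMANT_DAYS = 45  # Safeguard 5.3: disable accounts dormant for 45 days (IG1)


def unauthorized_assets(inventory, scan):
    """Safeguard 1.2: devices seen on the network that are not in the inventory."""
    return sorted(ip for ip in scan if ip not in inventory)


def dormant_accounts(accounts, today=TODAY, max_days=DORMANT_DAYS):
    """Safeguard 5.3: enabled accounts with no logon in the last max_days.
    An account that has never logged on is reported too; review it rather than
    disabling it blindly, since it may be a service account."""
    cutoff = today - timedelta(days=max_days)
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )


def insecure_defaults(config, defaults=DEFAULT_VALUES):
    """Control 4: settings whose current value is a known vendor default."""
    return sorted(k for k, v in config.items() if v in defaults.get(k, set()))


def ig1_report(inventory=INVENTORY, scan=SCAN_RESULTS, accounts=ACCOUNTS, config=DEVICE_CONFIG):
    """Collect the three checks into one findings dict; empty lists mean a clean pass."""
    return {
        "unauthorized_assets": unauthorized_assets(inventory, scan),
        "dormant_accounts": dormant_accounts(accounts),
        "insecure_defaults": insecure_defaults(config),
    }


if __name__ == "__main__":
    for check, findings in ig1_report().items():
        print(f"{check}: {findings or 'OK'}")
```

Run it as-is and the sample data produces one unknown device (10.0.0.42), two dormant accounts, and three settings still at defaults. Pointing the three inputs at a real asset scanner export, directory dump, and configuration backup turns this into a recurring IG1 check you can schedule and keep the output of, which is the "document everything" tip in practice.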
Organizations benefit from implementing the CIS Controls because the Controls are prioritized by observed attack data rather than by a compliance checklist: CIS maps each Safeguard to the attacker techniques it defends against in its Community Defense Model. Also, with the tiered implementation groups (IG1-IG3), the framework scales from small businesses to large enterprises.
The CIS Controls also come with published mappings to many frameworks like NIST CSF, ISO/IEC 27001, HIPAA, and PCI DSS, which helps with regulatory compliance and security audits. In addition, the CIS Controls are developed and maintained by a global community of practitioners, which keeps them current with evolving threats.
Some of these controls are simple to use and follow, yet I have seen organizations that do not follow steps as simple as removing default settings from systems or testing backups to make sure they work. By following these controls, you can avoid those simple mistakes.
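Testing backups (Control 11) is the easiest of those simple steps to automate, so here is an added example of mine (not code from the original post or from CIS) of a restore drill: it backs up a set of files, restores them into a different directory, and compares content hashes, so a backup that does not restore intact is caught before you need it. The files are constructed sample data; the tamper option deliberately corrupts one restored file to show that the check catches it.

```python
"""Added example, not from the original post or from CIS: a minimal backup
restore drill for Control 11. Back up constructed files, restore them to a
different directory and compare SHA-256 hashes of every file."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for the files you would actually back up.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "config/app.yaml": b"debug: false\nport: 8443\n",
    "docs/readme.txt": b"restore me\n",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def make_backup(source, archive):
    """Write every file under source into a gzip tarball using relative names."""
    source = Path(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source).as_posix())


def restore_backup(archive, target):
    """Extract into target. The 'data' filter refuses absolute paths, '..' and
    links escaping target, which matters when restoring an archive you did not write."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(target), filter="data")
        except TypeError:  # Python without extraction filters (before the 3.12 backports)
            tar.extractall(str(target))


def verify_restore(source, target):
    """Relative paths that are missing or differ after restore; empty list means success."""
    expected, actual = snapshot(source), snapshot(target)
    return sorted(p for p in set(expected) | set(actual) if expected.get(p) != actual.get(p))


def run_restore_drill(files=SAMPLE_FILES, tamper=None):
    """Full drill: create files, back up, restore elsewhere, verify.
    If tamper names a file, its restored copy is modified first, to show the
    check reports a corrupted restore rather than just 'the command succeeded'."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dst, archive = tmp / "src", tmp / "restore", tmp / "backup.tgz"
        for rel, content in files.items():
            path = src / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        dst.mkdir()
        make_backup(src, archive)
        restore_backup(archive, dst)
        if tamper:
            with open(dst / tamper, "ab") as f:
                f.write(b"corrupted")
        return verify_restore(src, dst)


if __name__ == "__main__":
    print("clean restore mismatches:", run_restore_drill())
    print("tampered restore mismatches:", run_restore_drill(tamper="db/customers.csv"))
```

The point of comparing hashes rather than checking the exit code of the restore command is that "the job ran" and "the data came back intact" are different questions; the second one is what Safeguard 11.5 (test data recovery) is asking. In a real environment, swap the temporary directory for a real backup set and a scratch restore host, and keep the mismatch list as the record of the test.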
You can download the CIS Controls here.
I hope you found this post helpful and informative. Thanks for stopping by!