CIS controls: An overview

April 19, 2023
Big data. Information concept. 3D render

With cyberattacks becoming increasingly widespread and hackers constantly on the prowl to exploit weaknesses in your network, it’s time to consider adopting a robust cybersecurity framework to avert a major disaster. CIS controls are growing in popularity as the standard that companies worldwide are implementing to secure their networks. These controls are a prioritized set of effective safeguards that can repel common cyberattacks, such as web application hacking, insider and privilege misuse, malware, ransomware and targeted intrusions.

CIS controls: Background

The Center for Internet Security (CIS) was founded in 2000 as a non-profit organization providing knowledge, resources and tools to help businesses build resilient cybersecurity.

The CIS controls are a crucial part of the framework and provide a highly effective set of defensive actions for organizations to withstand common security incidents. These controls are organized into three implementation groups (IGs) and 153 safeguards based on the size and complexity of the organization.

Implementation Groups

Implementation Groups (IGs) assist businesses and organizations in prioritizing CIS controls based on their size, resources and risk profile. There are three IGs in the latest version:

IG1 – Designed for small to medium-sized businesses with limited IT and cybersecurity expertise. This group contains 56 safeguards and is dedicated to protecting IT assets and personnel.   

IG2 – Designed for medium-sized organizations with more complex IT infrastructures, this group comprises 74 additional safeguards and builds upon the 56 safeguards identified in IG1.

IG3 – Designed for large organizations with complex IT infrastructures and security programs, this group comprises an additional 23 safeguards. It builds upon the safeguards identified in IG1 (56) and IG2 (74), totaling 153 safeguards. Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

CIS controls v8

The latest update to CIS controls, version 8, was released in 2021 and includes significant changes to the framework, reflecting the changing nature of cybersecurity threats.

CIS controls v8 combines controls by activity rather than by who manages the devices. Physical devices, fixed boundaries and security implementation islands are now less important. As a result, the number of controls has gone down from 20 to 18.

The controls for the new version of CIS Controls are:

  1. Inventory and Control of Organizational Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Assets and Organizational Software
  5. Account Management
  6. Access Control Management
  7. Ongoing Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protection
  10. Malware Defenses
  11. Data recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Intrusion Test (Pentest)

Who uses CIS controls?

Organizations of all sizes and types, from small businesses to large enterprises worldwide, have found CIS controls effective. Here is a list of a few government entities, organizations and companies that have implemented CIS controls:

  • The Federal Reserve Bank of Richmond
  • Corden Pharma
  • Citizens Property Insurance
  • Butler Health System
  • University of Massachusetts
  • The states of Idaho, Colorado, and Arizona; The cities of Oklahoma, Portland and San Diego
  • Exostar, an e-business founded jointly by BAE Systems, The Boeing Co, Lockheed Martin, Raytheon and Rolls-Royce PLC

Steps to achieve compliance

To become compliant with the CIS controls, organizations need to take the following basic steps:

Step 1: Determine your implementation group

The first step in achieving CIS compliance is to determine your implementation group. Based on the size and complexity of the organization, you can identify the right set of controls. Assessing your or your client’s IT infrastructure, security program and available resources will help you choose the right implementation group and the appropriate number of safeguards.

Step 2: Implement the CIS controls

Once you have determined your implementation group, the next step is to implement the CIS controls. The controls are organized into 18 categories that cover various aspects of cybersecurity. Organizations can use CIS controls as a roadmap to improve their cybersecurity posture. The controls are prioritized to help organizations focus on the most critical areas first.

You can implement the CIS controls in a phased manner, tackling some controls and sub-controls early and implementing others later. Accelerate the implementation process by dividing the work among various team members or teams.

Step 3: Continuously monitor and assess your cybersecurity posture

Improving your cybersecurity posture is an ongoing process. Organizations should continuously monitor and assess their cybersecurity posture to identify new threats and vulnerabilities. This will help you stay ahead of the curve and ensure you are prepared to respond to new threats when they emerge.

Ensure CIS compliance with Compliance Manager GRC

With Compliance Manager GRC, you can use all your current IT security tools, software and systems to meet the requirements of CIS v8 framework while maintaining compliance with all your other IT requirements, regardless of source.

The built-in Standard Management Template lets you quickly determine whether you can “check the boxes” for every control, identify the gaps and automatically prepare all the documents you need to comply with the regulation.

Here are a few of the value-added features you get:

  • Rapid baseline assessments – Quickly identify gaps required for certification.
  • Technical risk assessments – Full risk assessment that meets the CIS v8 framework requirement.
  • Auditor’s checklist – Easy access for auditors to quickly satisfy their reporting requirements.
  • Plan of action & milestones – Tracking and management of things you need to do to be compliant.
  • Policies & procedures manual – Required documentation of everything you need to do.
  • Automated documentation & storage – Helps speed up the audit process of the Center for Internet Security standard.

To learn more, request a demo.