CIS Critical Security Controls: The Complete Guide

CIS Controls are a framework of actions that organizations can take to improve their overall security posture. These controls are organized into categories and updated frequently to address emerging threats and technologies. The Center for Internet Security (CIS) defines CIS Critical Security Controls as:

“A prioritized set of Safeguards to mitigate the most prevalent cyberattacks against systems and networks.”

In this article, we’ll look deeper into all 18 controls.

What is the Center for Internet Security (CIS)?

The Center for Internet Security (CIS) is a nonprofit organization focusing on enhancing the cybersecurity readiness and resilience of public and private sector entities. They’re well known for developing CIS Controls,  though a few other projects and initiatives undertaken by them include:

• CIS Benchmarks
• CIS-CAT Pro
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
• Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

The organization developed critical security controls in 2008, but the latest update (Version 8.1) was released in 2024.

(Read about ISACs, aka Information Sharing & Analysis Centers.)

CIS Critical Control version 8.1: an overview

The latest version, CIS Critical Controls 8.1 provide a prioritized set of actions you can take to improve the state of cybersecurity of your company. The controls that we are going to discuss will focus on:

• Access control
• System configuration
• Vulnerability management

By aligning to these controls, you'll better protect your organization from common cyber threats. Also, since the framework requires minimal resources, it is cost-effective for mid-level or small organizations.

Does 8.1 support backward compatibility?

CIS Controls 8.1 offers backward compatibility with older versions. If your organization is using a prior version,  you can implement 8.1 controls by mapping your existing controls to the updated set. Although the updates will reflect the current security trends, the structure will remain the same. Now, let's discuss some notable features.

Features of CIS critical control version 8.1

Focus on cloud and hybrid environments: Version 8.1 focuses on the importance of security management in cloud or hybrid environments. It makes asset security easier: on cloud, on-premises, and in hybrid infrastructure.

Alignment to industry standard frameworks: CIS controls align with different major industry standard frameworks, including:

• NIST Cybersecurity Framework 
• GDPR
• HIPAA
• ISO/IEC 27001
• PCI DSS

Shift to task-based focus: CIS controls v8.1 shifted to task-based focus and away from role-based. This flexibility prioritizes important security tasks over predefined roles. Now, organizations can adapt their control over evolving responsibilities and dynamic hybrid or cloud environments.

Benefits of implementing CIS critical security controls

Here’s why CIS Controls are valuable and how they can help your organization:

• Prioritization. With CIS Controls, you have a proper list of security actions that can help you focus your efforts on the most critical and impactful security measures for your organization. You can first identify the most important areas to address to effectively allocate resources.
• Risk reduction. With controls around asset management and addressing common attack vectors, organizations tend to reduce their risk exposure to threats.
• Standardization. With CIS Controls comes a standardized set of security practices to help establish a common language and baseline for security across different sectors within your organization.
• Measurable progress. The CIS Controls give a clear roadmap to measure your organization’s progress in implementing security measures. This helps keep track of the security maturity, identify gaps, and prioritize ongoing improvements.
• Industry-standard regulations. CIS controls address security requirements and help you to check if you are complying with regulatory standards like PCI DSS, GDPR, or HIPAA.
• Legal support. CIS controls provide your organization with a more structured approach towards security, thus helping you to meet state and legal compliance.

CIS Controls v8.1: The 18 CIS Critical Security Controls

Consider CIS controls your foundation of security measures to protect systems against malicious activities. Can you do more when it comes to cybersecurity? Always. But this gives you a strong foundation.

Here’s a deeper dive into each control:

1) Inventory and control of enterprise assets

This control focuses on keeping track of all the devices and software in an organization's on-premise as well as cloud or hybrid environment. It lets CyberSec experts maintain an up-to-date inventory of authorized devices (like computers, servers, cloud-based assets, and mobile devices) and software (applications, operating systems, etc.) to track the total assets managed within the organization.

With this control, you can also identify and manage any unauthorized devices or software that may pose security risks. By maintaining a comprehensive inventory, organizations can monitor and control their assets, making it easier to ensure the security of their physical and virtual environment.

Organizations need to understand which data is important to them so they can enact security measures to protect it. By managing their assets effectively using this control, they can determine which parts of their business house or handle this important data.

Implementing inventory and control

• Create and keep a thorough inventory of all assets within the organization.
• Deal with any unauthorized assets.
• Make use of a tool that actively discovers assets.
• Update the enterprise asset inventory by logging information through the Dynamic Host Configuration Protocol (DHCP).

2) Inventory and control of software assets

This control lets you manage the software installed on both enterprise assets and cloud-based applications. By effectively managing software assets, you help prevent unauthorized software, so you don't unintentionally introduce security risks and vulnerabilities.

Having a comprehensive inventory of software keeps your organization’s system safe. And to protect your organization from severe attacks, you should update and patch your software frequently.

But here's the catch: if you don't know what software you have, it's hard to identify if any of it is vulnerable, or if you're breaking any licensing rules.

How to get started with software asset control

Here’s how you can follow and implement this control:

• Create and manage your software inventory. Start with asset and app discovery.
• Keep all software up-to-date and in line with official support.
• Minimize or remove any software that you're not supposed to have.
• Ise automated tools to keep track of your software inventory.
• Allow only approved software, software libraries, and scripts to run on your systems.

3) Data protection

Data is no longer confined within a company's boundaries. Data's in the cloud, on portable devices at users' homes. It's often shared with partners or online services hosted anywhere in the world. (That's often what those lengthy terms of services spell out.)

When hackers breach a company's infrastructure, one of their goals is to locate and steal data. Companies may not be aware that sensitive information is leaving their system because they are not monitoring the data flow.

To address this issue, you should implement data encryption when transmitting data and leaving data at rest. This not only helps protect against data breaches but is also a requirement imposed by regulations for most types of controlled data. Data monitoring is another technique that's becoming more common. 

Data protection safeguards

Here’s how you can follow and implement this control:

• Set up and maintain a system for managing data.
• Keep track of all the data you have.
• Control who can access the data by setting permissions.
• Make sure data is stored for the right amount of time.
• Safely get rid of data you no longer need.
• Protect data on devices used by end-users.
• Create and keep a system for organizing data by importance.
• Document how data moves within your organization.
• Encrypt data stored on removable devices.
• Encrypt sensitive data during transfer.
• Encrypt sensitive data while it's at rest or stored.
• Separate data processing and storage based on how sensitive it is.
• Use a solution to prevent data loss.
• Keep a record of who accesses sensitive data.

4) Secure configuration of enterprise assets and software

Out of the box, most enterprise assets and software come with default settings focused on easy setup and user-friendliness rather than security. These are great for getting started quickly, but these default settings can leave your system vulnerable to attacks.

Attackers can exploit basic controls, default passwords, pre-configured DNS settings, and outdated protocols. That's why changing away from default settings is so important. So, this control focuses on establishing secure configurations for hardware (devices and systems) and software components used physically within the organization as well as hybrid or cloud environments.

How to manage asset and software configuration

Here’s how you can follow and implement this control:

• Set up and keep a secure configuration system.
• Set up and maintain a secure configuration system for network infrastructure.
• Enable automatic session locking on company assets.
• Set up and oversee a firewall on servers.
• Set up and oversee a firewall on user devices.

5) Account management

Unauthorized access to your assets or data is most likely to occur when someone with valid user credentials, whether from inside or outside the organization is involved, rather than relying on traditional hacking techniques.

Those with administrative accounts in your organization are core targets since the attackers can use their accounts to create additional accounts or modify assets in a way that makes them susceptible to further breaches.

This control suggests you closely manage user access privileges, password policies, and account activity. And by doing so, you can ensure that only authorized individuals can access specific systems or data based on their roles and responsibilities. In version 8.1, this control focuses more on monitoring accounts that interact with SaaS applications or cloud services.

Key aspects of account management

Here’s how you can follow and implement this control:

• Create and maintain an inventory of accounts.
• Use different passwords for each account.
• Deactivate unused accounts.
• Limit administrative powers to specific administrator accounts.
• Establish and manage an inventory of service accounts.
• Consolidate account management in one central place.

6) Access control management

While CIS Control 5 is about managing user accounts, access control management focuses on controlling the level of access user accounts have in your organization. It guides about restricting access to critical systems and sensitive data based on the principle of least privilege.

Per this control, account users should only have access to the data or assets relevant to their job and have strong authentication measures in place for sensitive data. By implementing these measures, you reduce the risk of unauthorized access and potential misuse of resources in your organization.

Implementing PAM (Privileged Access Management) will limit access to critical data and systems based on the user's role, reducing the risk of insider threat. For an extra layer of security, you can implement Multi-Factor Authentication. MFA will prevent access attempts by unauthorized users in case of compromised credentials. Thereby lowering the risk of common attacks like password spraying or phishing.

(MFA and PAM are great ways to get ahead of common attacks such as password spraying.)

Access control management safeguards

Here’s how you can follow and implement this control:

1. Set up a process to grant access.
2. Set up a process to revoke access.
3. Ensure Multi-Factor Authentication (MFA) is used for applications accessible from outside the organization (especially cloud or hybrid-based applications).
4. Ensure the use of MFA for accessing the network remotely.
5. Ensure the use of MFA for administrative access.
6. Create and keep a list of systems that verify and authorize users.
7. Consolidate access control in a central location.
8. Establish and manage access control based on specific roles.

7) Continuous vulnerability management

Continuous vulnerability management is the practice of assessing and addressing vulnerabilities in your on-premise or cloud-based systems and applications. It emphasizes the importance of defenders regularly assessing their environment to identify vulnerabilities before attackers can exploit them.

Cyber defenders face ongoing challenges from attackers who seek out weaknesses in their infrastructure to exploit and gain entry. That’s why the defenders (AKA the blue team) should have access to up-to-date information about potential threats, such as software updates, patches, and security advisories.

(Related reading: the most common vulnerability types.)

Applying continuous vulnerability management

Here’s how you can follow and implement this control:

• Set up and maintain a system to identify and address vulnerabilities in your organization.
• Set up and maintain a process to fix identified issues.
• Use automated tools to keep your operating systems up to date with the latest patches.
• Use automated tools to update applications with the latest patches.
• Use automated tools to scan your internal company assets for potential vulnerabilities.
• Use automated tools to scan your external-facing company assets for potential vulnerabilities.
• Take action to fix any vulnerabilities that are detected.

8) Audit log management

Audit records sometimes are the sole proof of a successful attack. Attackers know that some organizations maintain audit logs for compliance reasons, yet they don’t examine them often. Exploiting this knowledge, attackers conceal their whereabouts, malicious software, and actions on compromised machines.

Due to non-existent log analysis procedures, threat actors gain control over victim machines for extended periods without the targeted organization being aware of their presence.

That’s why this control focuses on reviewing and retaining detailed logs of activities and events within an organization's systems and networks. By analyzing audit logs, you can detect suspicious or unauthorized activities, identify potential security incidents, and respond promptly to mitigate their impact.

Audit log management safeguards

Here’s how to follow and implement this control:

• Set up and maintain a system for managing audit logs.
• Gather the audit internal logs as well as logs from cloud-based services or providers.
• Make sure you have enough storage space for the audit logs.
• Ensure that all devices have synchronized time.
• Collect thorough and detailed audit logs.
• Gather logs for DNS queries.
• Gather audit logs for URL requests.
• Gather audit logs for command-line activities.
• Consolidate all the audit logs in a central location.
• Keep the audit logs for a specified duration.
• Regularly review the audit logs.
• Obtain logs from the service provider.

9) Email and web browser protections

Email and web browsers are prime targets for both malicious software and social engineering tactics. That’s why this control emphasizes preventing phishing attacks, malware infections, and other web-based threats.

Attackers target web browsers and email clients because of direct interaction with users within a company. They create deceptive content to trick users into sharing their login credentials, revealing sensitive information, or providing an entry point for unauthorized access.

Email and web browser protections

Here’s how you can follow and implement this control:

• Use only web browsers and email programs that are officially supported.
• Utilize services that filter and block harmful websites through the Domain Name System (DNS).
• Use content inspection and DNS filtering tools for cloud-based email services.
• Keep and enforce filters on your network that block access to suspicious or unsafe URLs.
• Limit the use of browser and email extensions that are unnecessary or not authorized.
• Set up and enforce DMARC (Domain-based Message Authentication, Reporting, and Conformance) to enhance email security.
• Prevent the downloading or opening of unnecessary file types that could pose a risk.
• Set up and maintain protections on your email server to defend against malware attacks.

10) Malware defense

Malicious software, like viruses or trojans, poses a significant and hazardous risk in the realm of internet threats. It infiltrates enterprises through vulnerabilities found in end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media.

That's why organizations should implement malware defenses across all possible entry points and enterprise assets. These defenses help identify, prevent, or manage the presence of malicious software or code by thwarting the execution of harmful applications, code, or scripts on enterprise assets.

Malware defense safeguards

Here’s how you can follow and implement this control:

• Install and keep up-to-date antivirus software.
• Set up automatic updates for antivirus signatures.
• Use cloud-enabled and centralized anti-malware or anti-virus software.
• Turn off the automatic opening of removable media.
• Schedule regular automatic scans of removable media for viruses.
• Activate features that protect against software vulnerabilities.
• Manage antivirus software from a central location.
• Utilize antivirus software that detects suspicious behavior.

11) Data recovery

When attackers gain access to systems, they may modify settings, create new accounts, and install unauthorized software or scripts. These actions are difficult to detect because attackers may replace legitimate applications with malicious ones or use seemingly normal account names.

That’s why you should have up-to-date backups or copies of your data and systems to restore your enterprise assets and data to a known, trusted state.

Data recovery safeguards

Here’s how you can follow and implement this control:

• Set up and keep a plan for recovering data, especially for the data stored in a hybrid or cloud-based virtual environment.
• Use automated tools to make backups.
• Safeguard the data used for recovery.
• Ensure that there is a recovery process to restore the data stored in cloud.
• Create and manage a separate copy of the recovery data.
• Check if the data recovery process works correctly.

(Data recovery is a key aspect of any disaster recovery plan.)

12) Network infrastructure management

Attackers look for weak default configurations, gaps, or inconsistencies in firewall rules, routers, and switches, they then exploit these vulnerabilities to breach defenses and gain unauthorized access to networks and intercept data during transmission.

To defend against such attacks, your organization should have a secure network infrastructure. This control recommends establishing, implementing, and managing network devices to prevent attackers from exploiting vulnerable network services and access points.

Network infrastructure management best practices

Here’s how you can follow and implement this control:

• Make sure your network is kept current.
• Set up and maintain a secure network structure.
• Manage your network infrastructure securely.
• Create and keep architecture diagrams.
• Consolidate network authentication, authorization, and auditing in one place.
• Use secure protocols for managing and communicating on the network.
• Ensure remote devices connect to an enterprise's authentication infrastructure through a VPN.
• Secure the configuration of virtual networks and firewalls of your cloud enviroment.
• Allocate dedicated computing resources for all administrative tasks and keep them maintained.

13) Network monitoring and defense

Security tools are only effective if they’re part of a continuous monitoring process that enables staff to receive timely alerts and respond swiftly to security incidents. Organizations relying solely on technology without considering other factors encounter more false positives, as they overly depend on alerts generated by their tools.

This control reommends that continuously monitor network traffic, identify suspicious activities, and respond promptly to mitigate the impact.

Network monitoring and defense safeguards

Here’s how you can follow and implement this control:

• Consolidate the alerting system for security events.
• Set up a system that detects unauthorized activities on both the network and individuals' devices. 
• Implement measures to filter and control traffic flow between different network parts.
  
• Manage and control access to assets from remote locations.
• Ensure that you are constantly monitoring traffic on cloud and hybrid environments
• Gather logs that capture the flow of network traffic.
• Set up a system that prevents unauthorized activities on both the network and individuals' devices.
• Implement access control at the port level.
• Apply filters to monitor and control the application layer of network traffic.
• Adjust alert thresholds about security events to optimize effectiveness.

14) Security awareness and skills training

The actions of users impact whether an organization's security program succeeds or fails. It’s much easier for an attacker to trick a user into clicking a link or opening an email attachment, for instance, than to exploit a network vulnerability directly.

Users can cause incidents by:

• Mishandling sensitive data.
• Sending sensitive information to the wrong person.
• Losing a portable device.
• Using weak passwords or reusing passwords from public sites.

That's why you should establish and maintain a security awareness program that promotes a security-conscious mindset and provides the necessary skills to reduce cybersecurity risks for the organization.

Getting started with security awareness and skills training

Here’s how you can follow and implement this control:

• Establish and maintain a program to raise security awareness.
• Educate employees to identify social engineering attacks.
• Provide training to employees on the best practices for authentication.
• Teach employees the best practices for handling data.
• Educate employees on the causes of unintentional data exposure.
• Train employees to recognize and report security incidents.
• Educate employees specifically about the risks of cloud data, remote working, and off-premise access.
• Instruct employees on identifying and reporting missing security updates for enterprise assets.
• Educate employees about the risks of connecting to and transmitting enterprise data over insecure networks.
• Conduct role-specific training sessions to enhance security awareness and skills.

(A strong cybersecurity awareness program should emphasize common attacks and good cyber hygiene.)

15) Service provider management

There have been countless instances where organizations have been affected by breaches caused by third parties. CIS Control 15 is designed to sort this problem. It involves managing and monitoring third-party service providers with access to an organization's systems, networks, or data.

This control recommends assessing and monitoring the security practices of service providers, with an emphasis on ensuring the protection of sensitive information and maintaining the security posture of the organization.

(Related reading: third party risk management.)

What to watch for when managing service providers

Here’s how you can follow and implement this control:

• Document all service providers you work with. 
• Develop and uphold a policy for managing service providers.
• Categorize service providers into different groups.
• Make sure that security requirements are included in service provider contracts.
• Evaluate service providers to determine their suitability.
• Keep an eye on service providers to ensure compliance and performance.
• Safely remove service providers from operations when they are no longer needed.

16) Application software security

Applications are a user-friendly platform that enables users to access and handle data according to business requirements. They reduce users' need to engage with intricate system operations, such as logging into a database to insert or modify files, which can be prone to errors.

Instead of going through a complex network and system hacking process to bypass security measures, an attacker may exploit vulnerabilities within the application itself to gain unauthorized access to data. So, you should implement secure coding practices and processes to ensure the security of custom-developed software in your organization.

Application software security safeguards

Here’s how you can follow and implement this control:

• Create and maintain a secure process for developing applications.
• Establish and maintain a system to identify and address software vulnerabilities.
• Investigate the root causes of security vulnerabilities.
• Set up and manage a list of software components from third-party sources, especially cloud-native and SaaS tools.
• Utilize updated and trusted software components from external sources.
• Create and maintain a system to rate the severity of application vulnerabilities.
• Use standardized configuration templates to strengthen the security of application infrastructure.
• Keep production and non-production systems separate.
• Provide training to developers on application security concepts and secure coding practices.
• Apply secure design principles when designing application architectures.
• Utilize pre-verified modules or services for application security components.
• Implement security checks at the code level.
• Conduct penetration testing on applications.
• Perform threat modeling to identify potential risks.

17) Incident response management

Incident response management means developing and implementing an incident response plan to address and mitigate security incidents. An incident response plan outlines the steps and procedures to be followed during a security incident. The plan consists of measures to protect, detect, respond to, and recover from threats.

Incident response is the first pillar of any incident management program. In underdeveloped organizations, the response and recovery aspects are often neglected. The only response technique employed when systems are compromised is to restore them to their original state and continue as if nothing happened.

The main objective of incident response is to identify threats within the organization, respond promptly to prevent their spread and resolve them before they can cause any damage.

Incident response management safeguards

Here’s how you can follow and implement this control:

• Choose staff members to handle incidents effectively.
• Keep updated contact information for reporting security issues.
• Create a systematic approach for reporting incidents across the organization.
• Develop and sustain a process to handle incidents promptly.
• Implement AI-based cloud monitoring services that can constantly monitor the system to check for anomalies.
• Allocate specific roles and responsibilities to team members.
• Determine effective communication methods during incident response.
• Regularly practice incident response procedures.
• Perform reviews after incidents to learn from them.
• Set and maintain predetermined levels for security incidents.

(Learn more about incident severity levels, incident metrics & best practices for incident postmortems.)

18) Penetration testing

To maintain a strong defense against threats, it's important to have a well-rounded approach that includes effective policies, governance, and technical defenses. Achieving perfection is difficult because technology is always changing and attackers are constantly developing new tactics. That's why you should regularly penetration test your organization’s security measures to uncover any weaknesses and evaluate their ability to withstand attacks

This control recommends testing the effectiveness and resilience of company assets by identifying and exploiting vulnerabilities in the systems, processes, and technology while simulating the actions and goals of an attacker.

Here’s how you can follow and implement this control:

• Set up and keep a program for testing how secure your system is from hackers.
• Conduct regular tests to see if external hackers can break into your system or if there are any potential vulnerabilities in your cloud environment.
• Fix any issues that are found during the tests.
• Confirm that your security measures are effective and working correctly.
• Conduct regular tests to check if someone inside your organization can breach your system.

Summing up the CIS critical security controls

Implement CIS controls to help your organization establish a strong defense against cyber attacks, safeguard sensitive data, and ensure the continuity of its operations. By prioritizing these controls, you can mitigate risks, detect potential vulnerabilities, and respond promptly to incidents.