CIS Controls are a framework of actions that organizations can take to improve their overall security posture. These controls are organized into categories and updated frequently to address emerging threats and technologies. The Center for Internet Security (CIS) defines CIS Critical Security Controls as:
“A prioritized set of Safeguards to mitigate the most prevalent cyberattacks against systems and networks.”
In this article, we’ll look deeper into all 18 controls.
The Center for Internet Security (CIS) is a nonprofit organization focusing on enhancing the cybersecurity readiness and resilience of public and private sector entities. They’re well known for developing CIS Controls, though a few other projects and initiatives undertaken by them include:
The organization developed critical security controls in 2008, but the latest update (Version 8.1) was released in 2024.
(Read about ISACs, aka Information Sharing & Analysis Centers.)
The latest version, CIS Critical Controls 8.1 provide a prioritized set of actions you can take to improve the state of cybersecurity of your company. The controls that we are going to discuss will focus on:
By aligning to these controls, you'll better protect your organization from common cyber threats. Also, since the framework requires minimal resources, it is cost-effective for mid-level or small organizations.
CIS Controls 8.1 offers backward compatibility with older versions. If your organization is using a prior version, you can implement 8.1 controls by mapping your existing controls to the updated set. Although the updates will reflect the current security trends, the structure will remain the same. Now, let's discuss some notable features.
Focus on cloud and hybrid environments: Version 8.1 focuses on the importance of security management in cloud or hybrid environments. It makes asset security easier: on cloud, on-premises, and in hybrid infrastructure.
Alignment to industry standard frameworks: CIS controls align with different major industry standard frameworks, including:
Shift to task-based focus: CIS controls v8.1 shifted to task-based focus and away from role-based. This flexibility prioritizes important security tasks over predefined roles. Now, organizations can adapt their control over evolving responsibilities and dynamic hybrid or cloud environments.
Here’s why CIS Controls are valuable and how they can help your organization:
Consider CIS controls your foundation of security measures to protect systems against malicious activities. Can you do more when it comes to cybersecurity? Always. But this gives you a strong foundation.
Here’s a deeper dive into each control:
This control focuses on keeping track of all the devices and software in an organization's on-premise as well as cloud or hybrid environment. It lets CyberSec experts maintain an up-to-date inventory of authorized devices (like computers, servers, cloud-based assets, and mobile devices) and software (applications, operating systems, etc.) to track the total assets managed within the organization.
With this control, you can also identify and manage any unauthorized devices or software that may pose security risks. By maintaining a comprehensive inventory, organizations can monitor and control their assets, making it easier to ensure the security of their physical and virtual environment.
Organizations need to understand which data is important to them so they can enact security measures to protect it. By managing their assets effectively using this control, they can determine which parts of their business house or handle this important data.
This control lets you manage the software installed on both enterprise assets and cloud-based applications. By effectively managing software assets, you help prevent unauthorized software, so you don't unintentionally introduce security risks and vulnerabilities.
Having a comprehensive inventory of software keeps your organization’s system safe. And to protect your organization from severe attacks, you should update and patch your software frequently.
But here's the catch: if you don't know what software you have, it's hard to identify if any of it is vulnerable, or if you're breaking any licensing rules.
Here’s how you can follow and implement this control:
Data is no longer confined within a company's boundaries. Data's in the cloud, on portable devices at users' homes. It's often shared with partners or online services hosted anywhere in the world. (That's often what those lengthy terms of services spell out.)
When hackers breach a company's infrastructure, one of their goals is to locate and steal data. Companies may not be aware that sensitive information is leaving their system because they are not monitoring the data flow.
To address this issue, you should implement data encryption when transmitting data and leaving data at rest. This not only helps protect against data breaches but is also a requirement imposed by regulations for most types of controlled data. Data monitoring is another technique that's becoming more common.
Here’s how you can follow and implement this control:
Out of the box, most enterprise assets and software come with default settings focused on easy setup and user-friendliness rather than security. These are great for getting started quickly, but these default settings can leave your system vulnerable to attacks.
Attackers can exploit basic controls, default passwords, pre-configured DNS settings, and outdated protocols. That's why changing away from default settings is so important. So, this control focuses on establishing secure configurations for hardware (devices and systems) and software components used physically within the organization as well as hybrid or cloud environments.
Here’s how you can follow and implement this control:
Unauthorized access to your assets or data is most likely to occur when someone with valid user credentials, whether from inside or outside the organization is involved, rather than relying on traditional hacking techniques.
Those with administrative accounts in your organization are core targets since the attackers can use their accounts to create additional accounts or modify assets in a way that makes them susceptible to further breaches.
This control suggests you closely manage user access privileges, password policies, and account activity. And by doing so, you can ensure that only authorized individuals can access specific systems or data based on their roles and responsibilities. In version 8.1, this control focuses more on monitoring accounts that interact with SaaS applications or cloud services.
Here’s how you can follow and implement this control:
While CIS Control 5 is about managing user accounts, access control management focuses on controlling the level of access user accounts have in your organization. It guides about restricting access to critical systems and sensitive data based on the principle of least privilege.
Per this control, account users should only have access to the data or assets relevant to their job and have strong authentication measures in place for sensitive data. By implementing these measures, you reduce the risk of unauthorized access and potential misuse of resources in your organization.
Implementing PAM (Privileged Access Management) will limit access to critical data and systems based on the user's role, reducing the risk of insider threat. For an extra layer of security, you can implement Multi-Factor Authentication. MFA will prevent access attempts by unauthorized users in case of compromised credentials. Thereby lowering the risk of common attacks like password spraying or phishing.
(MFA and PAM are great ways to get ahead of common attacks such as password spraying.)
Here’s how you can follow and implement this control:
Continuous vulnerability management is the practice of assessing and addressing vulnerabilities in your on-premise or cloud-based systems and applications. It emphasizes the importance of defenders regularly assessing their environment to identify vulnerabilities before attackers can exploit them.
Cyber defenders face ongoing challenges from attackers who seek out weaknesses in their infrastructure to exploit and gain entry. That’s why the defenders (AKA the blue team) should have access to up-to-date information about potential threats, such as software updates, patches, and security advisories.
(Related reading: the most common vulnerability types.)
Here’s how you can follow and implement this control:
Audit records sometimes are the sole proof of a successful attack. Attackers know that some organizations maintain audit logs for compliance reasons, yet they don’t examine them often. Exploiting this knowledge, attackers conceal their whereabouts, malicious software, and actions on compromised machines.
Due to non-existent log analysis procedures, threat actors gain control over victim machines for extended periods without the targeted organization being aware of their presence.
That’s why this control focuses on reviewing and retaining detailed logs of activities and events within an organization's systems and networks. By analyzing audit logs, you can detect suspicious or unauthorized activities, identify potential security incidents, and respond promptly to mitigate their impact.
Here’s how to follow and implement this control:
Email and web browsers are prime targets for both malicious software and social engineering tactics. That’s why this control emphasizes preventing phishing attacks, malware infections, and other web-based threats.
Attackers target web browsers and email clients because of direct interaction with users within a company. They create deceptive content to trick users into sharing their login credentials, revealing sensitive information, or providing an entry point for unauthorized access.
Here’s how you can follow and implement this control:
Malicious software, like viruses or trojans, poses a significant and hazardous risk in the realm of internet threats. It infiltrates enterprises through vulnerabilities found in end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media.
That's why organizations should implement malware defenses across all possible entry points and enterprise assets. These defenses help identify, prevent, or manage the presence of malicious software or code by thwarting the execution of harmful applications, code, or scripts on enterprise assets.
Here’s how you can follow and implement this control:
When attackers gain access to systems, they may modify settings, create new accounts, and install unauthorized software or scripts. These actions are difficult to detect because attackers may replace legitimate applications with malicious ones or use seemingly normal account names.
That’s why you should have up-to-date backups or copies of your data and systems to restore your enterprise assets and data to a known, trusted state.
Here’s how you can follow and implement this control:
(Data recovery is a key aspect of any disaster recovery plan.)
Attackers look for weak default configurations, gaps, or inconsistencies in firewall rules, routers, and switches, they then exploit these vulnerabilities to breach defenses and gain unauthorized access to networks and intercept data during transmission.
To defend against such attacks, your organization should have a secure network infrastructure. This control recommends establishing, implementing, and managing network devices to prevent attackers from exploiting vulnerable network services and access points.
Here’s how you can follow and implement this control:
Security tools are only effective if they’re part of a continuous monitoring process that enables staff to receive timely alerts and respond swiftly to security incidents. Organizations relying solely on technology without considering other factors encounter more false positives, as they overly depend on alerts generated by their tools.
This control reommends that continuously monitor network traffic, identify suspicious activities, and respond promptly to mitigate the impact.
Here’s how you can follow and implement this control:
The actions of users impact whether an organization's security program succeeds or fails. It’s much easier for an attacker to trick a user into clicking a link or opening an email attachment, for instance, than to exploit a network vulnerability directly.
Users can cause incidents by:
That's why you should establish and maintain a security awareness program that promotes a security-conscious mindset and provides the necessary skills to reduce cybersecurity risks for the organization.
Here’s how you can follow and implement this control:
(A strong cybersecurity awareness program should emphasize common attacks and good cyber hygiene.)
There have been countless instances where organizations have been affected by breaches caused by third parties. CIS Control 15 is designed to sort this problem. It involves managing and monitoring third-party service providers with access to an organization's systems, networks, or data.
This control recommends assessing and monitoring the security practices of service providers, with an emphasis on ensuring the protection of sensitive information and maintaining the security posture of the organization.
(Related reading: third party risk management.)
Here’s how you can follow and implement this control:
Applications are a user-friendly platform that enables users to access and handle data according to business requirements. They reduce users' need to engage with intricate system operations, such as logging into a database to insert or modify files, which can be prone to errors.
Instead of going through a complex network and system hacking process to bypass security measures, an attacker may exploit vulnerabilities within the application itself to gain unauthorized access to data. So, you should implement secure coding practices and processes to ensure the security of custom-developed software in your organization.
Here’s how you can follow and implement this control:
Incident response management means developing and implementing an incident response plan to address and mitigate security incidents. An incident response plan outlines the steps and procedures to be followed during a security incident. The plan consists of measures to protect, detect, respond to, and recover from threats.
Incident response is the first pillar of any incident management program. In underdeveloped organizations, the response and recovery aspects are often neglected. The only response technique employed when systems are compromised is to restore them to their original state and continue as if nothing happened.
The main objective of incident response is to identify threats within the organization, respond promptly to prevent their spread and resolve them before they can cause any damage.
Here’s how you can follow and implement this control:
(Learn more about incident severity levels, incident metrics & best practices for incident postmortems.)
To maintain a strong defense against threats, it's important to have a well-rounded approach that includes effective policies, governance, and technical defenses. Achieving perfection is difficult because technology is always changing and attackers are constantly developing new tactics. That's why you should regularly penetration test your organization’s security measures to uncover any weaknesses and evaluate their ability to withstand attacks
This control recommends testing the effectiveness and resilience of company assets by identifying and exploiting vulnerabilities in the systems, processes, and technology while simulating the actions and goals of an attacker.
Here’s how you can follow and implement this control:
Implement CIS controls to help your organization establish a strong defense against cyber attacks, safeguard sensitive data, and ensure the continuity of its operations. By prioritizing these controls, you can mitigate risks, detect potential vulnerabilities, and respond promptly to incidents.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.