The CIS controls, previously known as the SANS Critical Security Controls, are a recommended set of actions developed by the Center for Internet Security to enable organisations to thwart the most pervasive cybersecurity threats they are likely to face. The latest version of these controls, version 8, reduces their number from 20 to 18 and organises them according to the activities involved, rather than who is responsible for managing each component. Every organisation needs to protect their network infrastructure and take steps to reduce its vulnerability to cyber-attacks; the CIS controls provide a blueprint for achieving this reliably.
Equally, any business or organisation that outsources some or all of its IT management to a third party should be aware of the CIS controls and why it’s always preferable to partner with service providers who are CIS compliant.
What are the CIS controls, and what are their benefits?
The goal of the CIS Controls is to provide a universal starting point for enterprises to improve their cybersecurity policies. The Center for Internet Security describes the CIS Controls as “must-do, do-first” defensive actions. By working through the list and ensuring that every item on it is implemented, enterprises can ensure they have effective cyber defences in place.
Development began on the original CIS controls in 2008. The first set of controls was devised by a grass-roots consortium that included businesses, government agencies, and other institutions from around the world. Since then, the CIS Controls have been maintained by the community via an informal peer-review process. As the nature of the cybersecurity threats facing businesses continues to evolve, so too must the best practices used to mitigate their impact and defend against them.
Why should organisations implement the CIS Controls?
From the perspective of a business looking to improve its own cybersecurity and reduce its vulnerability, the CIS controls provide an excellent starting point for implementing a comprehensive security policy. Adherence to the CIS standard shows that organisations take their cybersecurity seriously and are actively working to identify and neutralise potential threats before they have a chance to cause damage. Any business that is entrusted to handle other people’s personal data has an obligation to ensure it keeps that data safe and out of the hands of hackers and criminals.
In 2016, then California Attorney General Kamala Harris summarised the CIS controls best: “The set of 20 Controls constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.”
What are the CIS Controls?
There are currently 18 CIS Controls that organisations need to implement to meet the CIS standards:
CIS Control 1: Inventory and Control of Enterprise Assets
Organisations should actively manage every end-user device connected to their network.
CIS Control 2: Inventory and Control of Software Assets
The active management of all software on the network, including operating systems and individual applications.
CIS Control 3: Data Protection
Ensuring the safety and integrity of data stored on the network.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
Ensuring software and end-user devices are configured securely.
CIS Control 5: Account Management
CIS Control 6: Access Control Management
Management of user credentials and authorisation to ensure secure access control across the network.
CIS Control 7: Continuous Vulnerability Management
Identifying and monitoring vulnerabilities.
CIS Control 8: Audit Log Management
Collect, review, and maintain event logs to help understand and recover from attacks.
CIS Control 9: Email and Web Browser Protections
Improve threat protection and detection via these common attack vectors.
CIS Control 10: Malware Defenses
Ensure adequate antivirus monitoring to identify and neutralise malware.
CIS Control 11: Data Recovery
Ensure robust data backup processes to enable swift and complete recovery following a cyber attack.
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
Ensure network infrastructure is monitored and maintained.
CIS Control 14: Security Awareness and Skills Training
Provide adequate staff training so they can identify social engineering and phishing attacks.
CIS Control 15: Service Provider Management
Carefully vet third-party service providers and ensure any outside partners have robust cybersecurity policies.
CIS Control 16: Application Software Security
Making sure that no application running on the network poses a security risk or creates vulnerabilities.
CIS Control 17: Incident Response Management
Developing plans for a rapid and robust response to any security incidents.
CIS Control 18: Penetration Testing
Simulating attacks on your own network to identify weak points and fix any vulnerabilities.
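Controls 1 and 2 are the "do-first" items because every later control depends on knowing what is on the network. The following is an added example, not code from the article or from the Center for Internet Security, showing the reconciliation those two controls call for: an authorised hardware inventory (with a per-asset software allow-list) is compared against what was actually observed, and the result separates unauthorised devices, expected devices that have gone missing, and unapproved software on known devices. All inventories, MAC addresses, hostnames and package names below are constructed sample data.

```python
"""Asset inventory reconciliation for CIS Controls 1 and 2 (added example).

Compares an authorised hardware/software inventory against devices and
packages observed on the network. Every record below is constructed
sample data, not taken from any real network.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """One authorised enterprise asset and the software it may run."""
    mac: str
    hostname: str
    owner: str
    software: frozenset = field(default_factory=frozenset)


# Authorised inventory (constructed). Keyed by lower-case MAC so lookups
# are case-insensitive regardless of how a scanner reports addresses.
AUTHORISED = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "laptop-alice", "alice",
                               frozenset({"openssh-client", "firefox"})),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "laptop-bob", "bob",
                               frozenset({"firefox"})),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "printer-1", "facilities"),
}

# Observations (constructed): what an endpoint agent or lease dump reported.
# Note the upper-case MAC, the extra package on laptop-bob, the unknown
# device, and the absence of printer-1.
OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "hostname": "laptop-alice",
     "software": ["openssh-client", "firefox"]},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "laptop-bob",
     "software": ["firefox", "bittorrent-client"]},
    {"mac": "de:ad:be:ef:00:99", "hostname": "unknown-device",
     "software": []},
]


def reconcile(authorised, observed):
    """Return the three kinds of finding Controls 1 and 2 care about."""
    observed_by_mac = {o["mac"].lower(): o for o in observed}

    # Control 1: devices on the network that are not in the inventory.
    unauthorised = sorted(m for m in observed_by_mac if m not in authorised)
    # Control 1: inventoried devices that were not seen (lost, stolen, or
    # simply off; either way the inventory needs a decision).
    missing = sorted(m for m in authorised if m not in observed_by_mac)

    # Control 2: software present on a known device but not on its allow-list.
    unapproved_software = {}
    for mac, obs in observed_by_mac.items():
        asset = authorised.get(mac)
        if asset is None:
            continue  # already reported as an unauthorised device
        extra = sorted(set(obs["software"]) - asset.software)
        if extra:
            unapproved_software[mac] = extra

    return {
        "unauthorised_devices": unauthorised,
        "missing_devices": missing,
        "unapproved_software": unapproved_software,
    }


def main():
    report = reconcile(AUTHORISED, OBSERVED)
    for mac in report["unauthorised_devices"]:
        print(f"UNAUTHORISED DEVICE {mac}: not in inventory; decide to "
              f"remove, deny or quarantine, then record the decision")
    for mac in report["missing_devices"]:
        print(f"MISSING DEVICE {mac} ({AUTHORISED[mac].hostname}): "
              f"confirm with owner {AUTHORISED[mac].owner}")
    for mac, pkgs in report["unapproved_software"].items():
        print(f"UNAPPROVED SOFTWARE on {AUTHORISED[mac].hostname}: "
              f"{', '.join(pkgs)}")


if __name__ == "__main__":
    main()
```

The two inputs are deliberately separate: the authorised inventory is the record an organisation maintains on purpose, while the observed list is whatever the network actually reports, and the value of the control lies in closing the gap between them on a regular schedule rather than in either list alone.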
Every enterprise can benefit from implementing CIS Controls. Businesses that adhere to the CIS standards are more secure and make more reliable partners.