
CIS Controls — 18 prioritised security controls

Reviewed by: Cenedril Editorial

An 80-person machinery manufacturer is hit by a ransomware attack through an unpatched VPN appliance. After the incident, the managing director asks the head of IT: “Which ten measures would have prevented this — and which of them are we missing?” The head of IT presents a list of 56 specific Safeguards from CIS Implementation Group 1, 22 of which are absent. Within nine months they are all in place. A concrete list makes concrete decisions possible. The CIS Controls are strongest where abstract frameworks take too long to arrive in the IT workshop.

The CIS Controls (formerly SANS Top 20) are a prioritised catalogue of 18 security controls published by the US-based Center for Internet Security. The current version 8.1 (June 2024) comprises 18 Controls containing a total of 153 Safeguards (individual measures). In contrast to generic frameworks, each Safeguard is specifically worded and directly actionable.

What does the standard cover?

The 18 Controls are ordered by effectiveness against real attacks — the first Controls prevent the most common attack vectors. Each Control consists of several Safeguards and is assigned to one or more Implementation Groups.

The 18 Controls (v8.1)

  • CIS 1 — Inventory and control of hardware assets: Which devices are on the network?
  • CIS 2 — Inventory and control of software assets: Which software is running, authorised and unauthorised?
  • CIS 3 — Data protection: classification, encryption, data flow monitoring.
  • CIS 4 — Secure configuration of enterprise assets and software: hardening beyond the shipping defaults.
  • CIS 5 — Account management: manage user accounts, deactivate inactive ones.
  • CIS 6 — Access control management: govern privileged access, enforce multi-factor authentication.
  • CIS 7 — Continuous vulnerability management: patching, scanning, prioritisation.
  • CIS 8 — Audit log management: collect, protect and analyse logs.
  • CIS 9 — Email and web browser protection: filtering, secure configuration, awareness.
  • CIS 10 — Malware defences: EDR, signature and behavioural analysis.
  • CIS 11 — Data recovery: backups, regular restore tests.
  • CIS 12 — Network infrastructure management: secure network architecture, segmentation.
  • CIS 13 — Network monitoring and defence: IDS/IPS, behavioural analysis.
  • CIS 14 — Awareness and skill training: training for employees.
  • CIS 15 — Service provider management: governance of external providers.
  • CIS 16 — Application software security: secure development, code reviews, SAST/DAST.
  • CIS 17 — Incident response management: incident management with roles and exercises.
  • CIS 18 — Penetration testing: regular offensive security tests.

Implementation Groups

| Group | Number of Safeguards | Target audience |
|---|---|---|
| IG1 | 56 | Small organisations, limited IT resources, primarily protection against opportunistic attacks |
| IG2 | 130 (incl. IG1) | Mid-sized organisations with IT staff, confidential data, multiple locations |
| IG3 | 153 (incl. IG1 + IG2) | Large organisations with security teams, targeted threats, regulatory requirements |

Every Safeguard carries exactly one IG marking: “IG1, IG2, IG3” (required from IG1 upward), “IG2, IG3” (required from IG2 upward) or “IG3” only. The groups therefore nest: a higher group always includes every Safeguard of the lower ones. The assignment follows one question: which measures are appropriate for which threat level?

Assessment and implementation practice

CIS CSAT (Controls Self Assessment Tool). Web-based, free-of-charge tool for self-assessment per Safeguard with a maturity scale (Policy defined, Implemented, Automated, Reported). Results can be exported as a heatmap and roadmap.
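As an added illustration of the IG nesting rule and the CSAT maturity scale described above, the following Python script models a per-Safeguard self-assessment and derives cumulative IG coverage, a weakest-maturity heatmap per Control and an ordered gap roadmap. It is example code written for this page, not CIS tooling; the Safeguard identifiers, tier assignments and maturity values in SAMPLE are constructed for the example and do not reproduce the real CIS catalogue.

```python
"""Self-assessment of CIS Safeguards by Implementation Group (IG).

Models the nesting rule (IG1 within IG2 within IG3) and a CSAT-style maturity
scale, then computes coverage per IG and a gap roadmap. Identifiers, tiers and
maturity values in SAMPLE are constructed and are not the real CIS catalogue.
"""
from dataclasses import dataclass
from enum import IntEnum


class Maturity(IntEnum):
    """CSAT-style scale; anything below IMPLEMENTED counts as a gap."""
    NOT_IMPLEMENTED = 0
    POLICY_DEFINED = 1
    IMPLEMENTED = 2
    AUTOMATED = 3
    REPORTED = 4


@dataclass(frozen=True)
class Safeguard:
    sid: str        # constructed identifier, not a real CIS Safeguard number
    control: int    # CIS Control 1..18 the Safeguard belongs to
    min_ig: int     # lowest IG requiring it: 1 = "IG1, IG2, IG3", 2 = "IG2, IG3", 3 = "IG3"
    maturity: Maturity


def required_for(safeguards, ig):
    """A Safeguard applies to every IG at or above its minimum tier."""
    return [s for s in safeguards if s.min_ig <= ig]


def gaps(safeguards, ig, threshold=Maturity.IMPLEMENTED):
    """Safeguards required for `ig` whose maturity is below `threshold`.

    Ordered as a roadmap would be worked: IG1 gaps before IG2-only gaps, and
    within a tier by Control number, since lower Controls address the most
    common attack vectors.
    """
    missing = (s for s in required_for(safeguards, ig) if s.maturity < threshold)
    return sorted(missing, key=lambda s: (s.min_ig, s.control, s.sid))


def coverage(safeguards, threshold=Maturity.IMPLEMENTED):
    """Per IG: (required count, gap count). Required counts are cumulative,
    mirroring the 56 / 130 / 153 split of v8.1."""
    return {ig: (len(required_for(safeguards, ig)), len(gaps(safeguards, ig, threshold)))
            for ig in (1, 2, 3)}


def heatmap(safeguards, ig):
    """Weakest maturity per Control among the Safeguards required for `ig`."""
    result = {}
    for s in required_for(safeguards, ig):
        result[s.control] = min(result.get(s.control, Maturity.REPORTED), s.maturity)
    return result


# Constructed assessment data (ids, tiers and maturities are illustrative only).
SAMPLE = [
    Safeguard("1.a", 1, 1, Maturity.AUTOMATED),
    Safeguard("1.b", 1, 1, Maturity.POLICY_DEFINED),
    Safeguard("1.c", 1, 2, Maturity.NOT_IMPLEMENTED),
    Safeguard("4.a", 4, 1, Maturity.IMPLEMENTED),
    Safeguard("5.a", 5, 1, Maturity.NOT_IMPLEMENTED),
    Safeguard("7.a", 7, 1, Maturity.REPORTED),
    Safeguard("7.b", 7, 2, Maturity.IMPLEMENTED),
    Safeguard("13.a", 13, 2, Maturity.NOT_IMPLEMENTED),
    Safeguard("18.a", 18, 2, Maturity.POLICY_DEFINED),
    Safeguard("18.b", 18, 3, Maturity.NOT_IMPLEMENTED),
]


if __name__ == "__main__":
    for ig, (required, missing) in coverage(SAMPLE).items():
        print(f"IG{ig}: {required} required, {missing} gaps")
    print("Roadmap to IG2:", [s.sid for s in gaps(SAMPLE, 2)])
    print("IG1 heatmap:", {c: m.name for c, m in heatmap(SAMPLE, 1).items()})
```

The threshold argument decides what counts as "in place": the default treats a Safeguard with only a policy defined as a gap, which matches how the intro example counts missing measures; raising it to Maturity.AUTOMATED turns the same data into an automation roadmap.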

CIS RAM (Risk Assessment Method). Methodology to prioritise CIS Controls implementation against the organisation’s own risk profile. Useful for tackling the Safeguards most relevant to your risks first, rather than treating all of them equally.

CIS Benchmarks. More than 100 platform-specific configuration hardening guides — Windows Server, RHEL, Ubuntu, Microsoft 365, AWS, Kubernetes, Docker and others. Benchmarks are closely linked to CIS Control 4 (Secure Configuration).

CIS Hardened Images. Pre-built cloud images (AWS, Azure, GCP) based on the Benchmarks, available commercially.

Mapping to other standards

| Standard | Relation to CIS Controls |
|---|---|
| ISO/IEC 27001 / 27002 | CIS provides an official mapping; CIS Safeguards give practical shape to many ISO Annex A controls |
| NIST CSF | Detailed mapping of CIS Safeguards to CSF subcategories available |
| NIST SP 800-53 | CIS Safeguards map to SP 800-53 controls as the technical implementation |
| PCI DSS | Many PCI DSS requirements can be evidenced directly with CIS Safeguards |
| TISAX / VDA ISA | CIS Safeguards as the technical implementation of ISA controls |
| NIS 2 | The Article 21 measures of NIS 2 can be structured well via CIS Safeguards |
| HIPAA Security Rule | Mapping available for healthcare organisations in the US |

Implementation effort

SMEs (10-50 people, IG1): 3-9 months build, thereafter 0.1-0.3 FTE for maintenance. Many Safeguards can be implemented using existing tools (M365, standard EDR, MDM) without additional cost.

Mid-sized organisations (50-500 people, IG2): 9-18 months build, 0.5-2 FTE for maintenance. Investments in vulnerability scanners, SIEM, dedicated EDR and identity solutions are typical.

Large organisations (>500 people, IG3): 18-36 months build, several FTEs in a security operations team. Penetration tests, threat intelligence feeds, incident response retainers and red team exercises are added.

Recurring costs: vulnerability scanner licences, EDR/SIEM licences, annual penetration tests, awareness platform, time for regular restore tests, patch cycles and configuration reviews.

Related standards

  • ISO/IEC 27001: International ISMS standard; CIS Controls provide concrete technical implementation of the Annex A controls.
  • NIST CSF: Overarching governance framework; CIS Controls supply the operational implementation layer.
  • BSI IT-Grundschutz: German standard with similarly detailed measures; partially overlapping.
  • TISAX: Automotive industry standard; CIS Controls as a technical complement to ISA controls.

Frequently asked questions

Which Implementation Group fits my organisation?

IG1 is the mandatory programme for every organisation: 56 Safeguards that defend against typical cyber attacks on small businesses. IG2 (130 Safeguards in total) applies to mid-sized organisations with IT staff and confidential business data. IG3 (all 153 Safeguards) targets large organisations with security expertise and threat profiles that include targeted attacks. The assignment depends on resources, data sensitivity and the threat model, not on headcount alone.

Are the CIS Controls certifiable?

There is no formal certification against the CIS Controls themselves. The Center for Internet Security does offer self-assessment tools (CIS CSAT) and, for selected platforms, the CIS Benchmarks with specific configuration recommendations. Audit firms run CIS Controls maturity assessments as a consulting service. In practice the CIS Controls are often used as a technical complement to an ISO 27001 or NIST CSF programme.

What are the CIS Benchmarks and how do they fit in?

The CIS Benchmarks are detailed, platform-specific configuration recommendations, for example for Windows, Linux, AWS, Microsoft 365 or Kubernetes. More than 100 Benchmarks exist today. They give practical shape to several Controls (especially CIS Control 4: Secure Configuration). Many vendor tools can scan automatically against Benchmarks. The Benchmarks are available free of charge as PDFs; tooling integration and machine-readable formats are in some cases reserved for CIS SecureSuite members.