A guide to CIS Critical Security Controls

For organizations of all sizes in every industry, cyber crime is a serious and evolving threat. As reported by Forbes, 2020 was a record-breaking year for data breaches and cyber attacks. With the pandemic presenting new opportunities for attackers, 78% of IT teams say they lack confidence in their cybersecurity posture according to a recent IDG survey.

As cybersecurity budgets rise in an attempt to mitigate the risk, IT teams are grappling with the question of how best to use these resources. Industry-recognized cybersecurity frameworks, such as NIST and CIS CSC, provide an excellent starting point—but with so many options available, which one should be prioritized?


Why cybersecurity should start with CIS CSC

When selecting a cybersecurity framework, an organization’s size, industry, and risk level should all be taken into account. However, the Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS CSC)—also known as the CIS Top 20 Security Controls—is a universally advantageous place to start.

Although the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is more comprehensive than CIS CSC, it is also far more complex, putting it out of reach for most organizations without a dedicated compliance and security team. CIS CSC, on the other hand, consists of 20 straightforward, actionable controls that are applicable to organizations of any size and industry.

CIS CSC is regularly updated by government and private-industry security experts around the world, making it a well-recognized and comprehensive cybersecurity roadmap. It focuses on real-world risks and the technical controls that mitigate those risks. The controls are prioritized based on the current threat landscape, making them an ideal starting point for organizations that need to improve their cybersecurity posture with limited resources.


CIS Controls explained

The CIS standards are divided into three levels: Basic (1-6), Foundational (7-16), and Organizational (17-20). Here is a CIS Controls summary:

Basic
1. Inventory and control of hardware assets
2. Inventory and control of software assets
3. Continuous vulnerability management
4. Controlled use of administrative privileges
5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
6. Maintenance, monitoring, and analysis of audit logs

Foundational
7. Email and web browser protections
8. Malware defenses
9. Limitation and control of network ports, protocols, and services
10. Data recovery capabilities
11. Secure configuration for network devices, such as firewalls, routers, and switches
12. Boundary defense
13. Data protection
14. Controlled access based on the need to know
15. Wireless access control
16. Account monitoring and control

Organizational
17. Implementation of a security awareness and training program
18. Application software security
19. Incident response and management
20. Penetration testing and red team exercises


The CIS security benefits will be felt by any organization that fulfills the controls. Let's look at the three categories. The Basic Controls for CIS compliance focus on knowing what assets you have, keeping those assets secure, and controlling administrative access to systems. Since the controls are prioritized in order, organizations should start by meeting these six essential controls.

You can then move on to the 10 Foundational CIS Controls, which provide technical best practices that are applicable to any business. Finally, the Organizational Controls cover people, processes, detection, and response—all important components of robust cybersecurity.

For organizations bound by industry regulations such as HIPAA, CMMC, or PCI DSS, the CIS security controls lay the foundation for meeting these standards. This makes meeting the CIS guidelines a worthwhile endeavor for any organization.


How to implement CIS CSC

To begin implementing the CIS framework, you should first identify your gaps and risks. You can perform a simple gap analysis on the CIS website: CIS CSAT. This powerful, free self-assessment tool enables IT teams to track and prioritize their implementation of the CIS Critical Security Controls for Effective Cyber Defense. It covers the documentation, implementation, automation, and reporting of controls, and can be carried out collaboratively between different team members.

Implementation and alignment with CIS is unique for each organization. Thankfully, it shares many commonalities with the NIST CSF and many other gold-standard cybersecurity frameworks. If you have any questions about CIS, the CIS Controls, or the NIST CSF, give us a call.
