The CIS Controls (also known as the CIS Critical Security Controls) are published by the Center for Internet Security and updated regularly. In essence, they are a prioritized list of measures designed to improve an organization's IT security, with the primary goal of defending against the most common cyber attacks. The latest edition, CIS Controls 8.1, was published in 2024.
Why are CIS Controls important?
IT security is not a simple topic. CIS Controls 8.1 provides a catalog of measures that any organization, regardless of size, can implement step by step, and each step reduces the likelihood of a successful cyber attack. The controls are also designed so that the first group of measures (IG1) can be implemented with modest effort. From an IT security expert's perspective, the CIS Controls are a solid guideline for spending typically limited resources where they have the most effect.
Who uses CIS Controls?
The CIS Controls have established themselves as a quasi-standard and are used by organizations worldwide. They are suitable for SMEs as well as large corporations, and equally for government agencies, educational institutions, and non-profit organizations.
Where can you get CIS Controls?
The easiest way is through the CIS website, which always carries the latest version. After a free registration, you can download the material. The main document is a PDF containing all relevant information; for anyone implementing the measures, a spreadsheet (Excel file) is also provided that lists the individual safeguards so they can be worked through and tracked.
Structure of CIS Controls 8.1
In the current version, the CIS Controls consist of 18 Controls (categories), each broken down into individual Safeguards (measures). Control 16, "Application Software Security", for example, contains 14 Safeguards. Each Safeguard is also assigned to one of three Implementation Groups: IG1, IG2, and IG3.
What are Implementation Groups (IG) within CIS Controls?
- IG1: This group contains the essential measures (CIS calls this level "essential cyber hygiene") that every organization should implement, regardless of size or type.
- IG2: This group contains measures relevant for medium and large organizations, in particular those with staff responsible for IT security. Some measures here require specialized personnel and specific tooling.
- IG3: The focus here is on organizations with several experts covering different areas of IT security, including measures relevant for very large enterprises. If penetration tests and structured thinking in terms of the CIA triad (confidentiality, integrity, availability) are already routine, IG3 is the right level.
Note that IG2 includes all IG1 measures, and IG3 includes all IG1 and IG2 measures; IG1 alone covers 56 of the 153 Safeguards. It therefore makes sense to implement all IG1 measures first to cover the basics, then move on to IG2, with IG3 as the final step. After that, the path is clear for ISO 27001 or similar certifications.
What measures are included in CIS Controls?
Version 8.1 of the CIS Controls contains 18 Controls with a total of 153 Safeguards. A rough summary of the 18 Controls, in CIS order, follows:
- Inventory and Control of Enterprise Assets (Control 1): Identify, manage, and monitor all physical and virtual devices connected to the enterprise network so that unauthorized or unknown devices can be found and removed.
- Inventory and Control of Software Assets (Control 2): Manage and monitor all installed software so that only approved, secure, and supported software runs on enterprise systems.
- Data Protection (Control 3): Protect sensitive data through classification, access controls, and encryption so that confidential information is stored and transmitted securely.
- Secure Configuration of Enterprise Assets and Software (Control 4): Establish and maintain secure configurations for all systems and software, replacing insecure defaults and disabling unnecessary services.
- Account Management (Control 5): Manage user accounts and their permissions, including the use of unique passwords and the deactivation of inactive accounts, to reduce the risk of account takeover.
- Access Control Management (Control 6): Manage access to systems and data, including multi-factor authentication (2FA/MFA) and role-based access control (RBAC).
- Continuous Vulnerability Management (Control 7): Continuously identify, assess, and remediate vulnerabilities in software and systems through regular scans and automated patch management.
- Audit Log Management (Control 8): Collect, retain, and analyze audit logs so that suspicious activity can be detected and security-relevant events are properly monitored and documented.
- Email and Web Browser Protections (Control 9): Secure email clients and web browsers against phishing, malware, and malicious websites, since these channels are common entry points into the organization.
- Malware Defenses (Control 10): Deploy and manage anti-malware software, keep signatures up to date, and scan for malware to protect systems from viruses and other threats.
- Data Recovery (Control 11): Back up data regularly, protect the backups, and maintain the ability to restore data after incidents such as ransomware attacks or hardware failures.
- Network Infrastructure Management (Control 12): Securely operate and manage the organization's network components, including firewalls, switches, and routers, to protect the network from threats.
- Network Monitoring and Defense (Control 13): Monitor network activity with mechanisms such as intrusion detection and prevention systems (IDS/IPS) to detect and defend against attacks in real time.
- Security Awareness and Skills Training (Control 14): Train all employees regularly in security practices so they recognize and respond appropriately to social engineering, phishing, and other threats.
- Service Provider Management (Control 15): Manage and monitor third-party providers (e.g., cloud services) to ensure they meet the organization's security requirements and do not introduce additional risk.
- Application Software Security (Control 16): Secure the software development process, perform security checks at the code level, and manage third-party components to minimize vulnerabilities in applications.
- Incident Response Management (Control 17): Prepare and coordinate the response to security incidents, designate a response team, and run regular exercises so the organization is ready when an incident occurs.
- Penetration Testing (Control 18): Conduct regular penetration tests to find vulnerabilities in systems and networks and to verify that existing security measures are effective.