CIS Controls
Definition
The CIS Controls are a prioritised set of 18 security measures published by the Center for Internet Security (CIS). They are designed to defend against the most common cyberattacks, are freely available, and are widely regarded as a practical starting point for organisations looking to improve their cybersecurity.
How do the CIS Controls work?
Each of the 18 Controls is broken down into individual safeguards (153 in version 8), and the safeguards are assigned to three Implementation Groups (IG) based on an organisation's risk profile and the resources it has available. IG1 (56 safeguards) is the essential minimum: basic cyber hygiene that every organisation should implement. IG2 adds 74 safeguards for organisations with greater risk and complexity, and IG3 adds a further 23 for organisations facing advanced, targeted threats. The groups are cumulative: an organisation at IG2 implements all IG1 safeguards plus the IG2 ones, and IG3 covers all 153.
The 18 CIS Controls
The 18 Controls in version 8 are:
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
Impact on organisations
The CIS Controls are concrete, action-oriented and free. Many organisations use them as a stepping stone to ISO 27001. Cyber insurers increasingly reference CIS Controls as minimum security standards.
Protection
Start with IG1 as the minimum baseline and only move to IG2 and IG3 safeguards once it is in place. Prioritise further work based on your specific threat profile rather than working through the list in order. For the technical detail behind Control 4 (secure configuration), use the CIS Benchmarks, which provide platform-specific hardening settings for operating systems, cloud services, databases and network devices.
How DEFION helps
DEFION evaluates organisational security posture against CIS Controls as part of Cyber Security Assessments.