Center for Internet Security

The CIS Critical Security Controls are a community-developed set of prioritized cybersecurity best practices created by the Center for Internet Security (CIS). They focus on the top 18 safeguard areas most effective at reducing risk. The Controls are practical, prescriptive, and scalable—ideal for mission-driven organizations that need clear “do-this-next” guidance.

At Filament Information Security, we use CIS Controls to help schools, governments, and nonprofits establish a core security baseline quickly, then mature over time.

Who Should Use CIS?

While not mandated by law, any organization—especially resource-constrained teams—can benefit. Adopting CIS Controls helps you:

  • Block common attack paths and contain incidents quickly
  • Prove progress to boards, funders, and insurers
  • Map cleanly to other frameworks (NIST CSF, NIST 800-53, ISO 27001, HIPAA, etc.)

The 5 Guiding Principles

  1. Offense Informs Defense – Data-driven; aligned to real attacker behavior.
  2. Focus – Prioritizes the highest-value actions first.
  3. Feasible – Specific, practical safeguards you can actually implement.
  4. Measurable – Clear outcomes and metrics to track maturity.
  5. Aligned – Mappable to regulatory and governance frameworks.

The 18 CIS Controls

  1. Inventory of Enterprise Assets – Know every device you’re defending.
  2. Inventory of Software Assets – Only approved software runs.
  3. Data Protection – Classify, handle, retain, and dispose securely.
  4. Secure Configuration – Harden systems/apps from the start.
  5. Account Management – Govern all identities and credentials.
  6. Access Control Management – Least privilege, reviewed regularly.
  7. Continuous Vulnerability Management – Find & fix weaknesses fast.
  8. Audit Log Management – Collect, review, and retain logs.
  9. Email & Web Browser Protections – Reduce phishing/web risks.
  10. Malware Defenses – Prevent, detect, and respond to malware.
  11. Data Recovery – Testable backups and reliable restoration.
  12. Network Infrastructure Management – Secure, segmented, maintained.
  13. Network Monitoring & Defense – Detect and respond in real time.
  14. Security Awareness & Skills Training – Build a security-first culture.
  15. Service Provider Management – Govern third-party risk.
  16. Application Software Security – Secure the SDLC and dependencies.
  17. Incident Response Management – Prepare, practice, and improve.
  18. Penetration Testing – Validate defenses through ethical attacks.

Implementation Groups (IGs)

CIS organizes safeguards into three Implementation Groups, so you can right-size the program:

  • IG1 (Essential Cyber Hygiene): Small/lean teams; stop common, non-targeted attacks. (~56 safeguards)
  • IG2: More complex environments; multiple departments and sensitive data. (~74 safeguards)
  • IG3: Advanced programs; targeted threats and high-sensitivity data. (additional safeguards beyond IG2)

CIS Benchmarks & Hardened Images

  • CIS Benchmarks: Detailed configuration guidance (Windows, Linux, cloud services, databases, network gear, etc.) with Level 1 (low impact), Level 2 (defense-in-depth), and optional STIG-aligned profiles.
  • CIS Hardened Images: Cloud VM images pre-configured to CIS Benchmarks (AWS, Azure, GCP, Oracle). Useful for rapid, consistent secure deployments.

Practical Steps to Get Started

  1. Establish Scope & Goals – Define systems, data, and risk priorities.
  2. Assess Against IG1 – Identify quick wins and gaps.
  3. Plan the Next 90 Days – Implement highest-value safeguards first.
  4. Measure & Communicate – Track a small, meaningful metric set.
  5. Iterate – Advance toward IG2/IG3 as needs evolve.

Frequently Asked Questions

Who oversees CIS Controls?
The Center for Internet Security (CIS)—a nonprofit coalition of public/private experts—maintains the Controls and Benchmarks.

Do we have to be “CIS compliant”?
No legal requirement. CIS is voluntary, but widely respected and often encouraged by insurers and auditors.

How do we implement CIS?
Start with IG1 safeguards, close priority gaps, then layer IG2/IG3. Use Benchmarks for secure configuration and measure progress regularly.

What are the benefits of adopting CIS Controls?
Rapid risk reduction, clear prioritization, measurable progress, and strong mapping to other frameworks (NIST CSF, 800-53, ISO 27001, HIPAA).

What are CIS Benchmarks vs. CIS Controls?
Controls = what to do (prioritized safeguards). Benchmarks = how to harden specific platforms (detailed config guidance). Hardened Images apply Benchmarks out-of-the-box in cloud.

Are the CIS Controls free?
Yes. The Controls and Benchmarks are publicly available; some additional content may require a CIS account.

Who created the Controls and when?
Originally developed by a community working group (SANS/CAG roots), now maintained by CIS; regularly updated to reflect current threats.

Will our program get outdated?
CIS publishes updates; if you review safeguards and Benchmarks at least annually, your program stays current.

Can CIS replace other frameworks?
CIS can stand alone for baseline security, or map to NIST CSF/800-53/ISO/HIPAA. Many organizations use NIST CSF for strategy and CIS for execution.

What’s the difference between NIST and CIS?
NIST CSF = strategic framework (organizes outcomes). CIS = prioritized, prescriptive safeguards. They complement each other.

Any examples or training?
CIS publishes implementation resources and community guidance. Filament can provide workshops, assessments, and implementation roadmaps tailored to your environment.

Our Services

vCISO and Fractional Security Analysts

Enhance security leadership and strategy with experienced professionals through one-time projects or continued engagements.

Gap and Risk Assessments

Identify vulnerabilities and gaps in your security posture with our comprehensive assessments, designed not to disrupt your operations.

Framework Deployment Programs

Establish security frameworks through a comprehensive year-long assessment and training program, either individually or with a cohort of your peers.

Apptega GRC Platform

Make the most of Apptega’s powerful Governance, Risk, and Compliance (GRC) tool to effectively manage and maintain your security program utilizing its user-friendly interface.

Implementation Support

Certified assistance in planning and implementing best practices and solutions to mature your security posture.

Penetration Testing

A security analyst will attempt to find and exploit vulnerabilities in your systems to identify where attackers could target your defenses.

Vulnerability Scanning

Identify security vulnerabilities in your systems and networks, then generate reports to prioritize and remediate potential threats.

Expert Help is On the Way

Schedule a Free Discovery Call

Explore your organization’s future with a quick conversation with Filament Information Security services.

Contact us today to learn more about how we can help you achieve your security goals.