What is the Center for Internet Security?
The Center for Internet Security (CIS) is a non-profit organisation founded in 2000 that develops best practices for securing IT systems and data. CIS is best known for two products — the CIS Controls (a prioritised set of cybersecurity actions) and the CIS Benchmarks (detailed configuration guidelines for specific technologies). Both are used by tens of thousands of organisations worldwide and are freely available.
What are CIS Controls?
The CIS Controls are a prioritised set of actions that collectively form a defence-in-depth approach to cybersecurity. Originally developed by the SANS Institute and transferred to CIS in 2015, the Controls are designed to be actionable — each control directly addresses a real-world attack technique documented in threat intelligence data.
Version 8, released in May 2021, reorganised the controls from 20 to 18, consolidated several overlapping controls, and added coverage for cloud and mobile environments. CIS Controls v8 is one of the most practical starting points for any organisation building a cybersecurity programme because it is explicitly prioritised — organisations can start with the most impactful controls first.
| Standard Body | Center for Internet Security (CIS) |
| Current Version | v8 (May 2021) |
| Mandatory or Voluntary | Voluntary — free to use |
| Geography | Global |
| Official Resource | cisecurity.org/controls |
Implementation Groups
CIS Controls v8 introduced Implementation Groups (IGs) — a way to prioritise which controls to implement based on organisational size and risk profile. Every organisation starts with IG1.
| Group | Profile | Safeguards |
|---|---|---|
| IG1 | Small organisations with limited IT and security expertise — essential cyber hygiene | 56 safeguards |
| IG2 | Organisations with dedicated security staff handling sensitive data — builds on IG1 | 74 additional safeguards |
| IG3 | Large organisations with security experts handling critical data — full implementation | 23 additional safeguards |
The 18 CIS Controls
| Control | Name | Focus |
|---|---|---|
| CIS 1 | Inventory and Control of Enterprise Assets | Actively manage all hardware assets connected to the network |
| CIS 2 | Inventory and Control of Software Assets | Actively manage all software on the network — authorised and unauthorised |
| CIS 3 | Data Protection | Develop processes to identify, classify, securely handle, retain and dispose of data |
| CIS 4 | Secure Configuration of Enterprise Assets and Software | Establish and maintain secure configurations for all assets and software |
| CIS 5 | Account Management | Use processes and tools to assign and manage authorisation to credentials for user accounts |
| CIS 6 | Access Control Management | Use processes and tools to create, assign, manage and revoke access credentials and privileges |
| CIS 7 | Continuous Vulnerability Management | Continuously acquire, assess and act on information about vulnerabilities in the environment |
| CIS 8 | Audit Log Management | Collect, alert, review and retain audit logs to detect, understand and recover from attacks |
| CIS 9 | Email and Web Browser Protections | Improve protections and detection for threats from email and web vectors |
| CIS 10 | Malware Defences | Prevent or control installation, spread and execution of malicious code |
| CIS 11 | Data Recovery | Establish and maintain data recovery practices to restore in-scope assets to pre-incident state |
| CIS 12 | Network Infrastructure Management | Establish and maintain secure network infrastructure — devices, connections and communications |
| CIS 13 | Network Monitoring and Defence | Operate processes and tooling to establish and maintain comprehensive network monitoring |
| CIS 14 | Security Awareness and Skills Training | Establish and maintain a security awareness programme to influence behaviour |
| CIS 15 | Service Provider Management | Develop processes to evaluate service providers who hold sensitive data or are responsible for critical IT platforms |
| CIS 16 | Application Software Security | Manage the security lifecycle of in-house developed and acquired software |
| CIS 17 | Incident Response Management | Establish a programme to prepare, detect, contain and recover from incidents |
| CIS 18 | Penetration Testing | Test effectiveness of defences by simulating attacker objectives and actions |
Securitora Assessment
CIS Controls v8 is the most practical starting point for any organisation building a cybersecurity programme from scratch. The Implementation Group structure removes the paralysis of “where do we start” — IG1 gives small organisations a clear, achievable baseline. The controls are directly tied to real attack techniques, making it easy to demonstrate business value. For larger organisations, CIS Controls complement ISO 27001 and NIST CSF by providing specific, actionable technical guidance.
| Recommended for | All organisations — especially SMEs starting their cybersecurity journey |
| Difficulty to implement | Low to Medium — IG1 is achievable for any organisation |
| Best used with | NIST CSF 2.0 · ISO 27001 · CIS Benchmarks |
| Official resource | cisecurity.org/controls → |