CIS Controls

CIS Controls (formerly known as the CIS Critical Security Controls or CIS18) are a set of 18 prioritised security controls developed by the Center for Internet Security. They provide a practical, consensus-based framework for organisations to defend against the most common cyber threats.

What are CIS Controls?

CIS Controls are a set of 18 actionable security controls designed to help organisations of all sizes improve their cybersecurity posture. They are developed and maintained by the Center for Internet Security (CIS), a non-profit organisation, and are based on real-world threat data and input from a global community of security practitioners.

The controls are numbered in order of priority, with the first controls providing the greatest risk reduction. Each control contains a number of safeguards — specific actions that organisations should take. The framework is designed to be complementary to other standards such as ISO 27001 Annex A and NIS2.

The 18 CIS Controls

The current version (CIS Controls v8.1) comprises the following 18 controls:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defences
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defence
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

Implementation Groups (IG1–IG3)

CIS Controls are organised into three Implementation Groups (IGs) to help organisations prioritise implementation based on their size, resources and risk profile:

• IG1 — Essential Cyber Hygiene: The minimum set of safeguards every organisation should implement. IG1 is designed for small to medium-sized organisations with limited IT resources and represents the starting point for all organisations.
• IG2 — Expanded Controls: Builds on IG1 with additional safeguards for organisations managing more complex IT environments or handling sensitive data. Suitable for organisations with dedicated IT staff.
• IG3 — Comprehensive Security: The full set of CIS safeguards, intended for organisations with mature security programmes and the resources to address sophisticated threats.

Start with IG1:
CIS recommends that all organisations — regardless of size — begin by implementing the IG1 safeguards. These 56 safeguards address the most common attack vectors and provide significant risk reduction for a relatively modest investment.

CIS Controls vs ISO 27001

CIS Controls and ISO 27001 are complementary rather than competing frameworks. ISO 27001 provides a management system approach with a focus on governance, risk assessment and continuous improvement. CIS Controls offer a more prescriptive, technically focused set of actions. Many organisations use CIS Controls as a practical implementation guide alongside their ISO 27001 Statement of Applicability.

Frequently Asked Questions about CIS Controls

What are CIS Controls?

CIS Controls (CIS18) are a set of 18 prioritised security controls developed by the Center for Internet Security. They provide actionable, consensus-based best practices for defending against the most common cyber threats.

What are Implementation Groups (IGs)?

Implementation Groups are three tiers (IG1, IG2, IG3) that help organisations prioritise CIS Controls based on their size, resources and risk profile. IG1 represents essential cyber hygiene for all organisations, IG2 adds controls for more complex environments, and IG3 covers the full set of safeguards.

How many safeguards are in IG1?

IG1 contains 56 safeguards across the 18 CIS Controls. These represent the minimum set of actions every organisation should implement to defend against the most common cyber attacks.

Can CIS Controls be used alongside ISO 27001?

Yes. CIS Controls and ISO 27001 are complementary. ISO 27001 provides the governance and management system framework, whilst CIS Controls offer prescriptive technical guidance. Many organisations map CIS Controls to their ISO 27001 Annex A controls.

Are CIS Controls free to use?

Yes. The CIS Controls framework is freely available from the Center for Internet Security. CIS also provides free companion resources such as mappings to other frameworks, implementation guides and self-assessment tools.