Data Protection (CIS Control 3)

CIS Control 3 covers the processes and technical measures for identifying, classifying, protecting and securely disposing of an organisation’s data. The control is closely linked to GDPR data protection requirements and the principle of data minimisation.

    What does CIS Control 3 cover?

    CIS Control 3 — Data Protection — addresses how organisations should handle their data throughout its lifecycle: from creation and storage through to secure disposal. The objective is to ensure that sensitive data is identified, classified and protected against unauthorised access, exfiltration and loss.

    Where CIS Control 1 focuses on knowing which hardware assets you have, and CIS Control 2 on which software is installed, Control 3 turns the focus to the data itself — arguably the most valuable asset of all.

    Data classification

    The foundation of data protection is classification. You cannot protect data appropriately unless you know what you have and how sensitive it is. A practical classification scheme typically includes:

    • Public: Information that can be freely shared without risk (e.g. marketing materials).
    • Internal: Information intended for internal use only but not highly sensitive (e.g. internal procedures).
    • Confidential: Sensitive information requiring protection (e.g. personal data, financial records).
    • Restricted: Highly sensitive information where a breach would have severe consequences (e.g. health data, trade secrets).

    Classification should drive the controls applied to each data category. Higher sensitivity demands stricter access controls, stronger encryption and more rigorous handling procedures.

    Technical data protection controls

    CIS Control 3 recommends several technical safeguards:

    • Encryption: Encrypt sensitive data both at rest and in transit. This protects data even if storage media are lost or network traffic is intercepted.
    • Data loss prevention (DLP): Tools and policies that detect and prevent unauthorised transfer of sensitive data outside the organisation.
    • Access controls: Restrict access to data based on classification level and the need-to-know principle.
    • Backup and recovery: Maintain regular, tested backups to ensure data can be recovered following an incident.
    • Logging and monitoring: Track who accesses sensitive data and detect anomalous access patterns.


    Align with GDPR:
    CIS Control 3 aligns closely with GDPR’s requirements for appropriate technical and organisational measures (Article 32). Implementing Control 3 safeguards helps demonstrate GDPR compliance.

    Secure disposal

    Data protection does not end when data is no longer needed. CIS Control 3 requires secure disposal processes to ensure that sensitive data cannot be recovered from decommissioned hardware, deleted files or retired cloud instances. This includes physical destruction of storage media, cryptographic erasure and verified deletion. For organisations using data discovery tools, secure disposal closes the loop on the data lifecycle.

    Frequently asked questions about CIS Control 3

    What is CIS Control 3?

    CIS Control 3 — Data Protection — covers the processes and technical controls for identifying, classifying, securely handling, storing and disposing of organisational data to prevent unauthorised access and data loss.

    Why is data classification important?

    Data classification is the foundation of effective data protection. Without knowing what data you have and how sensitive it is, you cannot apply appropriate security controls. Classification ensures that the most sensitive data receives the strongest protection.

    What are the IG1 safeguards for CIS Control 3?

    IG1 safeguards for Control 3 include establishing and maintaining a data management process, a data inventory, data retention requirements and secure disposal of data. These represent the minimum actions every organisation should take.
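As an added example (not code from the page, from .legal or from the CIS Controls), the following Python checks a constructed data inventory against the classification-driven controls described under "Data classification" and the IG1 safeguards listed here: every entry needs an accountable owner, the controls its level requires and a retention date, and entries past retention are flagged for secure disposal. The level-to-control mapping, the field names and the sample entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Minimum controls per classification level (assumed scheme for the four
# levels described above; each stricter level adds controls).
_CONFIDENTIAL = frozenset({"access_control", "encrypted_at_rest",
                           "encrypted_in_transit", "access_logging"})
REQUIRED_CONTROLS = {
    "public": frozenset(),
    "internal": frozenset({"access_control"}),
    "confidential": _CONFIDENTIAL,
    "restricted": _CONFIDENTIAL | {"dlp", "tested_backup"},
}

@dataclass(frozen=True)
class DataAsset:
    name: str            # inventory entry
    classification: str  # one of the levels above
    owner: str           # accountable data owner ("" if nobody is assigned)
    controls: frozenset  # controls actually in place for this asset
    retain_until: date   # end of the retention period recorded in the inventory

def check_asset(asset: DataAsset, today: date) -> list:
    """Return findings for one inventory entry (empty list means compliant)."""
    level = asset.classification.lower()
    if level not in REQUIRED_CONTROLS:
        return [f"{asset.name}: unknown classification '{asset.classification}'"]
    findings = []
    if not asset.owner:
        findings.append(f"{asset.name}: no data owner assigned")
    for control in sorted(REQUIRED_CONTROLS[level] - asset.controls):
        findings.append(f"{asset.name}: {level} data lacks '{control}'")
    if today > asset.retain_until:
        findings.append(f"{asset.name}: retention expired, due for secure disposal")
    return findings

def check_inventory(assets, today: date) -> list:
    """Run check_asset over a whole inventory and flatten the findings."""
    return [f for asset in assets for f in check_asset(asset, today)]

# Constructed sample inventory and audit date (not real data).
AUDIT_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    DataAsset("marketing-site", "public", "comms", frozenset(), date(2030, 1, 1)),
    DataAsset("hr-records", "confidential", "hr",
              frozenset({"access_control", "encrypted_at_rest", "access_logging"}), date(2030, 1, 1)),
    DataAsset("patient-data-2017", "restricted", "", REQUIRED_CONTROLS["restricted"], date(2024, 12, 31)),
    DataAsset("old-export", "Secret", "ops", frozenset(), date(2030, 1, 1)),
]
```

Calling `check_inventory(SAMPLE_INVENTORY, AUDIT_DATE)` yields one finding for the unencrypted-in-transit HR records, two for the ownerless and expired patient data, and one for the entry with an unrecognised label; an unclassified entry is itself a gap in the data management process.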

    How does CIS Control 3 relate to GDPR?

    CIS Control 3 aligns closely with GDPR Article 32, which requires appropriate technical and organisational measures to protect personal data. Implementing Control 3 safeguards such as encryption, access controls and secure disposal directly supports GDPR compliance.

    What is secure data disposal?

    Secure data disposal ensures that sensitive data cannot be recovered from decommissioned hardware or deleted files. Methods include physical destruction of storage media, cryptographic erasure and verified deletion using certified tools.
