
CIS Controls

A set of 18 prioritised security actions developed by the Center for Internet Security - a practical guide to defending against the most common attacks.

What are CIS Controls?

CIS Controls (the CIS Critical Security Controls, formerly known as the SANS Top 20) are a list of 18 prioritised security actions developed by the Center for Internet Security in collaboration with experts worldwide. Unlike frameworks such as NIST CSF or ISO 27001, which largely define "what" needs to be done, CIS Controls also specify "how" it should be done and in what order, by breaking each control into concrete safeguards and assigning each safeguard to an Implementation Group.

CIS Controls v8 divides the safeguards into three cumulative Implementation Groups (IGs). IG1 is the minimum set of 56 safeguards (Basic Cyber Hygiene), suitable for small organisations with limited resources. IG2 adds 74 safeguards to IG1, for a total of 130, for organisations with greater complexity and more sensitive data. IG3 adds the remaining 23, covering all 153 safeguards, for organisations that are likely targets of advanced, well-resourced actors. Each higher group includes everything in the groups below it, so an organisation implements IG1 first and builds up from there.

The 18 controls cover areas including hardware and software asset inventory, data protection, secure configuration, account and access control management, continuous vulnerability management, audit log management, email and web browser protection, malware defence, data recovery, network monitoring and defence, security awareness training, service provider management, application software security, incident response management and penetration testing.

Why does it matter?

CIS Controls are one of the most practical security frameworks: they focus on the actions that deliver the greatest reduction in risk relative to effort, based on attack patterns observed in practice. IG1 (Basic Cyber Hygiene) lets small organisations put fundamental safeguards in place without major investment. CIS also publishes mappings from the controls to regulatory and industry requirements such as NIS2, PCI DSS and HIPAA, so an organisation that has implemented the relevant safeguards can more easily demonstrate compliance with those requirements.
