Top 20 CIS Critical Security Controls (Part 1): What are they?

April 3, 2019

Keeping one step ahead of cyber criminals requires expertise, technology and robust processes. Add the pressures of regulatory compliance and finite resources and the whole cyber security puzzle can become overwhelming.

You know you need to prioritise your defences but without a clear roadmap, you can’t help feeling you’ve left a chink in your cyber armour.

This is where the Center for Internet Security (CIS) Controls come in. In this 4-part series, we’ll look at what the CIS Controls are and dig into how each one helps organisations of all types and sizes defend against known attack techniques and improve their overall cyber security posture.

What are CIS Critical Security Controls?

The 20 CIS Critical Security Controls are specific, prioritised actions that defend against the most prevalent cyber attacks. Think of them as an actionable list of high-priority, proven steps that form your cyber security groundwork. Instead of starting from scratch, you can stand on the shoulders of other security experts to get the essentials in place. CIS’s own estimate is that implementing the controls protects against around 85% of common cyber attacks.

Who created the CIS Controls?

In 2008, volunteer experts from a range of fields came together to develop the CIS Controls. This consortium included public and private sector teams and individuals:

  • Cyber analysts
  • Vulnerability testers
  • Solution providers
  • Consultants
  • Policymakers
  • Academics
  • Auditors
  • Users

The 20 CIS Controls they developed are designed to stop the majority of attacks, and they provide a framework for systems management and automation that will serve you well into the future. They’re free to access and widely adopted as best practice by government agencies and enterprises across the UK, EU and US.

Top 20 CIS controls summary

CIS Controls, Compliance Frameworks & Regulations

The CIS Controls aren’t designed to replace existing compliance or regulatory frameworks. In fact, they’re designed to map to the regulations and compliance commitments that your business needs to adhere to. They can work as a stand-alone strategy or in combination with other frameworks:

Compliance frameworks

  • NIST Cybersecurity Framework
  • NIST SP 800-53
  • ISO 27000 series
  • ITIL

Regulations

  • GDPR

CIS Controls V7

Since cyber criminals don’t stand still, experts continue to bring their knowledge to the CIS Controls, keeping them up to date with the ever-changing threats of today.

CIS Controls V7 was released in March 2018. The controls were re-ordered and updated in line with current security tooling and threats. Outlined in three layers, the current CIS Controls comprise these components:

›› 6 Basic CIS Controls:

  • Control 1: Inventory and Control of Hardware Assets
  • Control 2: Inventory and Control of Software Assets
  • Control 3: Continuous Vulnerability Management
  • Control 4: Controlled Use of Administrative Privileges
  • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  • Control 6: Maintenance, Monitoring and Analysis of Audit Logs

›› 10 Foundational CIS Controls:

  • Control 7: Email and Web Browser Protections
  • Control 8: Malware Defences
  • Control 9: Limitation and Control of Network Ports, Protocols and Services
  • Control 10: Data Recovery Capabilities
  • Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  • Control 12: Boundary Defence
  • Control 13: Data Protection
  • Control 14: Controlled Access Based on the Need to Know
  • Control 15: Wireless Access Control
  • Control 16: Account Monitoring and Control

›› 4 Organisational CIS Controls:

  • Control 17: Implement a Security Awareness and Training Program
  • Control 18: Application Software Security
  • Control 19: Incident Response and Management
  • Control 20: Penetration Tests and Red Team Exercises

Further articles in the series:

» CIS Critical Security Controls: The 6 BASIC controls (Part 2)
» The 10 Foundational CIS Critical Security Controls (Part 3)
» Understanding the Organisational CIS Critical Security Controls (Part 4)

Should I DIY our CIS Controls Management Process?

The CIS Controls are a great foundation for any organisation looking to strengthen its cyber security, and the resource is free to download. But implementing them well enough to harden your defences against the attack vectors you’re likely to encounter isn’t free. Even with the best free resources, most organisations find it a tall order to keep pace with the latest security threats while also managing the people, processes and technologies involved.

Often, a more cost-effective route is to seek external help from security experts rather than hiring, training and retaining your own 24-7 cyber security team. Whether fully outsourced, or working in partnership with internal teams, an outsourced Security Operations Centre will help you to quickly scale your security, keep pace with ever-changing threats – and ultimately make a real difference to your cyber security posture.

In the next 3 CIS articles, we dig a little deeper to help you implement as much as you can in-house and figure out whether you’d be better off with any areas being outsourced.

Related Articles:

Comtact's UK Security Operation Centre (SOC)

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.