Information security is more important than ever. Practically every business should pursue an information security framework in order to meet its legal obligations, protect its business assets, and secure its customers' personal information.
The Center for Internet Security (CIS) Controls are an excellent starting point for any organization wishing to improve its information security practices. The CIS Controls are flexible, versatile, and easy to understand.
Our guide to the CIS Controls lists every control and subcontrol together with additional notes and guidance on implementation, to help you get started on your road towards compliant and secure information management.
- 1. What are the CIS Controls?
- 1.1. What are CIS Subcontrols?
- 1.2. What are CIS Controls Implementation Groups?
- 2. The 20 CIS Controls
- 2.1. CIS Control 1: Inventory and Control of Hardware Assets
- 2.2. CIS Control 2: Inventory and Control of Software Assets
- 2.3. CIS Control 3: Continuous Vulnerability Management
- 2.4. CIS Control 4: Controlled Use of Administrative Privileges
- 2.5. CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 2.6. CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- 2.7. CIS Control 7: Email and Web Browser Protections
- 2.8. CIS Control 8: Malware Defenses
- 2.9. CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- 2.10. CIS Control 10: Data Recovery Capabilities
- 2.11. CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- 2.12. CIS Control 12: Boundary Defense
- 2.13. CIS Control 13: Data Protection
- 2.14. CIS Control 14: Controlled Access Based on the Need to Know
- 2.15. CIS Control 15: Wireless Access Control
- 2.16. CIS Control 16: Account Monitoring and Control
- 2.17. CIS Control 17: Implement a Security Awareness and Training Program
- 2.18. CIS Control 18: Application Software Security
- 2.19. CIS Control 19: Incident Response and Management
- 2.20. CIS Control 20: Penetration Tests and Red Team Exercises
- 3. Summary
What are the CIS Controls?
The CIS Controls are a set of 20 categories of security measures that your organization can implement on its journey towards better information security.
The CIS Controls are not legally mandatory, but they are widely regarded as a sound "baseline" for information security.
For example, under the California Consumer Privacy Act (CCPA), businesses are expected to maintain a "reasonable" level of security. The Act doesn't specify what "reasonable" means. But in a California Data Breach Report, the California Attorney General at the time stated that meeting all 20 CIS Controls represents a minimum reasonable level of security.
What are CIS Subcontrols?
Each of the 20 CIS Controls contains between five and 13 Subcontrols. These are specific means of implementing each Control. Organizations can work through the Subcontrols according to their business priorities and needs.
What are CIS Controls Implementation Groups?
The CIS Controls Implementation Groups are three types of organizations, categorized according to their size and resources.
- Implementation Group 1: Small to medium-sized organizations with limited IT and cybersecurity expertise
- Implementation Group 2: Organizations that employ individuals responsible for managing and protecting IT infrastructure, hosting multiple departments with differing risk profiles
- Implementation Group 3: Organizations that employ security experts specializing in the different facets of cybersecurity (e.g., risk management, penetration testing, application security)
Each Subcontrol is graded according to which Implementation Groups should implement it.
All Implementation Groups should aim to implement the simpler and more commonplace Subcontrols, whereas only organizations in Implementation Group 3 are expected to implement the more specialized or complex Subcontrols.
The 20 CIS Controls
Here's a list of the 20 CIS Controls, together with their associated Subcontrols. We've also provided notes on some of the Subcontrols and listed the recommended Implementation Groups for each.
CIS Control 1: Inventory and Control of Hardware Assets
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 1.1 | Utilize an Active Discovery Tool | Identify and keep track of devices on your network | 2, 3 |
| 1.2 | Use a Passive Asset Discovery Tool | Automatically updates the asset inventory | 3 |
| 1.3 | Use DHCP Logging to Update Asset Inventory | Dynamic Host Configuration Protocol (DHCP) logging | 2, 3 |
| 1.4 | Maintain Detailed Asset Inventory | Catalog all assets that can store or process information | 1, 2, 3 |
| 1.5 | Maintain Asset Inventory Information | Record network address, hardware address, machine name, data asset owner, network status, and department for each asset | 2, 3 |
| 1.6 | Address Unauthorized Assets | Remove, quarantine, or update unauthorized assets | 1, 2, 3 |
| 1.7 | Deploy Port Level Access Control | Implement port-level access control following the 802.1x standard | 2, 3 |
| 1.8 | Utilize Client Certificates to Authenticate Hardware Assets | - | 3 |
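Subcontrols 1.3 through 1.6 describe one concrete loop: read DHCP server logs, reconcile the hardware addresses they report against the asset inventory, and flag anything the inventory does not know about. The Python below is an added illustration of that loop; it is not part of the original guide and not a CIS-provided tool. The log lines follow the syslog message style of ISC dhcpd but are constructed sample data, and the inventory dictionary, field names, and hardware addresses are likewise made up for the example.

```python
import re

# Constructed sample DHCP server log, in ISC dhcpd syslog style (not real data).
SAMPLE_DHCP_LOG = """\
Mar  1 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 3c:52:82:aa:bb:cc (lab-ws-07) via eth0
Mar  1 10:16:40 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.51 to 00:1b:44:11:3a:b7 (printer-2f) via eth0
Mar  1 10:20:11 dhcp1 dhcpd[1234]: DHCPDISCOVER from a4:83:e7:01:02:03 via eth0
Mar  1 10:20:12 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.88 to a4:83:e7:01:02:03 via eth0
Mar  1 10:25:00 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 3c:52:82:aa:bb:cc (lab-ws-07) via eth0
"""

# Constructed asset inventory keyed by hardware address, carrying the
# fields Subcontrol 1.5 asks for (name, owner, department, status).
INVENTORY = {
    "3c:52:82:aa:bb:cc": {"name": "lab-ws-07", "owner": "j.doe", "department": "R&D", "status": "approved"},
    "00:1b:44:11:3a:b7": {"name": "printer-2f", "owner": "facilities", "department": "Ops", "status": "approved"},
    "d8:bb:c1:00:00:01": {"name": "nas-01", "owner": "it", "department": "IT", "status": "approved"},
}

# A DHCPACK is the server confirming a lease: that is the moment an IP
# address is actually bound to a hardware address, so only ACKs are parsed.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_acks(log_text):
    """Yield (ip, mac, hostname) for each DHCPACK line; other message types are skipped."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host")


def reconcile(log_text, inventory):
    """Reconcile DHCP leases with the inventory (Subcontrols 1.3, 1.4, 1.6).

    Returns a report with three parts:
      seen         - inventoried assets that took a lease, with their current IP
      unauthorized - hardware addresses the inventory does not know (quarantine candidates)
      not_seen     - inventoried assets with no lease in this log window
    """
    seen = {}
    unauthorized = {}
    for ip, mac, host in parse_dhcp_acks(log_text):
        if mac in inventory:
            # Later ACKs overwrite earlier ones, so the record holds the latest address.
            seen[mac] = {**inventory[mac], "ip": ip}
        else:
            unauthorized[mac] = {"ip": ip, "hostname": host}
    not_seen = sorted(set(inventory) - set(seen))
    return {"seen": seen, "unauthorized": unauthorized, "not_seen": not_seen}


if __name__ == "__main__":
    report = reconcile(SAMPLE_DHCP_LOG, INVENTORY)
    for mac, info in report["unauthorized"].items():
        print(f"UNAUTHORIZED {mac} at {info['ip']} hostname={info['hostname']}")
    for mac in report["not_seen"]:
        print(f"NOT SEEN     {mac} ({INVENTORY[mac]['name']})")
```

Running the reconciliation on the sample data reports one hardware address with no inventory record (the device at 10.0.1.88, which supplied no hostname) and one inventoried asset that never requested a lease. Both outcomes are worth acting on: the first is the Subcontrol 1.6 case, and the second may be a decommissioned device that should be removed from the inventory or one with a static address that DHCP logging alone will never observe.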
CIS Control 2: Inventory and Control of Software Assets
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 2.1 | Maintain Inventory of Authorized Software | Keep an up-to-date list of software used for any business purpose on any business system | 1, 2, 3 |
| 2.2 | Ensure Software is Supported by Vendor | - | 1, 2, 3 |
| 2.3 | Utilize Software Inventory Tools | Use inventory tools to automate software documentation | 2, 3 |
| 2.4 | Track Software Inventory Information | Track the name, version, publisher, and install date of all software, including operating systems | 2, 3 |
| 2.5 | Integrate Software and Hardware Asset Inventories | Enable the tracking of software and hardware inventories from a single location | 3 |
| 2.6 | Address Unapproved Software | Ensure you remove unauthorized software | 1, 2, 3 |
| 2.7 | Utilize Application Whitelisting | Only allow authorized software to run | 3 |
| 2.8 | Implement Application Whitelisting of Libraries | Only allow authorized software libraries to load into a system process | 3 |
| 2.9 | Implement Application Whitelisting of Scripts | - | 3 |
| 2.10 | Physically or Logically Segregate High-Risk Applications | - | 3 |
CIS Control 3: Continuous Vulnerability Management
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 3.1 | Run Automated Vulnerability Scanning Tools | - | 2, 3 |
| 3.2 | Perform Authenticated Vulnerability Scanning | Scan for vulnerabilities with either local agents or remote scanners using elevated privileges | 2, 3 |
| 3.3 | Protect Dedicated Assessment Accounts | Use a specific account for vulnerability scans | 2, 3 |
| 3.4 | Deploy Automated Operating System Patch Management | - | 1, 2, 3 |
| 3.5 | Deploy Automated Software Patch Management | - | 1, 2, 3 |
| 3.6 | Compare Back-to-Back Vulnerability Scans | - | 2, 3 |
| 3.7 | Utilize a Risk-Rating Process | - | 2, 3 |
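Subcontrols 3.6 and 3.7 are the analysis half of vulnerability management: diff consecutive scans so that new, persistent, and remediated findings are distinguishable, then rank what remains by risk rather than by raw CVSS score alone. The Python below is an added example of both steps; it is not part of the original guide and does not model any particular scanner's output. The two scan result lists, the check identifiers, and the criticality weights are constructed sample values, and the risk formula (CVSS multiplied by asset criticality) is a deliberately simple stand-in for whatever rating process an organization adopts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner check/plugin identifier (constructed values below)
    title: str
    cvss: float     # CVSS base score, 0.0 to 10.0


# Constructed output of two consecutive scans (not real scanner data).
PREVIOUS_SCAN = [
    Finding("web-01", "CHK-1001", "Outdated TLS configuration", 5.3),
    Finding("web-01", "CHK-1002", "Unpatched web framework", 9.8),
    Finding("db-01", "CHK-2001", "Default database listener exposed", 7.5),
]
CURRENT_SCAN = [
    Finding("web-01", "CHK-1001", "Outdated TLS configuration", 5.3),
    Finding("db-01", "CHK-2001", "Default database listener exposed", 7.5),
    Finding("db-01", "CHK-2002", "Missing OS security update", 8.8),
]

# Asset criticality, 1 (low) to 3 (high); in practice this comes from the
# asset inventory of CIS Control 1 (owner, department, data handled).
ASSET_CRITICALITY = {"web-01": 2, "db-01": 3}


def compare_scans(previous, current):
    """Subcontrol 3.6: classify findings by comparing two scans.

    Findings are matched on (host, check_id). Returns (new, remediated, persistent).
    """
    prev = {(f.host, f.check_id): f for f in previous}
    cur = {(f.host, f.check_id): f for f in current}
    new = [cur[k] for k in cur if k not in prev]
    remediated = [prev[k] for k in prev if k not in cur]
    persistent = [cur[k] for k in cur if k in prev]
    return new, remediated, persistent


def risk_score(finding, criticality):
    """Subcontrol 3.7: a constructed risk rating, CVSS weighted by asset criticality."""
    return round(finding.cvss * criticality.get(finding.host, 1), 1)


def remediation_queue(current, criticality):
    """Order the open findings so the highest-risk item is first."""
    return sorted(current, key=lambda f: risk_score(f, criticality), reverse=True)


if __name__ == "__main__":
    new, remediated, persistent = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("new:", [f.check_id for f in new])
    print("remediated:", [f.check_id for f in remediated])
    print("persistent:", [f.check_id for f in persistent])
    for f in remediation_queue(CURRENT_SCAN, ASSET_CRITICALITY):
        print(f"{risk_score(f, ASSET_CRITICALITY):5.1f}  {f.host:8s} {f.check_id}  {f.title}")
```

The diff is what makes the patch-management Subcontrols (3.4, 3.5) verifiable: a finding that disappears between scans is evidence the patch landed, while one that reappears after being marked remediated points to an image or configuration that was never fixed at the source. The queue shows why a rating process matters: the database host's 7.5 finding outranks nothing on its own, but weighted by criticality it sits above the web host's findings.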
CIS Control 4: Controlled Use of Administrative Privileges
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 4.1 | Maintain Inventory of Administrative Accounts | - | 2, 3 |
| 4.2 | Change Default Passwords | - | 1, 2, 3 |
| 4.3 | Ensure the Use of Dedicated Administrative Accounts | Do not use admin accounts for secondary activities, e.g. web browsing or email | 1, 2, 3 |
| 4.4 | Use Unique Passwords | - | 2, 3 |
| 4.5 | Use Multifactor Authentication for All Administrative Access | - | 2, 3 |
| 4.6 | Use Dedicated Machines for All Administrative Tasks | Use a non-network-connected, dedicated device for admin tasks | 3 |
| 4.7 | Limit Access to Scripting Tools | Scripting tools like Python should only be available to administrative or development users, and only as needed | 2, 3 |
| 4.8 | Log and Alert on Changes to Administrative Group Membership | - | 2, 3 |
| 4.9 | Log and Alert on Unsuccessful Administrative Account Login | Issue alerts following failed login attempts to admin accounts | 2, 3 |
CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 5.1 | Establish Secure Configurations | Document a standardized set of security configurations for all software | 1, 2, 3 |
| 5.2 | Maintain Secure Images | Maintain secure images or templates for all new and existing systems | 2, 3 |
| 5.3 | Securely Store Master Images | - | 2, 3 |
| 5.4 | Deploy System Configuration Management Tools | Automatically enforce and redeploy standard configuration settings at regular intervals | 2, 3 |
| 5.5 | Implement Automated Configuration Monitoring Systems | Use an SCAP-compliant configuration monitoring system | 2, 3 |
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 6.1 | Utilize Three Synchronized Time Sources | To ensure consistent timestamps in logs, use at least three independent time sources | 2, 3 |
| 6.2 | Activate Audit Logging | Enable local logging on all systems and networking devices | 1, 2, 3 |
| 6.3 | Enable Detailed Logging | Log data including event source, date, user, timestamp, source addresses, destination addresses, etc. | 2, 3 |
| 6.4 | Ensure Adequate Storage for Logs | - | 2, 3 |
| 6.5 | Central Log Management | Aggregate logs centrally for analysis and review | 2, 3 |
| 6.6 | Deploy SIEM or Log Analytic Tool | Use a Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis | 2, 3 |
| 6.7 | Regularly Review Logs | - | 2, 3 |
| 6.8 | Regularly Tune SIEM | - | 3 |
CIS Control 7: Email and Web Browser Protections
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 7.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | - | 1, 2, 3 |
| 7.2 | Disable Unnecessary or Unauthorized Browser or Email Client Plugins | Regularly review authorized plugins and extensions and remove them as necessary | 2, 3 |
| 7.3 | Limit Use of Scripting Languages in Web Browsers and Email Clients | - | 2, 3 |
| 7.4 | Maintain and Enforce Network-Based URL Filters | Enforce URL filters in both in-office and remote settings | 2, 3 |
| 7.5 | Subscribe to URL-Categorization Service | Subscribe to a URL-categorization service that automatically blocks unauthorized categories of websites | 2, 3 |
| 7.6 | Log All URL Requests | - | 2, 3 |
| 7.7 | Use of DNS Filtering Services | - | 1, 2, 3 |
| 7.8 | Implement DMARC and Enable Receiver-Side Verification | Enable DMARC verification and SPF to protect against spoofing | 2, 3 |
| 7.9 | Block Unnecessary File Types | Block unnecessary email attachment types | 2, 3 |
| 7.10 | Sandbox All Email Attachments | - | 3 |
CIS Control 8: Malware Defenses
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 8.1 | Utilize Centrally Managed Anti-malware Software | - | 2, 3 |
| 8.2 | Ensure Anti-Malware Software and Signatures are Updated | - | 1, 2, 3 |
| 8.3 | Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies | Use features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) | 2, 3 |
| 8.4 | Configure Anti-Malware Scanning of Removable Devices | Scan USB devices and other removable media when they are connected to your systems | 1, 2, 3 |
| 8.5 | Configure Devices Not To Auto-Run Content | - | 1, 2, 3 |
| 8.6 | Centralize Anti-Malware Logging | - | 2, 3 |
| 8.7 | Enable DNS Query Logging | - | 2, 3 |
| 8.8 | Enable Command-Line Audit Logging | Use command-line audit logging on command shells, e.g. Microsoft PowerShell and Bash | 2, 3 |
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 9.1 | Associate Active Ports, Services, and Protocols to Asset Inventory | - | 2, 3 |
| 9.2 | Ensure Only Approved Ports, Protocols and Services Are Running | Only allow necessary ports, protocols, and services | 2, 3 |
| 9.3 | Perform Regular Automated Port Scans | - | 2, 3 |
| 9.4 | Apply Host-Based Firewalls or Port Filtering | Use default-deny settings to drop prohibited traffic | 1, 2, 3 |
| 9.5 | Implement Application Firewalls | - | 3 |
CIS Control 10: Data Recovery Capabilities
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 10.1 | Ensure Regular Automated Backups | - | 1, 2, 3 |
| 10.2 | Perform Complete System Backups | Use processes such as imaging to back up entire systems | 1, 2, 3 |
| 10.3 | Test Data on Backup Media | Perform data restoration to ensure backups are working | 2, 3 |
| 10.4 | Ensure Protection of Backups | Use physical security or encryption to secure backups in storage | 1, 2, 3 |
| 10.5 | Ensure Backups Have At Least One Non-Continuously Addressable Destination | - | 1, 2, 3 |
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 11.1 | Maintain Standard Security Configurations for Network Devices | Maintain and document standard security configurations | 2, 3 |
| 11.2 | Document Traffic Configuration Rules | Document all configuration rules in a configuration management system, with a specific business reason for each rule | 2, 3 |
| 11.3 | Use Automated Tools to Verify Standard Device Configurations and Detect Changes | Automatically compare all network device configurations against approved security configurations | 2, 3 |
| 11.4 | Install the Latest Stable Version of Any Security-Related Updates on All Network Devices | - | 1, 2, 3 |
| 11.5 | Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions | - | 2, 3 |
| 11.6 | Use Dedicated Machines For All Network Administrative Tasks | Use a segregated machine without internet access for admin tasks | 2, 3 |
| 11.7 | Manage Network Infrastructure Through a Dedicated Network | Manage network infrastructure via network connections using separate VLANs or entirely different physical connectivity | 2, 3 |
CIS Control 12: Boundary Defense
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 12.1 | Maintain an Inventory of Network Boundaries | - | 1, 2, 3 |
| 12.2 | Scan for Unauthorized Connections across Trusted Network Boundaries | - | 2, 3 |
| 12.3 | Deny Communications with Known Malicious IP Addresses | - | 2, 3 |
| 12.4 | Deny Communication over Unauthorized Ports | Deny communication over unauthorized TCP or UDP ports | 1, 2, 3 |
| 12.5 | Configure Monitoring Systems to Record Network Packets | - | 2, 3 |
| 12.6 | Deploy Network-Based IDS Sensors | Deploy network-based Intrusion Detection Systems (IDS) | 2, 3 |
| 12.7 | Deploy Network-Based Intrusion Prevention Systems | - | 3 |
| 12.8 | Deploy NetFlow Collection on Networking Boundary Devices | - | 2, 3 |
| 12.9 | Deploy Application Layer Filtering Proxy Server | Ensure that all inbound and outbound traffic passes through an authenticated application layer proxy configured to filter unauthorized connections | 3 |
| 12.10 | Decrypt Network Traffic at Proxy | Decrypt network traffic prior to analyzing the content, except where URLs are whitelisted | 3 |
| 12.11 | Require All Remote Login to Use Multi-Factor Authentication | - | 2, 3 |
| 12.12 | Manage All Devices Remotely Logging into Internal Network | Enforce your security policies against remote logins to your internal network | 3 |
CIS Control 13: Data Protection
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 13.1 | Maintain an Inventory of Sensitive Information | See our article Conducting a GDPR Data Audit | 1, 2, 3 |
| 13.2 | Remove Sensitive Data or Systems Not Regularly Accessed by Organization | Disconnect rarely-used sensitive data systems from the network | 1, 2, 3 |
| 13.3 | Monitor and Block Unauthorized Network Traffic | - | 3 |
| 13.4 | Only Allow Access to Authorized Cloud Storage or Email Providers | - | 2, 3 |
| 13.5 | Monitor and Detect Any Unauthorized Use of Encryption | - | 3 |
| 13.6 | Encrypt the Hard Drive of All Mobile Devices | Use whole-disk encryption software | 1, 2, 3 |
| 13.7 | Manage USB Devices | Maintain an inventory of all USB devices | 2, 3 |
| 13.8 | Manage System's External Removable Media's Read/Write Configurations | Prohibit systems from writing to removable devices unless necessary | 3 |
| 13.9 | Encrypt Data on USB Storage Devices | - | 3 |
CIS Control 14: Controlled Access Based on the Need to Know
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 14.1 | Segment the Network Based on Sensitivity | Locate all sensitive information on separate Virtual Local Area Networks (VLANs) | 2, 3 |
| 14.2 | Enable Firewall Filtering Between VLANs | - | 2, 3 |
| 14.3 | Disable Workstation to Workstation Communication | - | 2, 3 |
| 14.4 | Encrypt All Sensitive Information in Transit | - | 2, 3 |
| 14.5 | Utilize an Active Discovery Tool to Identify Sensitive Data | - | 3 |
| 14.6 | Protect Information through Access Control Lists | Use file system, network share, claims, application, or database-specific access control lists | 1, 2, 3 |
| 14.7 | Enforce Access Control to Data through Automated Tools | Use an automated tool, such as host-based Data Loss Prevention (DLP) software | 3 |
| 14.8 | Encrypt Sensitive Information at Rest | - | 3 |
| 14.9 | Enforce Detail Logging for Access or Changes to Sensitive Data | Use tools such as File Integrity Monitoring or Security Information and Event Management | 3 |
CIS Control 15: Wireless Access Control
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 15.1 | Maintain an Inventory of Authorized Wireless Access Points | - | 2, 3 |
| 15.2 | Detect Wireless Access Points Connected to the Wired Network | - | 2, 3 |
| 15.3 | Use a Wireless Intrusion Detection System | - | 2, 3 |
| 15.4 | Disable Wireless Access on Devices if Not Required | - | 3 |
| 15.5 | Limit Wireless Access on Client Devices | Only allow access to authorized wireless networks on company devices | 3 |
| 15.6 | Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients | - | 2, 3 |
| 15.7 | Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data | - | 1, 2, 3 |
| 15.8 | Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication | E.g. Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) | 3 |
| 15.9 | Disable Wireless Peripheral Access of Devices | - | 2, 3 |
| 15.10 | Create Separate Wireless Network for Personal and Untrusted Devices | - | 1, 2, 3 |
CIS Control 16: Account Monitoring and Control
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 16.1 | Maintain an Inventory of Authentication Systems | - | 2, 3 |
| 16.2 | Configure Centralized Point of Authentication | Use as few centralized points of authentication as possible, covering network, security, and cloud systems | 2, 3 |
| 16.3 | Require Multi-Factor Authentication | - | 2, 3 |
| 16.4 | Encrypt or Hash all Authentication Credentials | - | 2, 3 |
| 16.5 | Encrypt Transmittal of Username and Authentication Credentials | - | 2, 3 |
| 16.6 | Maintain an Inventory of Accounts | - | 2, 3 |
| 16.7 | Establish Process for Revoking Access | Ensure you can easily revoke account access when a person leaves your organization or no longer requires access | 2, 3 |
| 16.8 | Disable Any Unassociated Accounts | - | 1, 2, 3 |
| 16.9 | Disable Dormant Accounts | Set a prescribed period of inactivity | 1, 2, 3 |
| 16.10 | Ensure All Accounts Have An Expiration Date | Require account renewal after a predetermined date | 2, 3 |
| 16.11 | Lock Workstation Sessions After Inactivity | - | 1, 2, 3 |
| 16.12 | Monitor Attempts to Access Deactivated Accounts | - | 2, 3 |
| 16.13 | Alert on Account Login Behavior Deviation | Log and alert on unusual login times, locations, or durations | 3 |
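Subcontrols 16.8, 16.9, 16.10 and 16.13 can all be driven from the account inventory of 16.6 plus a feed of login events. The Python below is an added example of that review, not part of the original guide and not tied to any particular identity system. The account records, the 90-day dormancy period, the login events, and the per-user baseline of expected countries and working hours are constructed sample values; a real deployment would pull the records from its directory and build the baseline from historical logins.

```python
from datetime import datetime, timedelta

# Constructed account inventory (Subcontrol 16.6); "owner" None means nobody is
# responsible for the account, which is the 16.8 "unassociated" case.
ACCOUNTS = [
    {"user": "alice", "owner": "alice@example.test", "last_login": "2024-02-20T09:12:00", "expires": "2024-12-31"},
    {"user": "svc-backup", "owner": None, "last_login": "2024-02-28T02:00:00", "expires": "2024-06-30"},
    {"user": "bob", "owner": "bob@example.test", "last_login": "2023-10-01T15:30:00", "expires": "2024-12-31"},
    {"user": "carol", "owner": "carol@example.test", "last_login": "2024-02-27T11:05:00", "expires": "2024-01-31"},
]

# Constructed login events and per-user baselines for the 16.13 deviation check.
LOGINS = [
    {"user": "alice", "time": "2024-02-29T03:14:00", "country": "DE"},
    {"user": "alice", "time": "2024-02-28T10:00:00", "country": "DE"},
    {"user": "carol", "time": "2024-02-28T14:00:00", "country": "BR"},
]
BASELINE = {
    "alice": {"countries": {"DE"}, "hours": range(7, 20)},
    "carol": {"countries": {"DE"}, "hours": range(7, 20)},
}

# The "prescribed period of inactivity" from Subcontrol 16.9 (constructed choice).
DORMANT_AFTER = timedelta(days=90)


def review_accounts(accounts, now, dormant_after=DORMANT_AFTER):
    """Flag accounts that should be disabled or renewed (Subcontrols 16.8, 16.9, 16.10)."""
    findings = {"dormant": [], "unassociated": [], "expired": []}
    for a in accounts:
        last = datetime.fromisoformat(a["last_login"])
        if now - last > dormant_after:
            findings["dormant"].append(a["user"])
        if a["owner"] is None:
            findings["unassociated"].append(a["user"])
        if datetime.fromisoformat(a["expires"]).date() < now.date():
            findings["expired"].append(a["user"])
    return findings


def login_deviations(logins, baseline):
    """Subcontrol 16.13: return (user, time, reasons) for logins outside the user's baseline."""
    alerts = []
    for ev in logins:
        b = baseline.get(ev["user"])
        if b is None:
            continue  # no baseline yet; a real system would start learning one here
        t = datetime.fromisoformat(ev["time"])
        reasons = []
        if t.hour not in b["hours"]:
            reasons.append("unusual hour")
        if ev["country"] not in b["countries"]:
            reasons.append("unusual location")
        if reasons:
            alerts.append((ev["user"], ev["time"], reasons))
    return alerts


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 12, 0)  # constructed "current" time for the review
    print(review_accounts(ACCOUNTS, now))
    for user, when, reasons in login_deviations(LOGINS, BASELINE):
        print(f"ALERT {user} at {when}: {', '.join(reasons)}")
```

Two details matter in practice. The review is driven by a fixed reference time passed in rather than by reading the clock inside the function, so the same report can be reproduced later when an auditor asks why an account was disabled. And the service account is flagged only for having no owner, not for dormancy: automated accounts log in regularly, which is exactly why 16.8 exists as a separate check from 16.9.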
CIS Control 17: Implement a Security Awareness and Training Program
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 17.1 | Perform a Skills Gap Analysis | Build a baseline education roadmap for employees | 2, 3 |
| 17.2 | Deliver Training to Fill the Skills Gap | - | 2, 3 |
| 17.3 | Implement a Security Awareness Program | - | 1, 2, 3 |
| 17.4 | Update Awareness Content Frequently | - | 2, 3 |
| 17.5 | Train Workforce on Secure Authentication | - | 1, 2, 3 |
| 17.6 | Train Workforce on Identifying Social Engineering Attacks | E.g. phishing, Business Email Compromise, vishing | 1, 2, 3 |
| 17.7 | Train Workforce on Sensitive Data Handling | - | 1, 2, 3 |
| 17.8 | Train Workforce on Causes of Unintentional Data Exposure | - | 1, 2, 3 |
| 17.9 | Train Workforce Members on Identifying and Reporting Incidents | - | 1, 2, 3 |
CIS Control 18: Application Software Security
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 18.1 | Establish Secure Coding Practices | - | 2, 3 |
| 18.2 | Ensure Explicit Error Checking is Performed for All In-House Developed Software | - | 2, 3 |
| 18.3 | Verify That Acquired Software is Still Supported | - | 2, 3 |
| 18.4 | Only Use Up-to-Date And Trusted Third-Party Components | - | 3 |
| 18.5 | Use Only Standardized and Extensively Reviewed Encryption Algorithms | - | 2, 3 |
| 18.6 | Ensure Software Development Personnel are Trained in Secure Coding | - | 2, 3 |
| 18.7 | Apply Static and Dynamic Code Analysis Tools | - | 2, 3 |
| 18.8 | Establish a Process to Accept and Address Reports of Software Vulnerabilities | Provide a way for external entities to contact your security group | 2, 3 |
| 18.9 | Separate Production and Non-Production Systems | Developers should not have unmonitored access to production environments | 2, 3 |
| 18.10 | Deploy Web Application Firewalls (WAFs) | - | 2, 3 |
| 18.11 | Use Standard Hardening Configuration Templates for Databases | You should also test all systems that are part of critical business processes | 2, 3 |
CIS Control 19: Incident Response and Management
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 19.1 | Document Incident Response Procedures | Ensure you have written incident-response plans | 1, 2, 3 |
| 19.2 | Assign Job Titles and Duties for Incident Response | - | 2, 3 |
| 19.3 | Designate Management Personnel to Support Incident Handling | - | 1, 2, 3 |
| 19.4 | Devise Organization-wide Standards for Reporting Incidents | See our article GDPR Data Protection Policy | 2, 3 |
| 19.5 | Maintain Contact Information For Reporting Security Incidents | - | 1, 2, 3 |
| 19.6 | Publish Information Regarding Reporting Computer Anomalies and Incidents | - | 1, 2, 3 |
| 19.7 | Conduct Periodic Incident Scenario Sessions for Personnel | - | 2, 3 |
| 19.8 | Create Incident Scoring and Prioritization Schema | - | 3 |
CIS Control 20: Penetration Tests and Red Team Exercises
| Subcontrol | Name | Notes | Implementation Groups |
|---|---|---|---|
| 20.1 | Establish a Penetration Testing Program | Include wireless, client-based, and web application attacks | 2, 3 |
| 20.2 | Conduct Regular External and Internal Penetration Tests | - | 2, 3 |
| 20.3 | Perform Periodic Red Team Exercises | - | 3 |
| 20.4 | Include Tests for Presence of Unprotected System Information and Artifacts | E.g. network diagrams, configuration files, penetration test reports, e-mails, passwords | 2, 3 |
| 20.5 | Create Test Bed for Elements Not Typically Tested in Production | - | 2, 3 |
| 20.6 | Use Vulnerability Scanning and Penetration Testing Tools in Concert | - | 2, 3 |
| 20.7 | Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards | E.g. SCAP | 3 |
| 20.8 | Control and Monitor Accounts Associated with Penetration Testing | - | 2, 3 |
Summary
Looking to improve your organization's information security standards? The CIS Controls are the perfect place to start.
Read through our list of CIS Subcontrols and rank them according to your business needs, then implement each one in priority order. This will put you on the path to better information security.
Read our article on Protecting Personal Data in Your Business for more information and ideas.