CIS Controls: A Practical Security Framework
The CIS Controls provide a prioritized set of security actions to defend against cyberattacks. Learn how Implementation Groups help small businesses start with the essentials.
Why CIS Controls matter
Here's the frustrating reality of security frameworks: most of them were designed for enterprises with dedicated security teams, compliance departments, and seemingly unlimited budgets.
The CIS Controls are different.
The Center for Internet Security (CIS) Controls are a prioritized, prescriptive set of security best practices specifically designed to help organizations defend against the most common and damaging cyberattacks. They're not theoretical—they're based on actual attack data and real-world experience.
More importantly for small businesses: CIS provides Implementation Groups that tell you exactly where to start based on your organization's size and risk profile. No more trying to implement 200 controls when you really only need to focus on 56.
What the CIS Controls are
The CIS Controls (currently version 8) consist of 18 control areas with 153 individual safeguards. These are organized by priority:
The 18 CIS Control Areas
| # | Control | Description |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Know what devices are on your network |
| 2 | Inventory and Control of Software Assets | Know what software is running |
| 3 | Data Protection | Protect sensitive data at rest and in transit |
| 4 | Secure Configuration of Assets and Software | Harden default configurations |
| 5 | Account Management | Manage credentials and access |
| 6 | Access Control Management | Enforce least privilege |
| 7 | Continuous Vulnerability Management | Find and fix vulnerabilities |
| 8 | Audit Log Management | Record and review security events |
| 9 | Email and Web Browser Protections | Secure common attack vectors |
| 10 | Malware Defenses | Prevent and detect malicious code |
| 11 | Data Recovery | Ensure backups and restoration |
| 12 | Network Infrastructure Management | Secure network devices |
| 13 | Network Monitoring and Defense | Detect network-based attacks |
| 14 | Security Awareness and Skills Training | Train your people |
| 15 | Service Provider Management | Manage third-party risk |
| 16 | Application Software Security | Secure custom applications |
| 17 | Incident Response Management | Prepare for and handle incidents |
| 18 | Penetration Testing | Test your defenses |
The controls are numbered by priority. Controls 1–6 are considered foundational—you should implement these before moving to others.
Implementation Groups: Your starting point
This is where CIS Controls shine for small businesses: Implementation Groups (IGs).
IGs define which safeguards are appropriate for different organization types. Instead of trying to implement everything, you focus on what matters for your size and risk:
Implementation Group 1 (IG1)
For: Small to medium organizations with limited IT expertise and resources
Profile:
- Small IT staff (or outsourced IT)
- Low data sensitivity (basic business data)
- No dedicated security team
- Limited budget for security tools
Safeguards: 56 foundational safeguards across all 18 controls
Focus: Basic cyber hygiene that protects against common attacks
This is where most small businesses should start—and for many, IG1 provides sufficient protection.
Implementation Group 2 (IG2)
For: Organizations with moderate IT complexity and some dedicated security resources
Profile:
- Dedicated IT staff
- More sensitive data (customer data, financial records)
- Some compliance requirements
- Budget for security tools
Safeguards: 74 additional safeguards (130 total)
Focus: Defense against more sophisticated threats
Implementation Group 3 (IG3)
For: Organizations with significant security requirements
Profile:
- Dedicated security team
- Highly sensitive or regulated data
- Significant compliance requirements
- Mature security program
Safeguards: 23 additional safeguards (153 total)
Focus: Defense against advanced threats
Why small businesses should start with CIS
Several factors make CIS Controls ideal for small organizations:
Prescriptive, not abstract
Many frameworks tell you what to achieve but not how. CIS Controls are specific:
- Not: "Implement access control"
- Instead: "Disable dormant accounts after 45 days of inactivity" (IG1 safeguard 5.3)
This specificity makes implementation clearer.
Prioritized by attack data
CIS Controls are ordered based on what actually stops attacks. The first controls address the most common attack techniques. By implementing in order, you're addressing the highest-risk areas first.
Free to access
The CIS Controls document is freely available. No expensive framework licenses required. Small businesses can download the controls and start implementing immediately.
Maps to other frameworks
CIS provides mappings to NIST CSF, NIST 800-53, ISO 27001, PCI DSS, and other frameworks. If you later need SOC 2 or ISO certification, your CIS work transfers.
Evidence-based
The controls are maintained by a global community of security practitioners and updated based on current threat intelligence. You're not implementing theoretical security—you're implementing what works.
IG1: The essential safeguards for small businesses
Here's what Implementation Group 1 covers across key control areas:
Asset management (Controls 1-2)
| Safeguard | What to do |
|---|---|
| 1.1 | Establish and maintain an inventory of enterprise assets |
| 1.2 | Address unauthorized assets |
| 2.1 | Establish and maintain a software inventory |
| 2.2 | Ensure authorized software is supported |
| 2.3 | Address unauthorized software |
Why it matters: You can't protect what you don't know about. Asset discovery is foundational.
Data protection (Control 3)
| Safeguard | What to do |
|---|---|
| 3.1 | Establish and maintain a data management process |
| 3.2 | Establish and maintain a data inventory |
| 3.3 | Configure data access control lists |
| 3.4 | Enforce data retention |
| 3.6 | Encrypt data on end-user devices |
Why it matters: Data is the target. Knowing where it is and protecting it is critical.
Account management (Controls 5-6)
| Safeguard | What to do |
|---|---|
| 5.1 | Establish and maintain an inventory of accounts |
| 5.2 | Use unique passwords |
| 5.3 | Disable dormant accounts |
| 5.4 | Restrict administrator privileges |
| 6.1 | Establish an access granting process |
| 6.2 | Establish an access revoking process |
| 6.3 | Require MFA for externally-exposed applications |
| 6.4 | Require MFA for remote network access |
| 6.5 | Require MFA for administrative access |
Why it matters: Compromised credentials are the #1 attack vector. Strong account management is essential.
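As an added example (not code from the original page or from CIS's own tooling), here is a small Python check that applies two of the IG1 safeguards in the table above to an account inventory: the 45-day dormancy threshold of safeguard 5.3 and the MFA-for-administrators requirement of 6.5. The CSV layout, field names and sample accounts are assumptions constructed for the example.

```python
"""IG1 account-management checks (safeguards 5.3 and 6.5) over an account inventory."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 45  # threshold stated in CIS safeguard 5.3

@dataclass(frozen=True)
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account has never logged in

# Constructed sample inventory (assumed format; not real data).
SAMPLE_INVENTORY = """username,is_admin,mfa_enabled,last_login
alice,true,true,2024-06-28
bob,false,true,2024-04-01
svc-backup,true,false,2024-06-30
contractor1,false,false,
"""

def parse_inventory(text: str) -> List[Account]:
    """Parse the assumed CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        accounts.append(Account(row["username"], row["is_admin"] == "true",
                                row["mfa_enabled"] == "true", last))
    return accounts

def assess(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return usernames that fail each safeguard, keyed by CIS safeguard id."""
    findings: Dict[str, List[str]] = {"5.3": [], "6.5": []}
    for a in accounts:
        # 5.3: dormant once inactivity reaches 45 days; never-used accounts count as dormant
        if a.last_login is None or (today - a.last_login).days >= DORMANT_DAYS:
            findings["5.3"].append(a.username)
        # 6.5: every administrative account must have MFA enabled
        if a.is_admin and not a.mfa_enabled:
            findings["6.5"].append(a.username)
    return findings

def assess_csv(text: str, today_iso: str) -> Dict[str, List[str]]:
    """Convenience wrapper: CSV text plus an ISO date for 'today'."""
    return assess(parse_inventory(text), date.fromisoformat(today_iso))

def run_sample(today_iso: str = "2024-07-01") -> Dict[str, List[str]]:
    return assess_csv(SAMPLE_INVENTORY, today_iso)
```

Accounts listed under 5.3 are candidates for disabling; those under 6.5 need MFA enrolled before they keep administrative rights.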
Backup and recovery (Control 11)
| Safeguard | What to do |
|---|---|
| 11.1 | Establish and maintain a data recovery process |
| 11.2 | Perform automated backups |
| 11.3 | Protect recovery data |
| 11.4 | Establish and maintain an isolated recovery environment |
| 11.5 | Test data recovery |
Why it matters: When ransomware hits (or disasters strike), backups are your lifeline.
Security awareness (Control 14)
| Safeguard | What to do |
|---|---|
| 14.1 | Establish and maintain a security awareness program |
| 14.2 | Train workforce on authentication best practices |
| 14.3 | Train workforce on data handling |
| 14.4 | Train workforce on causes of unintentional data exposure |
| 14.5 | Train workforce on social engineering attacks |
| 14.6 | Train workforce on incident recognition and reporting |
Why it matters: Your people are both your biggest vulnerability and your best defense.
Building a CIS-based security program
Here's how to practically implement CIS Controls:
Step 1: Assess your current state
Before implementing, understand where you are:
- Which IG1 safeguards do you already meet?
- Which are partially implemented?
- Which are completely missing?
A gap assessment gives you this visibility. See: Questionnaire-Based Gap Assessment
Step 2: Prioritize by control number
CIS Controls are numbered by priority. Focus on lower-numbered controls first:
- Start with Controls 1-2 (Asset Inventory)
- Move to Controls 3-4 (Data Protection, Secure Configuration)
- Then Controls 5-6 (Account and Access Management)
- Continue through remaining controls
Step 3: Document with policies
Each control area should have supporting policies:
- Controls 1-2: Asset management policy
- Control 3: Data classification and protection policy
- Controls 5-6: Access control policy, authentication policy
- Control 7: Vulnerability management policy
- Control 8: Logging and monitoring policy
- Control 11: Backup and recovery policy
- Control 14: Security awareness training policy
- Control 17: Incident response policy
See: How to Create Cybersecurity Policies
Step 4: Implement technical controls
Deploy the technologies required for each safeguard:
- Endpoint protection and management
- Vulnerability scanning
- MFA for critical systems
- Backup solutions
- Logging and monitoring tools
- Email security
Step 5: Establish ongoing processes
CIS Controls require continuous effort:
- Regular asset inventory updates
- Periodic access reviews
- Ongoing vulnerability scanning and patching
- Security awareness training cadence
- Incident response testing
CIS Controls vs. other frameworks
How do CIS Controls compare to frameworks you might be considering?
CIS Controls vs. NIST CSF
| Factor | CIS Controls | NIST CSF |
|---|---|---|
| Approach | Prescriptive | Outcome-based |
| Specificity | High (specific safeguards) | Lower (flexible guidance) |
| Prioritization | Built-in (IGs) | User-defined |
| Certification | No (self-assessment) | No (self-assessment) |
| Best for | Organizations wanting clear direction | Organizations wanting flexibility |
Many organizations use the CIS Controls as the "how" for implementing the "what" that NIST CSF describes.
See: NIST Cybersecurity Framework
CIS Controls vs. SOC 2
| Factor | CIS Controls | SOC 2 |
|---|---|---|
| Type | Security framework | Audit attestation |
| Audit required | No | Yes (CPA firm) |
| Output | Self-assessment | Formal report |
| Customer expectation | Internal use | External assurance |
| Cost | Low | Medium-high |
CIS Controls are internal guidance; SOC 2 provides external proof. Many companies use CIS internally while pursuing SOC 2 for customers.
See: SOC 2 Compliance
CIS Controls vs. ISO 27001
| Factor | CIS Controls | ISO 27001 |
|---|---|---|
| Type | Security controls | Management system |
| Certification | No | Yes |
| Scope | Security-focused | Broader governance |
| Recognition | High (especially US) | High (especially global) |
| Implementation time | Weeks to months | Months to year+ |
CIS Controls can serve as the technical control set within an ISO 27001 ISMS.
See: ISO 27001 Compliance
Frequently asked questions
Is CIS certification available?
Not directly. CIS Controls are a framework, not a certification standard. However, CIS offers the CIS Controls Self Assessment Tool (CIS-CSAT) for tracking implementation, and some organizations pursue assessments against CIS Controls for internal validation.
How long does IG1 implementation take?
For a small organization (50 people or fewer) with basic IT infrastructure, achieving reasonable IG1 compliance typically takes 3–6 months. This includes assessment, policy development, technical implementation, and training.
Do I need specialized tools?
Not necessarily. Many IG1 safeguards can be implemented with:
- Native features of your existing systems
- Free or low-cost tools
- Process and documentation changes
IG2 and IG3 typically require more specialized security tools.
How do CIS Controls help with other compliance?
CIS provides mapping documents showing how controls align with:
- NIST CSF
- NIST 800-53
- ISO 27001/27002
- PCI DSS
- HIPAA
If you implement CIS Controls, you've made progress toward multiple frameworks simultaneously.
Should I start with CIS if I eventually need SOC 2?
Yes. CIS Controls address most of the technical controls required for SOC 2 Security. Starting with CIS builds a strong foundation, and the work directly transfers when you pursue SOC 2 attestation.
What about CIS Benchmarks?
CIS Benchmarks are separate from CIS Controls. Benchmarks are specific secure configuration guides for operating systems, cloud platforms, and applications. They complement CIS Controls—particularly Control 4 (Secure Configuration).
Where CyberPolicify fits
CIS Controls provide excellent guidance, but they still require significant work to implement—policies to write, assessments to conduct, documentation to maintain.
CyberPolicify makes CIS implementation practical for small businesses:
CIS-aligned policy generation
Generate policies that directly address CIS Control requirements. Our AI creates documentation tailored to your environment and mapped to specific CIS safeguards.
Implementation Group-based assessment
Run gap assessments against your target Implementation Group. Identify exactly which safeguards you've implemented and which need work—without reading through 153 safeguards yourself.
Priority-based remediation
Get remediation recommendations in CIS priority order. Focus on the controls that matter most based on attack data and your organization's risk profile.
Cross-framework mapping
See how your CIS implementation maps to SOC 2, NIST CSF, and ISO 27001. Build toward multiple compliance goals with a single effort.
Built for resource-constrained teams
We know you don't have a dedicated security team. Our platform helps you implement CIS Controls efficiently, with minimal time and expertise required.
CIS Controls are the most practical starting point for small business security. CyberPolicify helps you get there faster.
Generate documentation mapped to frameworks
Start with policies and procedures aligned to the framework, then close gaps with a clear plan.