ELI5: What are CIS Controls?
Think of a to-do list for staying safe online, sorted from “do this first” to “do this later.” The CIS Controls are that list for companies — the most important safety steps ranked in order so you start with the basics.
Definition
The CIS Controls (Center for Internet Security Controls), formerly known as the SANS Top 20, are a prioritized set of cybersecurity best practices designed to help organizations defend against the most common and impactful attack techniques. The controls are organized into three implementation groups (IG1, IG2, IG3) based on organizational size and maturity, allowing organizations to start with the most essential controls and expand over time.
Key Details
- Currently at version 8; organized into 18 control categories (down from 20 in v7)
- Implementation Group 1 (IG1) covers essential cyber hygiene for all organizations
- IG2 and IG3 add progressively more sophisticated controls for larger and more mature organizations
- CIS also publishes CIS Benchmarks — detailed technical hardening guides for specific platforms
- Exam tip: CIS Controls are a voluntary framework; they complement regulatory compliance but do not replace it
Connections
- Parent: regulations-and-frameworks — CIS Controls are a widely adopted security framework
- See also: benchmarks-vs-frameworks
- See also: nist-cybersecurity-framework-csf