Table of Contents
- Module 1: Understanding the CIS Controls
- Module 2: Planning Your CIS Implementation
- Module 3: Implementing the CIS Controls
- Module 4: Maintaining and Assessing the CIS Controls
- Module 5: Case Study — Implementing the CIS Controls at Globomantics
- Summary
Module 1: Understanding the CIS Controls
What Are Security Controls?
Security controls are measures or safeguards implemented to protect an organization’s information assets — its systems, data, equipment, facilities, people, and processes — from harm, danger, or malicious activity. Before examining the CIS Controls specifically, it is useful to review the general vocabulary used to classify controls, since this vocabulary recurs throughout the CIS Controls framework.
There are three basic control types commonly recognized in cybersecurity (note that different sources may categorize these slightly differently; the concepts below are a general framework):
| Control Type | Also Known As | Typical Examples |
|---|---|---|
| Administrative | Managerial controls | Policies, procedures, standards, guidelines |
| Technical | Logical controls | Firewalls, encryption systems, authentication mechanisms |
| Physical | Operational controls | Chain-link fencing, guards, gates, CCTV systems, guard dogs |
In addition to control type, controls are also classified by control function — what the control actually does to protect an asset:
| Control Function | Description | Example |
|---|---|---|
| Deterrent | Visible controls meant to make a would-be attacker “think twice.” Deterrent controls are a subset of preventative controls. | A visible CCTV camera |
| Preventative | Stops a malicious act from occurring, whether or not the target is aware of the control | A firewall rule blocking access to a prohibited site — the user doesn’t need to know the rule exists for it to work |
| Detective | Identifies that a security event happened | Audit trails, intrusion detection alarms, network logs |
| Compensating | A substitute control used when a primary control fails or is otherwise unavailable, reducing risk even though it isn’t as strong as the primary control | Building a temporary wall when a storm damages a section of perimeter fencing and a full fence replacement isn’t immediately affordable |
| Corrective | A short-term, temporary fix for an immediate security issue (in contrast to the more permanent compensating control) | Posting a guard at a broken section of fence overnight until it can be repaired |
| Recovery | Restores the organization, facility, or asset to normal operations after an incident or disaster | Restoring backed-up data to a server damaged during a disaster |
These control functions can overlap. For example, a data backup could reasonably be classified as both a recovery control (it restores lost data) and a preventative control (it prevents permanent data loss). Rather than trying to force every control into a single, rigid function, treat these categories as descriptive labels that can apply in combination.
flowchart TD
A[Security Control] --> B{Control Type}
B --> B1[Administrative / Managerial<br/>Policies, procedures, standards]
B --> B2[Technical / Logical<br/>Firewalls, encryption, auth]
B --> B3[Physical / Operational<br/>Fencing, guards, CCTV]
A --> C{Control Function}
C --> C1[Deterrent<br/>Visible, discourages action]
C --> C2[Preventative<br/>Stops the act from happening]
C --> C3[Detective<br/>Identifies that it happened]
C --> C4[Compensating<br/>Substitute when primary fails]
C --> C5[Corrective<br/>Temporary immediate fix]
C --> C6[Recovery<br/>Restores operations post-incident]
C1 -.subset of.-> C2
What Are the CIS Controls?
The CIS Controls are a comprehensive set of security controls promoted by the Center for Internet Security (CIS) that organizations use to secure their information assets — systems, data, and more. The CIS Controls are one of two components of the CIS Best Security Practices; the other component is the CIS Benchmarks (covered later in this document).
Key facts about the CIS Controls:
- They are designed to cover the most critical areas that organizations need to protect against malicious entities such as hackers.
- They are designed to provide real security, not simply to “check a box” for compliance — although they can certainly support compliance efforts as well.
- They are organized into 18 top-level control areas (e.g., inventorying assets).
- Those 18 areas are broken down into 153 individual controls (also called safeguards).
- The 153 safeguards are spread across three Implementation Groups (IGs), which prioritize and scale the controls according to an organization’s size and complexity (covered in depth in Module 2).
- The current version at the time of this course is CIS Controls version 8, published in May 2021.
flowchart LR
CIS[CIS Best Security Practices] --> Controls[CIS Controls<br/>18 Control Areas / 153 Safeguards]
CIS --> Benchmarks[CIS Benchmarks<br/>Platform Configuration Guides]
Controls --> IG1[Implementation Group 1]
Controls --> IG2[Implementation Group 2]
Controls --> IG3[Implementation Group 3]
Background and History of the CIS Controls
The CIS Critical Security Controls have an extensive history:
| Year | Milestone |
|---|---|
| 2008 | Originally developed following compromises of U.S. government systems. The NSA, together with community supporters from both government and industry, developed the initial control set. |
| — | Handed over to the SANS Institute, which maintained, expanded, and revised them. They became popularly known in the security community as the SANS Top 20. |
| 2013 | SANS handed the controls to the Council on Cyber Security. |
| 2015 | The controls found their permanent home with the Center for Internet Security (CIS). |
| 2019 | Version 7.1 introduced Implementation Groups, making the controls easier to prioritize, easier to implement for smaller organizations, and scalable. |
| 2021 (May) | Version 8 was released. |
flowchart LR
Y2008[2008<br/>NSA + community<br/>develop initial controls] --> SANS[SANS Institute<br/>SANS Top 20]
SANS --> Y2013[2013<br/>Council on<br/>Cyber Security]
Y2013 --> Y2015[2015<br/>Center for Internet<br/>Security - permanent home]
Y2015 --> Y2019[2019<br/>v7.1<br/>Implementation Groups introduced]
Y2019 --> Y2021[2021<br/>v8 released - May 2021]
The controls have evolved over time but have consistently maintained cutting-edge relevance to cybersecurity: as new threats emerge, the controls are updated to counter them.
Purpose of the CIS Controls
The CIS Controls serve three main purposes:
- Secure assets — protect data, systems, facilities, and people.
- Ensure compliance with governance — many governance vehicles (HIPAA, PCI-DSS, NIST, ISO, etc.) require organizations to secure data using a formalized control structure. Implementing the CIS Controls helps demonstrate compliance with those requirements.
- Reduce risk — without security controls, organizations don’t have visibility into their actual risk level (though it can be assumed to be high). Implementing safeguards reduces that risk.
flowchart TD
Purpose[CIS Controls Purpose] --> P1[Secure Assets<br/>Systems, data, facilities, people]
Purpose --> P2[Ensure Compliance<br/>HIPAA, PCI, NIST, ISO, etc.]
Purpose --> P3[Reduce Risk<br/>Provide visibility and mitigation]
Even if an organization already operates under a different governance framework (such as HIPAA or NIST), the CIS Controls can complement — or in some cases substitute for — the controls required by those other frameworks.
CIS Control Concepts: Areas, Safeguards, and Implementation Groups
The CIS Controls are organized as follows:
- 18 control areas (e.g., Data Protection, Account Management).
- 153 individual controls (safeguards) spread across those 18 areas.
- 3 Implementation Groups (IGs) that build on a base set of critical controls and progressively add more depth, detail, and security.
The Implementation Groups are cumulative:
| Implementation Group | Controls Added | Cumulative Total |
|---|---|---|
| IG1 | 56 baseline controls | 56 |
| IG2 | +74 additional controls | 130 |
| IG3 | +23 additional controls | 153 |
In other words, to fully achieve IG2, an organization must implement all 56 IG1 controls plus the 74 additional IG2 controls. To fully achieve IG3, an organization must implement all 130 IG1+IG2 controls plus the 23 additional IG3 controls.
flowchart TD
subgraph IG3["Implementation Group 3 (153 total)"]
direction TB
subgraph IG2["Implementation Group 2 (130 total)"]
direction TB
subgraph IG1["Implementation Group 1 (56 total)"]
Base[56 Basic Cyber Hygiene Controls]
end
Add2[+74 Additional Controls]
end
Add3[+23 Additional Controls]
end
We will cover the Implementation Groups in much greater depth in Module 2, including why they exist and how they apply to organizations of different sizes.
Who Should Implement the CIS Controls?
The CIS Controls are broadly applicable — they are not restricted to any particular type or size of organization:
- Any size organization — small, medium, or large. Small organizations or those without dedicated security staff can benefit from implementing at minimum the 56 basic cyber hygiene controls in IG1.
- Any organization with sensitive data — the controls become more detailed and in-depth as you move into IG3, designed to protect more sensitive data types. Any data of value to an organization can be considered sensitive.
- Any organization with compliance requirements — the CIS control set maps closely to, and is frequently cross-mapped with, other control sets such as NIST and PCI-DSS. Organizations already using another framework can map their existing controls to CIS, or vice versa.
- Any industry — government, government contractors, nonprofits, service businesses, manufacturing, and more. It does not matter what industry an organization is in; the CIS Controls are designed to protect systems and data broadly. Government agencies with NIST Framework requirements can still benefit, since CIS maps to those NIST requirements as well.
mindmap
root((Who Benefits<br/>from CIS Controls))
Organization Size
Small
Medium
Large
Data Sensitivity
Any valuable data
Highly sensitive data -> IG3
Compliance Drivers
HIPAA
PCI-DSS
NIST
ISO/IEC 27001
Industry
Government / Contractors
Nonprofits
Service businesses
Manufacturing
Module 1 Recap
This module covered the foundations of the CIS Controls: what they are, their history (from the 2008 NSA-driven origins through the SANS Top 20, the Council on Cyber Security, and their permanent home at CIS), their three purposes (securing assets, ensuring compliance, and reducing risk), and the basic control concepts — 18 control areas, 153 individual controls, and 3 cumulative Implementation Groups. It also covered which organizations should implement the controls: essentially any organization, regardless of size, industry, or existing governance requirements.
Module 2: Planning Your CIS Implementation
This module goes deeper into the design and construction of the CIS Controls, examines the Implementation Groups in more detail, introduces the CIS Benchmarks, and discusses the considerations involved in planning a CIS Controls implementation.
The 18 CIS Control Areas in Depth
As of version 8 (May 2021), the CIS Controls are organized into 18 control areas, spread across the three Implementation Groups. Importantly, the controls are not spread evenly across the IGs — some control areas have no representation at all in IG1. The individual controls within a single control area also vary in depth, detail, and implementation complexity; this variability is precisely why the Implementation Groups exist — to let organizations implement a basic, manageable set of controls regardless of size or available resources.
The 18 control areas and their total number of individual safeguards are:
| # | Control Area | Total Safeguards | Notes from Narration |
|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | 5 | IG1: 2, IG2 adds 2 (cumulative 4), IG3 adds 1 (cumulative 5) |
| 2 | Inventory and Control of Software Assets | 7 | IG1: 3, IG2 adds 3 (cumulative 6), IG3 adds 1 (cumulative 7) |
| 3 | Data Protection | 14 | Distribution not itemized in this course — consult the CIS Controls Navigator for full per-safeguard IG mapping |
| 4 | Secure Configuration of Enterprise Assets and Software | 12 | See note above |
| 5 | Account Management | 6 | See note above |
| 6 | Access Control Management | 8 | See note above |
| 7 | Continuous Vulnerability Management | 7 | See note above |
| 8 | Audit Log Management | 12 | See note above |
| 9 | Email and Web Browser Protections | 7 | See note above |
| 10 | Malware Defenses | 7 | Spread across all three IGs (used as an example area in this course) |
| 11 | Data Recovery | 5 | See note above |
| 12 | Network Infrastructure Management | 8 | See note above |
| 13 | Network Monitoring and Defense | 11 | IG1: 0 — no controls in this area appear in IG1. IG2 adds 6, IG3 adds 5 more |
| 14 | Security Awareness and Skills Training | 9 | See note above |
| 15 | Service Provider Management | 7 | See note above |
| 16 | Application Software Security | 14 | See note above |
| 17 | Incident Response Management | 9 | See note above |
| 18 | Penetration Testing | 5 | IG1: 0 — spread only across IG2 and IG3 |
Total: 153 individual safeguards across 18 control areas.
You do not need to memorize this exact distribution. CIS publishes a downloadable chart on the CIS Controls site showing the complete distribution of controls across the Implementation Groups. The important takeaway is that the distribution is uneven — some areas (like Network Monitoring and Defense, and Penetration Testing) have zero representation in IG1 because they typically require more mature security programs and dedicated resources to implement.
Each individual control (safeguard) within an area is numbered using a <area>.<safeguard> scheme — for example, safeguards 1.1, 1.2, 1.3, and so on within the “Inventory and Control of Enterprise Assets” area. Each safeguard also carries a name and an indicator of which Implementation Group(s) it belongs to.
flowchart TD
CIS8[CIS Controls v8<br/>153 Safeguards] --> A1[1. Inventory & Control<br/>of Enterprise Assets - 5]
CIS8 --> A2[2. Inventory & Control<br/>of Software Assets - 7]
CIS8 --> A3[3. Data Protection - 14]
CIS8 --> A4[4. Secure Configuration - 12]
CIS8 --> A5[5. Account Management - 6]
CIS8 --> A6[6. Access Control Management - 8]
CIS8 --> A7[7. Continuous Vulnerability Mgmt - 7]
CIS8 --> A8[8. Audit Log Management - 12]
CIS8 --> A9[9. Email & Web Browser Protections - 7]
CIS8 --> A10[10. Malware Defenses - 7]
CIS8 --> A11[11. Data Recovery - 5]
CIS8 --> A12[12. Network Infrastructure Mgmt - 8]
CIS8 --> A13[13. Network Monitoring & Defense - 11]
CIS8 --> A14[14. Security Awareness & Skills Training - 9]
CIS8 --> A15[15. Service Provider Management - 7]
CIS8 --> A16[16. Application Software Security - 14]
CIS8 --> A17[17. Incident Response Management - 9]
CIS8 --> A18[18. Penetration Testing - 5]
Understanding the Three Implementation Groups
Implementation Groups (IGs) were established with version 7.1. Their purpose is to allow the CIS Controls to be prioritized and scaled according to the needs and resources of the organization.
| Implementation Group | Description | Cumulative Safeguards | Target Organization |
|---|---|---|---|
| IG1 | Basic cyber hygiene. The first 56 safeguards. Designed so that even a small organization with limited resources can implement them. Studies suggest these controls alone account for most of the security issues organizations face, and implementing them can significantly reduce risk. | 56 | Any organization, especially small organizations with limited resources — these are the minimum controls every organization should implement |
| IG2 | Adds 74 additional controls. Assists in managing security for enterprise-level IT infrastructure. | 130 | Medium to large companies with more mature security programs and greater resources |
| IG3 | Adds 23 additional safeguards above IG1+IG2. | 153 (all controls) | Organizations with highly sensitive data to protect that want to be forward-thinking about preventing or mitigating advanced attacks |
Because with 153 total safeguards a full implementation can seem daunting, the Implementation Groups let an organization prioritize and scale the rollout — starting, at minimum, with IG1.
An example of the kind of controls found only in IG3 (the 23 additional safeguards beyond IG1+IG2) includes things like:
- Allow-listing of scripts
- Use of data loss prevention (DLP) solutions
- Application-layer filtering
These represent the advanced depth, detail, and complexity expected of a mature organization with a large, dedicated IT and cybersecurity staff — capabilities a smaller organization with only one or two IT staff may not be able to support.
flowchart LR
Org1[Small Organization<br/>Limited resources] --> IG1[IG1: 56 Controls<br/>Basic Cyber Hygiene]
Org2[Medium/Large Organization<br/>Enterprise IT infrastructure] --> IG2[IG2: 130 Controls<br/>IG1 + 74 additional]
Org3[Organization with<br/>Highly Sensitive Data] --> IG3[IG3: 153 Controls<br/>IG1 + IG2 + 23 additional]
IG1 -.baseline for.-> IG2
IG2 -.baseline for.-> IG3
Using the CIS Benchmarks
The CIS Benchmarks are configuration guides for specific platforms — operating systems (Windows, Linux, and older OS versions), applications, and devices. They complement the CIS Controls by telling you exactly how to configure a system securely.
Key facts:
- Available for free as PDF documents.
- CIS members can obtain them in machine-readable formats such as XCCDF, enabling automated configuration and assessment.
- Can be applied manually or through automated scripting.
- Used to build CIS Hardened Images — pre-built, securely configured virtual machine images (covered further in Module 3).
Walkthrough example — CIS Benchmark for Microsoft Windows 10 Enterprise, Password Policy:
The benchmark’s table of contents lists configuration categories such as Password Policy, Account Lockout Policy, and Local Policies. Drilling into a specific setting shows the following structure:
| Field | Example Content |
|---|---|
| Setting | Ensure Minimum password length is set to 14 or more character(s) |
| Description | Explanation of what the setting does and why it matters |
| Notes | Additional context or caveats |
| Remediation | The exact steps to configure the setting |
| Registry/GPO Path | Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length |
| Default Value | 7 characters on domain members, 0 characters on standalone servers |
| Recommended Value | 14 characters |
| Mapped Control | Reference to the corresponding CIS Control/safeguard |
Manually applying every benchmark setting this way would be a long, cumbersome process for an entire operating system — which is why automated tooling (via the XCCDF format or third-party products) is the recommended approach for larger-scale deployments.
flowchart TD
Bench[CIS Benchmark] --> Format{Available Format}
Format -->|Free| PDF[PDF Document]
Format -->|CIS Membership| XCCDF[XCCDF / Machine-Readable]
PDF --> Manual[Manual Configuration]
XCCDF --> Auto[Automated Configuration<br/>via Scripts / Tools]
Manual --> Hardened[Securely Configured System]
Auto --> Hardened
Hardened --> Images[Used to Build<br/>CIS Hardened Images]
Planning the CIS Control Implementation
Before implementing the CIS Controls, an organization should ask itself several key questions and consider a set of planning strategies.
Key planning questions:
- What is our current security posture? Do we have effective, risk-reducing controls in place already?
- Do we need additional resources (money, qualified personnel, equipment)? (Almost every organization does.)
- What are our governance requirements — HIPAA, PCI-DSS, NIST RMF, or others?
- Have we inventoried our business processes — the critical processes, and the systems, equipment, and information that support them?
- What are our data sensitivity requirements? Have sensitivity/criticality levels been assigned to systems and data supporting critical business processes?
Recommended implementation strategies:
- Start with IG1. These are the basic cyber hygiene controls that every organization needs, regardless of size or resources — get these “quick wins” implemented first.
- Prioritize by speed and effectiveness. Distinguish “quick wins” (e.g., removing unnecessary administrative privileges from users, which costs no money though it may cause user friction) from higher-cost, higher-effort controls (e.g., purchasing and configuring new equipment, requiring dedicated qualified staff).
- Mitigate what you can’t fully implement. If a specific control cannot be implemented, consider strengthening other controls or adding compensating controls to reduce the associated risk instead of simply accepting the gap.
- Leverage existing governance frameworks. If under mandatory governance (HIPAA, PCI-DSS, etc.), leverage controls you already have in place, and map them to the CIS Controls (or vice versa) rather than duplicating work.
flowchart TD
Start([Begin Planning]) --> Q1{Current Security<br/>Posture?}
Q1 --> Q2{Governance<br/>Requirements?}
Q2 --> Q3{Business Processes<br/>Inventoried?}
Q3 --> Q4{Data Sensitivity<br/>Assigned?}
Q4 --> S1[Strategy: Implement IG1 First]
S1 --> S2[Strategy: Prioritize Quick Wins<br/>vs. High-Cost Controls]
S2 --> S3{Can Every Control<br/>Be Implemented?}
S3 -->|No| S3a[Add Compensating Controls<br/>to Mitigate Risk]
S3 -->|Yes| S4[Leverage Existing<br/>Governance Frameworks]
S3a --> S4
S4 --> Done([Proceed to Implementation])
Module 2 Recap
This module examined the 18 control areas and how the 153 total controls are distributed — unevenly — across the three Implementation Groups. It covered the purpose of IG1 (basic cyber hygiene, mandatory baseline), IG2 (enterprise-scale controls), and IG3 (advanced protection for highly sensitive data). It also introduced the CIS Benchmarks as configuration guides for securing platforms like Windows and Linux, and closed with planning considerations and strategies — including starting with IG1, prioritizing quick wins, using compensating controls where needed, and leveraging existing governance frameworks.
Module 3: Implementing the CIS Controls
The Implementation Process and Key Questions
Implementation is a critical step that follows planning, but even careful planning will not anticipate every issue — implementation rarely proceeds exactly according to plan.
During implementation, two overarching concerns must be addressed:
- Security AND privacy — controls must protect not just data broadly, but the privacy of personal, health, and financial data over which individuals have rights.
- The specific security objective the control targets:
- Confidentiality → access controls, rights, permissions, privileges, encryption
- Integrity → integrity-checking mechanisms, hashing
- Availability → redundancy, backups
Key questions to ask before/during implementation:
- Which controls are already in place? Can any existing controls (e.g., an existing firewall, network security device, or application-level encryption) be leveraged to fulfill CIS or other governance requirements? Are they sufficient?
- Which controls have yet to be implemented? Is there a prioritized list and implementation order?
- How effective are existing controls? Was risk or effectiveness assessed beforehand, to understand the gap between current and target state?
- How will new controls be implemented on existing systems? Are they interoperable with other components? Do other system components need upgrading (e.g., changing an encryption algorithm supported network-wide)?
Implementation approach:
- Determine which controls are already in place and to what extent, and how well they are functioning.
- Perform a gap analysis — the difference between current state and target state.
- Evaluate functionality: interoperability with other components, cost, effectiveness, and the type/amount of risk reduced.
flowchart TD
Plan([Planning Complete]) --> Existing{Controls Already<br/>in Place?}
Existing -->|Yes| Leverage[Assess Sufficiency<br/>Leverage Existing Control]
Existing -->|No| ToDo[Add to Prioritized<br/>Implementation List]
Leverage --> Gap[Perform Gap Analysis]
ToDo --> Gap
Gap --> Eval[Evaluate: Interoperability,<br/>Cost, Effectiveness, Risk Reduction]
Eval --> Install[Proceed to Installation]
Integrating CIS Controls with Other Governance Frameworks
Many organizations manage multiple types of sensitive data, some of which is regulated by law, requiring integration of the CIS Controls with other governance or control frameworks.
Regulatory vs. voluntary frameworks:
| Type | Description | Examples |
|---|---|---|
| Regulatory | Imposed by laws/regulations, typically tied to a data type | HIPAA (healthcare data) |
| Voluntary | Chosen by the organization | PCI-DSS (though effectively mandatory for card processors), NIST SP 800-53, ISO/IEC 27001 |
Requirements for using a specific framework can come from:
- Governance imposed by law or regulation.
- Industry requirements — e.g., the automotive industry may require its suppliers/partners to meet a specific control framework to do business.
- Data type processed — e.g., processing credit card transactions triggers PCI-DSS; processing healthcare data triggers HIPAA.
How CIS deals with other frameworks:
- Some frameworks require a specific control set (e.g., PCI-DSS for card transactions).
- Some frameworks recommend but do not require a control set — HIPAA has data protection requirements (security and privacy rules) but does not mandate a specific control set; it strongly recommends NIST controls, but the CIS Controls can satisfy HIPAA requirements in most cases.
- Control sets are broadly similar because they cover the same fundamental security requirements (e.g., password complexity appears in CIS, NIST, HIPAA, PCI-DSS, and ISO alike), which makes cross-mapping feasible.
Mapping considerations:
- Mappings are not always one-to-one — a single control in one framework may cover several controls in another (one-to-many or many-to-one).
- Mappings are useful when an organization already has a control set in place but must demonstrate equivalent compliance with a different framework, or when it must comply with multiple frameworks simultaneously (e.g., HIPAA + PCI-DSS + NIST + ISO).
Process for using mappings:
- Determine the baseline control set/framework in use.
- Inventory and document existing controls (e.g., account management, password complexity).
- Use mappings (to or from CIS) to determine how equivalent the existing controls are — is it one-to-one, one-to-many, or many-to-one?
- Document the specifics of the mapping, including coverage depth and any shortfalls, so that gaps are visible.
CIS publishes mappings for numerous frameworks, including:
| Framework |
|---|
| HIPAA |
| NIST SP 800-171 |
| NIST SP 800-53 |
| NIST Cybersecurity Framework (CSF) |
| PCI-DSS |
| SOC 2 |
| CSA Cloud Controls Matrix |
In some cases, cross-mapping is required — e.g., mapping CIS to NIST SP 800-53, which in turn maps to ISO controls, achieving an indirect mapping between CIS and ISO.
Example: CIS-to-HIPAA mapping spreadsheet columns
| Field | Example |
|---|---|
| CIS Control | Control area name |
| Safeguard Number | e.g., 3.11 |
| Asset Type | e.g., Data |
| Security Function | e.g., Protect |
| Title | Safeguard title |
| Description | Safeguard description |
| Relationship | e.g., Superset — the CIS control covers more than one HIPAA control |
| HIPAA Control | The mapped HIPAA control reference |
| HIPAA Title | Mapped control’s title |
| HIPAA Description | Mapped control’s description |
flowchart TD
Baseline[Determine Baseline<br/>Framework in Use] --> Inventory[Inventory & Document<br/>Existing Controls]
Inventory --> MapType{Mapping Type}
MapType --> OneToOne[One-to-One]
MapType --> OneToMany[One-to-Many]
MapType --> ManyToOne[Many-to-One]
OneToOne --> Document[Document Coverage<br/>and Shortfalls]
OneToMany --> Document
ManyToOne --> Document
Document --> Cross{Cross-Mapping<br/>Needed?}
Cross -->|Yes, e.g. CIS to NIST 800-53 to ISO| Indirect[Perform Indirect Mapping]
Cross -->|No| Direct[Use Direct Mapping]
Using the CIS Benchmarks, Hardened Images, and Security Metrics
CIS Benchmarks (recap and expansion): recommended configuration settings for operating systems, applications, and devices. Available for Windows (including older versions), various Linux distributions (CentOS, Red Hat, etc.), and select applications. Free as PDF; XCCDF and other machine-readable formats available to CIS members for automation. Many third-party tools — including some published by CIS itself — accept these benchmarks to configure and assess assets.
CIS Hardened Images: virtual machine images that are pre-configured according to the CIS Benchmarks, covering various operating systems and applications. Available through major cloud infrastructure providers, including AWS, Azure, Google Cloud Platform, and Oracle Cloud, and can be downloaded or run directly in the cloud. Includes various Linux distributions and Microsoft Windows Server distributions.
CIS Security Metrics: CIS publishes documentation and guidance to help organizations assess security performance across business areas. This guidance defines 28 measurements across 7 security business functions:
| Security Business Function |
|---|
| Incident Management |
| Vulnerability Management |
| Patch Management |
| Configuration Management |
| Change Management |
| Application Security |
| Financial Metrics (cost effectiveness of the CIS Controls implementation) |
Sample metrics published by CIS:
| Metric |
|---|
| Cost of incidents |
| Mean time to incident recovery |
| Mean time to mitigate vulnerabilities |
| Mean time to patch |
| Percentage of configuration compliance |
| Percent of changes with security exceptions |
| Security testing coverage |
| IT security budget allocation |
flowchart LR
Benchmarks[CIS Benchmarks] --> HardenedImages[CIS Hardened Images<br/>Pre-configured VM images]
HardenedImages --> Cloud1[AWS]
HardenedImages --> Cloud2[Azure]
HardenedImages --> Cloud3[Google Cloud Platform]
HardenedImages --> Cloud4[Oracle Cloud]
Metrics[CIS Security Metrics<br/>28 measurements / 7 functions] --> M1[Incident Management]
Metrics --> M2[Vulnerability Management]
Metrics --> M3[Patch Management]
Metrics --> M4[Configuration Management]
Metrics --> M5[Change Management]
Metrics --> M6[Application Security]
Metrics --> M7[Financial Metrics]
Steps to Implement the CIS Controls
Beyond planning and the questions discussed above, a set of concrete implementation steps helps ensure success:
- Install the control — put it into operation, whether it is a network device, software program, security mechanism, physical control, or security policy.
- Test the control — confirm it was installed correctly, that it functions as intended, and that it is effective (does its job to the expected performance level) as well as efficient (doesn’t consume excessive time, power, or staff effort relative to its benefit).
- Document the control — configuration items, diagrams, installation notes, management/change-control-board approvals, and pre-implementation test data. Documentation is critical before, during, and after installation.
- Check interoperability — is the control causing problems with other systems? Excessive network traffic or bandwidth consumption? Are encryption and authentication mechanisms understood by all other devices on the network?
- Ensure the control does not interfere with operations — an overly restrictive control that blocks legitimate access or authentication needs to be tuned; remember that “the business of the business is business,” not security for its own sake.
- Train users on new controls (e.g., a new secure email encryption workflow) and train the staff responsible for managing/maintaining the control (e.g., configuring and maintaining firewall rule sets).
- Monitor the control on an ongoing basis for function, performance, and effectiveness (covered in depth in Module 4).
| Step | Purpose |
|---|---|
| Install | Put the control into operation |
| Test | Verify correct installation, function, effectiveness, and efficiency |
| Document | Record configuration, diagrams, approvals, and test data |
| Check Interoperability | Confirm no negative impact on other systems/network |
| Preserve Operations | Ensure the control does not block legitimate business activity |
| Train | Educate both end users and control administrators |
| Monitor | Continually verify function, performance, and effectiveness |
flowchart TD
Install[1. Install] --> Test[2. Test]
Test --> Document[3. Document]
Document --> Interop[4. Check Interoperability]
Interop --> Ops[5. Preserve Business Operations]
Ops --> Train[6. Train Users & Administrators]
Train --> Monitor[7. Monitor Continuously]
Monitor -.feedback loop.-> Test
Module 3 Recap
This module covered the implementation process itself: the key questions to answer about existing controls, gap analysis, and interoperability; how to integrate the CIS Controls with other governance frameworks such as HIPAA, PCI-DSS, NIST, and ISO (including mapping considerations and cross-mapping); a deeper look at CIS Benchmarks, CIS Hardened Images (available via AWS, Azure, GCP, and Oracle Cloud), and CIS Security Metrics (28 measurements across 7 business functions); and finally the concrete steps for implementation — install, test, document, check interoperability, preserve operations, train, and monitor.
Module 4: Maintaining and Assessing the CIS Controls
Implementing the CIS Controls is not the end of the story. Controls must be maintained and assessed on a continual basis, because the operating environment, technology, and threat landscape all change over time, affecting how effective a control remains.
Maintaining the CIS Controls
Maintaining the CIS Controls involves ongoing activity before, during, and after implementation:
- Plan and document — any change to a control (implementation, reconfiguration, replacement, removal) must be documented.
- Implement — sometimes controls are implemented once; sometimes a control is pulled out of service and replaced with another.
- Update and upgrade — technologies become obsolete. Legacy network devices may no longer meet security or compliance requirements or effectively reduce risk, requiring upgrades (e.g., updating encryption mechanisms to current standards).
- Patch — devices and applications require ongoing patching as new vulnerabilities and exploits are discovered daily. Constant monitoring for vulnerabilities associated with each control, followed by timely patching, is essential to avoid being caught by an unpatched zero-day.
- Assess — evaluate controls for continued effectiveness, proper function, risk reduction, and compliance (see next section).
Assessing vs. monitoring: Assessing typically involves a formal, “wall-to-wall” review of the controls. Monitoring means looking at controls on a day-to-day basis — tracking performance and function and correcting deficiencies as they arise.
flowchart TD
Maintain[Maintaining CIS Controls] --> Plan[Plan & Document Changes]
Maintain --> Implement[Re-implement / Replace as Needed]
Maintain --> Update[Update / Upgrade Obsolete Technology]
Maintain --> Patch[Patch Continuously]
Maintain --> Assess[Formally Assess Effectiveness]
Assess --> Monitor[Continuously Monitor Day-to-Day]
Monitor -.feeds back into.-> Plan
Assessing the CIS Controls
Assessment is necessary to track how well controls are performing their function, reducing risk, protecting assets, and ensuring compliance. There are three primary things being assessed:
| Aspect | What It Measures | How to Measure |
|---|---|---|
| Effectiveness | How well the control protects systems/data | Number of incidents tied to the control or its failure; number/severity of vulnerabilities the control should mitigate; performance/functional metrics (e.g., how much malicious software an anti-malware control detects vs. allows through) |
| Risk | Whether risk is going up or down because of the control | Compare risk levels with the control implemented vs. what risk would be if it were absent; evaluate whether strengthening or adding compensating controls reduces risk to an acceptable level |
| Compliance | Whether the organization meets governance requirements | Usually measured against a standard or regulatory requirement; in most cases, compliance is largely binary (compliant / not compliant), though some governance regimes allow for partial compliance |
Compliance, protection level, and risk reduction are three distinct aspects that must each be tracked, assessed, and monitored. A stronger control tends to satisfy all three; a weak or absent control satisfies none.
Four basic assessment methods (generally accepted across the security and risk community, applicable to the CIS Controls or any other control set):
| Method | Description |
|---|---|
| Interview key personnel | Talk to system administrators, systems engineers, risk practitioners, and others responsible for day-to-day maintenance. Ask how they feel the control is working, whether it’s difficult to use, and whether it reduces risk or protects assets. |
| Observe systems in operation | Watch the control functioning in real time (e.g., does an authentication mechanism properly prompt the user, obfuscate/encrypt the password, and correctly query the central authentication repository?). |
| Review documentation | Examine implementation details, network diagrams, architectures, scan results, and anything else documenting the control and its performance. |
| Perform technical testing | Vulnerability scans and/or penetration testing reveal configuration issues and actual performance for technical controls. |
flowchart TD
Assess[Assessing a Control] --> Eff[Effectiveness]
Assess --> Risk[Risk]
Assess --> Comp[Compliance]
Assess --> Method1[Interview Key Personnel]
Assess --> Method2[Observe Systems in Operation]
Assess --> Method3[Review Documentation]
Assess --> Method4[Perform Technical Testing]
Monitoring the CIS Controls
Monitoring is closely related to assessing but occurs on a fairly constant, consistent basis rather than at a formal point in time. Monitoring tracks:
- Control effectiveness — how well it does its job.
- Risk.
- Changes in the operating environment — companies grow, change markets, and change business missions/goals, all of which can affect how well controls perform.
- Changes in implemented technologies — technologies become obsolete/legacy and may no longer meet the changing threat environment.
- Changes in the threat environment — new threats and vulnerabilities emerge daily; “what worked yesterday may not work today.”
Monitoring techniques include day-to-day activities such as vulnerability assessments and log reviews, as well as periodic/repeated formal assessments such as penetration testing. Whenever the control, operating environment, or technology changes (e.g., through a patch or update), or when new threats/vulnerabilities are discovered, control documentation must be kept up to date.
| Aspect | Assessing | Monitoring |
|---|---|---|
| Frequency | Point-in-time, periodic (e.g., annual pen test) | Continuous / day-to-day |
| Scope | Formal, comprehensive review | Ongoing tracking of performance and function |
| Output | Formal report or assessment result | Ongoing corrections and documentation updates |
| Shared Goals | Effectiveness, risk reduction, compliance | Effectiveness, risk reduction, compliance |
flowchart LR
Env[Operating Environment Changes] --> Monitor[Continuous Monitoring]
Tech[Technology Changes] --> Monitor
Threat[Threat Landscape Changes] --> Monitor
Monitor --> Update[Update Controls /<br/>Documentation as Needed]
Update --> Assess[Periodic Formal Assessment]
Assess -.results feed back into.-> Monitor
Module 4 Recap
This module covered maintaining the CIS Controls (planning/documenting changes, re-implementation, updates/upgrades, patching), assessing the controls for effectiveness, risk, and compliance using four methods (interviews, observation, documentation review, and technical testing), and monitoring the controls continuously as the operating environment, technology, and threat landscape evolve.
Module 5: Case Study — Implementing the CIS Controls at Globomantics
This module applies everything covered so far to a practical scenario: how a fictional company, Globomantics, might plan, implement, and monitor a CIS Controls program.
Globomantics Company Profile and Security Issues
Company profile:
| Attribute | Detail |
|---|---|
| Industry | Manufacturer of automobile parts (e.g., door panels, electrical components) sold to various automobile manufacturers |
| Size | Medium-sized business |
| Locations | Several regional sales offices, warehouses, and two major production plants (geographically spread out) |
| Retail Presence | A few specialized retail outlet stores recently opened to sell directly to the public |
| Additional Facility | An on-site health clinic at headquarters providing basic healthcare services (shots, tests) to employees |
Current security posture:
- A typical perimeter infrastructure (firewalls, routers) exists, but with no ongoing control or support — it was configured by a third party that then walked away.
- Different operations use different levels of sensitive data, but there is no formal control structure.
- Encryption is used inconsistently; authentication mechanisms vary by worker type (warehouse, production plant, headquarters) with nothing formalized.
- No formal security program exists at all; a small IT shop at headquarters manages IT for all regional areas, but there is no CISO or dedicated cybersecurity role.
Triggering events:
- A recent, relatively small data breach — not personal data, but company-sensitive competitive data related to parts production.
- A recent unfavorable security audit, required by a customer, that identified deficiencies across the board.
Key security issues/dilemmas:
- No formal cybersecurity program, meaning no strategic or tactical direction.
- No formal control over infrastructure and no formal security controls.
- Multiple governance sources apply simultaneously:
- PCI-DSS — because retail stores process customer credit card transactions.
- HIPAA — because the on-site health clinic processes employee healthcare data.
- Inconsistent technology posture: some systems have encryption, some don’t; some operating systems are unsupported/legacy.
Why Globomantics needs the CIS Controls:
- Concern over further data loss following the recent breach.
- Concern over noncompliance with HIPAA and PCI-DSS, opening the door to civil or criminal liability.
- Need to establish a formal security controls program that protects data, ensures compliance, and reduces risk.
- The external auditor specifically recommended the CIS Controls because they are widely available, cost-effective, and interoperable with other governance frameworks such as HIPAA and PCI-DSS.
mindmap
root((Globomantics<br/>Security Issues))
No Formal Program
No CISO
No strategy
Uncontrolled Infrastructure
3rd-party set up, no support
Inconsistent encryption
Inconsistent auth
Multiple Governance Drivers
PCI-DSS - retail credit cards
HIPAA - onsite health clinic
Triggering Events
Small data breach
Unfavorable customer audit
Planning the CIS Control Implementation at Globomantics
Globomantics decided to adopt the CIS Controls, but several planning considerations apply, just as they would for any organization:
- Cost — how much will implementation cost, and how much budget is allocated?
- Urgency — should this happen quickly or gradually? What quick actions would meaningfully reduce risk before the full control set is in place?
- Difficulty — some controls require only configuration changes; others require new equipment or infrastructure redesign.
- Governance fit — how will the CIS Controls articulate with HIPAA and PCI-DSS requirements? Can the same controls satisfy multiple frameworks simultaneously?
Governance context specific to Globomantics:
- HIPAA — because of the free on-site healthcare clinic (a valued employee benefit), Globomantics must protect that healthcare data.
- PCI-DSS — because of credit card transactions at the new retail stores.
- Business contract requirements — some large automobile manufacturer customers contractually require secure data and systems, or they may stop doing business with Globomantics.
Globomantics’ implementation plan (after consulting internal staff and outside consultants):
- Implement IG1 first — the 56 basic controls that every organization needs, many of which are low-cost and effective.
- Assess risk after implementing IG1 to determine what areas still need focus and attention.
- Create a plan for IG2 and IG3, since those controls are more in-depth, detailed, and complex, and may require long-term planning and resource allocation.
- Continue to monitor risk and controls for the entire organization — including the IG1 controls just implemented, any pre-existing controls, and the residual risk from not yet implementing IG2/IG3.
- When resources and infrastructure allow, gradually implement IG2 and IG3, continuing to monitor controls and risk throughout to confirm effectiveness, compliance, and risk reduction.
flowchart TD
Decision[Decision: Adopt CIS Controls] --> Consider[Consider Cost, Urgency,<br/>Difficulty, Governance Fit]
Consider --> IG1Plan[Step 1: Implement IG1<br/>56 baseline controls]
IG1Plan --> AssessRisk[Step 2: Assess Risk]
AssessRisk --> IG23Plan[Step 3: Plan IG2 & IG3<br/>Long-term resource allocation]
IG23Plan --> Monitor1[Step 4: Continuously<br/>Monitor Risk & Controls]
Monitor1 --> Gradual[Step 5: Gradually Implement<br/>IG2 & IG3 as Resources Allow]
Gradual --> Monitor2[Continue Monitoring<br/>Throughout Lifecycle]
Implementing the CIS Controls at Globomantics
With a plan in place, Globomantics executes the implementation:
- Inventory all assets — critical business processes and the systems/data that support them. Knowing what assets exist is a prerequisite for applying controls to them.
- Assess existing risk — establish the starting point (current risk with current infrastructure) to determine the gap to the target state.
- Implement IG1 controls (the 56 core controls) across all assets, prioritizing the most critical and sensitive assets identified during the inventory, then working outward across the organization.
- Reassess risk after IG1 implementation — a recurring activity that must happen whenever the control set or infrastructure changes, evaluating control effectiveness, risk reduction, and compliance support.
- Plan and implement IG2 and IG3 as a longer-term initiative — requiring budget allocation, scheduling, potential network redesign, and accounting for downtime; controls are prioritized based on criticality.
- Continuously monitor risk throughout — both while implementing IG2/IG3 and after, tracking control effectiveness and risk reduction over the entire lifecycle.
sequenceDiagram
participant Org as Globomantics
participant Assets as Asset Inventory
participant Risk as Risk Assessment
participant IG1 as IG1 Controls
participant IG23 as IG2/IG3 Controls
Org->>Assets: Inventory critical processes, systems, and data
Org->>Risk: Assess existing risk (baseline)
Org->>IG1: Implement 56 basic controls<br/>(prioritized by criticality)
Org->>Risk: Reassess risk after IG1
Org->>IG23: Plan long-term rollout<br/>(budget, schedule, redesign)
Org->>IG23: Gradually implement IG2 & IG3
loop Continuous
Org->>Risk: Monitor effectiveness, risk, compliance
end
Monitoring the CIS Security Controls at Globomantics
Implementation does not end once controls are functioning, meeting governance, and reducing risk somewhat — ongoing monitoring is required from several perspectives:
- Monitor the implementation lifecycle end to end.
- Monitor control effectiveness — are assets actually being secured? This can be verified through vulnerability assessments and penetration testing.
- Monitor changes in risk — does risk increase or decrease due to the controls in place? Risk must be continually reassessed.
- Monitor changes in the operating environment — technology, business, and threat environments all evolve. Some technologies may become legacy and stop functioning well; the business/market/regulatory environment changes; and the threat landscape constantly produces new threats and vulnerabilities that must be addressed.
- Adapt controls as needed based on monitoring and risk evaluation results — updating, changing, or adding compensating controls whenever risk changes (whether increasing or decreasing) or when controls no longer meet protection requirements.
The overarching lesson: the control lifecycle does not end at implementation. It continues indefinitely as long as the organization maintains an effective security program.
flowchart TD
Monitor[Ongoing Monitoring at Globomantics] --> M1[Monitor Full<br/>Implementation Lifecycle]
Monitor --> M2[Monitor Control<br/>Effectiveness via Testing]
Monitor --> M3[Monitor Changes in Risk]
Monitor --> M4[Monitor Changes in<br/>Technology / Business / Threat Environment]
M2 --> Adapt[Adapt Controls as Needed]
M3 --> Adapt
M4 --> Adapt
Adapt -.ongoing cycle.-> Monitor
Module 5 Recap
This case study put the entire course into a real-world context: Globomantics, a mid-sized automobile parts manufacturer, faced a lack of a security program, an unfavorable audit, a small breach, and multiple governance drivers (HIPAA due to its on-site health clinic, and PCI-DSS due to retail credit card processing). The company planned carefully, chose to implement IG1 first, monitored risk and effectiveness, and gradually rolled out IG2 and IG3 as budget, resources, and infrastructure allowed — continuing to monitor control effectiveness, compliance, and risk reduction throughout the entire lifecycle.
Summary
The CIS Controls provide a practical, scalable, and widely adopted framework for securing an organization’s information assets. The key principles from this course are:
- Controls come in types (administrative, technical, physical) and functions (deterrent, preventative, detective, compensating, corrective, recovery) — understanding this vocabulary underpins how any control framework, including CIS, is discussed and applied.
- The CIS Controls originated from a 2008 NSA/community effort, passed through the SANS Top 20 and the Council on Cyber Security, and found a permanent home at the Center for Internet Security in 2015 — evolving through versions to the current version 8 (May 2021).
- Their three purposes are securing assets, ensuring compliance with governance, and reducing risk.
- They are organized into 18 control areas comprising 153 individual safeguards, distributed unevenly across three cumulative Implementation Groups: IG1 (56 controls — basic cyber hygiene for every organization), IG2 (130 cumulative controls — enterprise-scale), and IG3 (153 cumulative controls — advanced protection for highly sensitive data).
- Any organization — regardless of size, industry, or existing governance — can benefit from adopting the CIS Controls, and the controls map well to other frameworks such as HIPAA, PCI-DSS, NIST SP 800-53/800-171, the NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2, and the CSA Cloud Controls Matrix.
- CIS Benchmarks provide detailed, platform-specific configuration guidance (free as PDF, or as machine-readable XCCDF for CIS members), and are used to build CIS Hardened Images available through major cloud providers.
- CIS Security Metrics define 28 measurements across 7 security business functions to help organizations gauge control performance and cost effectiveness.
- Implementation requires more than installation — testing, documentation, interoperability checks, preserving business operations, training, and ongoing monitoring are all essential steps.
- Maintenance, assessment, and monitoring never stop. Controls must be continually assessed (effectiveness, risk, compliance) using interviews, observation, documentation review, and technical testing, and monitored day-to-day as the operating environment, technology, and threat landscape evolve.
- The Globomantics case study demonstrates a realistic, phased approach: inventory assets, assess baseline risk, implement IG1, reassess, plan and gradually roll out IG2/IG3, and monitor continuously — all while balancing multiple governance drivers such as HIPAA and PCI-DSS.
CIS Controls Quick-Reference Table
| # | Control Area | Total Safeguards | IG1 Notes |
|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | 5 | 2 controls in IG1 |
| 2 | Inventory and Control of Software Assets | 7 | 3 controls in IG1 |
| 3 | Data Protection | 14 | See CIS Controls Navigator |
| 4 | Secure Configuration of Enterprise Assets and Software | 12 | See CIS Controls Navigator |
| 5 | Account Management | 6 | See CIS Controls Navigator |
| 6 | Access Control Management | 8 | See CIS Controls Navigator |
| 7 | Continuous Vulnerability Management | 7 | See CIS Controls Navigator |
| 8 | Audit Log Management | 12 | See CIS Controls Navigator |
| 9 | Email and Web Browser Protections | 7 | See CIS Controls Navigator |
| 10 | Malware Defenses | 7 | See CIS Controls Navigator |
| 11 | Data Recovery | 5 | See CIS Controls Navigator |
| 12 | Network Infrastructure Management | 8 | See CIS Controls Navigator |
| 13 | Network Monitoring and Defense | 11 | 0 controls in IG1 |
| 14 | Security Awareness and Skills Training | 9 | See CIS Controls Navigator |
| 15 | Service Provider Management | 7 | See CIS Controls Navigator |
| 16 | Application Software Security | 14 | See CIS Controls Navigator |
| 17 | Incident Response Management | 9 | See CIS Controls Navigator |
| 18 | Penetration Testing | 5 | 0 controls in IG1 |
CIS Controls Implementation Checklist
- Understand the three control types (administrative, technical, physical) and six control functions (deterrent, preventative, detective, compensating, corrective, recovery).
- Identify current security posture and existing controls.
- Identify all applicable governance requirements (HIPAA, PCI-DSS, NIST, ISO, industry contracts, etc.).
- Inventory critical business processes and the assets (systems, data, equipment) that support them.
- Assign data sensitivity/criticality levels.
- Perform a baseline risk assessment before implementing any new controls.
- Prioritize and implement Implementation Group 1 (56 controls) first.
- Map existing controls to CIS Controls (and vice versa) to identify overlaps with other governance frameworks.
- Use CIS Benchmarks to securely configure operating systems, applications, and devices.
- Consider CIS Hardened Images for cloud deployments (AWS, Azure, GCP, Oracle Cloud).
- Install, test, document, and check interoperability for every new control.
- Train both end users and control administrators.
- Reassess risk after each implementation phase.
- Plan and gradually roll out IG2 (130 controls) and IG3 (153 controls) as resources and maturity allow.
- Track CIS Security Metrics across incident, vulnerability, patch, configuration, change, application security, and financial dimensions.
- Establish continual assessment (interviews, observation, documentation review, technical testing) and day-to-day monitoring processes.
- Update controls and documentation whenever the operating environment, technology, or threat landscape changes.
Search Terms
security · controls · cis · governance · risk · compliance · networking · systems · globomantics · control · planning · areas · assessing · benchmarks · groups · implement · maintaining · monitoring