Intermediate

Security Controls: The CIS Controls

security · controls · cis · governance · risk · compliance · networking · systems · globomantics · control · planning · areas · assessing · benchmarks · groups · implement · maintaining ·...

Table of Contents


Module 1: Understanding the CIS Controls

What Are Security Controls?

Security controls are measures or safeguards implemented to protect an organization’s information assets — its systems, data, equipment, facilities, people, and processes — from harm, danger, or malicious activity. Before examining the CIS Controls specifically, it is useful to review the general vocabulary used to classify controls, since this vocabulary recurs throughout the CIS Controls framework.

There are three basic control types commonly recognized in cybersecurity (note that different sources may categorize these slightly differently; the concepts below are a general framework):

Control TypeAlso Known AsTypical Examples
AdministrativeManagerial controlsPolicies, procedures, standards, guidelines
TechnicalLogical controlsFirewalls, encryption systems, authentication mechanisms
PhysicalOperational controlsChain-link fencing, guards, gates, CCTV systems, guard dogs

In addition to control type, controls are also classified by control function — what the control actually does to protect an asset:

Control FunctionDescriptionExample
DeterrentVisible controls meant to make a would-be attacker “think twice.” Deterrent controls are a subset of preventative controls.A visible CCTV camera
PreventativeStops a malicious act from occurring, whether or not the target is aware of the controlA firewall rule blocking access to a prohibited site — the user doesn’t need to know the rule exists for it to work
DetectiveIdentifies that a security event happenedAudit trails, intrusion detection alarms, network logs
CompensatingA substitute control used when a primary control fails or is otherwise unavailable, reducing risk even though it isn’t as strong as the primary controlBuilding a temporary wall when a storm damages a section of perimeter fencing and a full fence replacement isn’t immediately affordable
CorrectiveA short-term, temporary fix for an immediate security issue (in contrast to the more permanent compensating control)Posting a guard at a broken section of fence overnight until it can be repaired
RecoveryRestores the organization, facility, or asset to normal operations after an incident or disasterRestoring backed-up data to a server damaged during a disaster

These control functions can overlap. For example, a data backup could reasonably be classified as both a recovery control (it restores lost data) and a preventative control (it prevents permanent data loss). Rather than trying to force every control into a single, rigid function, treat these categories as descriptive labels that can apply in combination.

flowchart TD
    A[Security Control] --> B{Control Type}
    B --> B1[Administrative / Managerial<br/>Policies, procedures, standards]
    B --> B2[Technical / Logical<br/>Firewalls, encryption, auth]
    B --> B3[Physical / Operational<br/>Fencing, guards, CCTV]

    A --> C{Control Function}
    C --> C1[Deterrent<br/>Visible, discourages action]
    C --> C2[Preventative<br/>Stops the act from happening]
    C --> C3[Detective<br/>Identifies that it happened]
    C --> C4[Compensating<br/>Substitute when primary fails]
    C --> C5[Corrective<br/>Temporary immediate fix]
    C --> C6[Recovery<br/>Restores operations post-incident]

    C1 -.subset of.-> C2

What Are the CIS Controls?

The CIS Controls are a comprehensive set of security controls promoted by the Center for Internet Security (CIS) that organizations use to secure their information assets — systems, data, and more. The CIS Controls are one of two components of the CIS Best Security Practices; the other component is the CIS Benchmarks (covered later in this document).

Key facts about the CIS Controls:

  • They are designed to cover the most critical areas that organizations need to protect against malicious entities such as hackers.
  • They are designed to provide real security, not simply to “check a box” for compliance — although they can certainly support compliance efforts as well.
  • They are organized into 18 top-level control areas (e.g., inventorying assets).
  • Those 18 areas are broken down into 153 individual controls (also called safeguards).
  • The 153 safeguards are spread across three Implementation Groups (IGs), which prioritize and scale the controls according to an organization’s size and complexity (covered in depth in Module 2).
  • The current version at the time of this course is CIS Controls version 8, published in May 2021.
flowchart LR
    CIS[CIS Best Security Practices] --> Controls[CIS Controls<br/>18 Control Areas / 153 Safeguards]
    CIS --> Benchmarks[CIS Benchmarks<br/>Platform Configuration Guides]
    Controls --> IG1[Implementation Group 1]
    Controls --> IG2[Implementation Group 2]
    Controls --> IG3[Implementation Group 3]

Background and History of the CIS Controls

The CIS Critical Security Controls have an extensive history:

YearMilestone
2008Originally developed following compromises of U.S. government systems. The NSA, together with community supporters from both government and industry, developed the initial control set.
Handed over to the SANS Institute, which maintained, expanded, and revised them. They became popularly known in the security community as the SANS Top 20.
2013SANS handed the controls to the Council on Cyber Security.
2015The controls found their permanent home with the Center for Internet Security (CIS).
2019Version 7.1 introduced Implementation Groups, making the controls easier to prioritize, easier to implement for smaller organizations, and scalable.
2021 (May)Version 8 was released.
flowchart LR
    Y2008[2008<br/>NSA + community<br/>develop initial controls] --> SANS[SANS Institute<br/>SANS Top 20]
    SANS --> Y2013[2013<br/>Council on<br/>Cyber Security]
    Y2013 --> Y2015[2015<br/>Center for Internet<br/>Security - permanent home]
    Y2015 --> Y2019[2019<br/>v7.1<br/>Implementation Groups introduced]
    Y2019 --> Y2021[2021<br/>v8 released - May 2021]

The controls have evolved over time but have consistently maintained cutting-edge relevance to cybersecurity: as new threats emerge, the controls are updated to counter them.

Purpose of the CIS Controls

The CIS Controls serve three main purposes:

  1. Secure assets — protect data, systems, facilities, and people.
  2. Ensure compliance with governance — many governance vehicles (HIPAA, PCI-DSS, NIST, ISO, etc.) require organizations to secure data using a formalized control structure. Implementing the CIS Controls helps demonstrate compliance with those requirements.
  3. Reduce risk — without security controls, organizations don’t have visibility into their actual risk level (though it can be assumed to be high). Implementing safeguards reduces that risk.
flowchart TD
    Purpose[CIS Controls Purpose] --> P1[Secure Assets<br/>Systems, data, facilities, people]
    Purpose --> P2[Ensure Compliance<br/>HIPAA, PCI, NIST, ISO, etc.]
    Purpose --> P3[Reduce Risk<br/>Provide visibility and mitigation]

Even if an organization already operates under a different governance framework (such as HIPAA or NIST), the CIS Controls can complement — or in some cases substitute for — the controls required by those other frameworks.

CIS Control Concepts: Areas, Safeguards, and Implementation Groups

The CIS Controls are organized as follows:

  • 18 control areas (e.g., Data Protection, Account Management).
  • 153 individual controls (safeguards) spread across those 18 areas.
  • 3 Implementation Groups (IGs) that build on a base set of critical controls and progressively add more depth, detail, and security.

The Implementation Groups are cumulative:

Implementation GroupControls AddedCumulative Total
IG156 baseline controls56
IG2+74 additional controls130
IG3+23 additional controls153

In other words, to fully achieve IG2, an organization must implement all 56 IG1 controls plus the 74 additional IG2 controls. To fully achieve IG3, an organization must implement all 130 IG1+IG2 controls plus the 23 additional IG3 controls.

flowchart TD
    subgraph IG3["Implementation Group 3 (153 total)"]
        direction TB
        subgraph IG2["Implementation Group 2 (130 total)"]
            direction TB
            subgraph IG1["Implementation Group 1 (56 total)"]
                Base[56 Basic Cyber Hygiene Controls]
            end
            Add2[+74 Additional Controls]
        end
        Add3[+23 Additional Controls]
    end

We will cover the Implementation Groups in much greater depth in Module 2, including why they exist and how they apply to organizations of different sizes.

Who Should Implement the CIS Controls?

The CIS Controls are broadly applicable — they are not restricted to any particular type or size of organization:

  • Any size organization — small, medium, or large. Small organizations or those without dedicated security staff can benefit from implementing at minimum the 56 basic cyber hygiene controls in IG1.
  • Any organization with sensitive data — the controls become more detailed and in-depth as you move into IG3, designed to protect more sensitive data types. Any data of value to an organization can be considered sensitive.
  • Any organization with compliance requirements — the CIS control set maps closely to, and is frequently cross-mapped with, other control sets such as NIST and PCI-DSS. Organizations already using another framework can map their existing controls to CIS, or vice versa.
  • Any industry — government, government contractors, nonprofits, service businesses, manufacturing, and more. It does not matter what industry an organization is in; the CIS Controls are designed to protect systems and data broadly. Government agencies with NIST Framework requirements can still benefit, since CIS maps to those NIST requirements as well.
mindmap
  root((Who Benefits<br/>from CIS Controls))
    Organization Size
      Small
      Medium
      Large
    Data Sensitivity
      Any valuable data
      Highly sensitive data -> IG3
    Compliance Drivers
      HIPAA
      PCI-DSS
      NIST
      ISO/IEC 27001
    Industry
      Government / Contractors
      Nonprofits
      Service businesses
      Manufacturing

Module 1 Recap

This module covered the foundations of the CIS Controls: what they are, their history (from the 2008 NSA-driven origins through the SANS Top 20, the Council on Cyber Security, and their permanent home at CIS), their three purposes (securing assets, ensuring compliance, and reducing risk), and the basic control concepts — 18 control areas, 153 individual controls, and 3 cumulative Implementation Groups. It also covered which organizations should implement the controls: essentially any organization, regardless of size, industry, or existing governance requirements.


Module 2: Planning Your CIS Implementation

This module goes deeper into the design and construction of the CIS Controls, examines the Implementation Groups in more detail, introduces the CIS Benchmarks, and discusses the considerations involved in planning a CIS Controls implementation.

The 18 CIS Control Areas in Depth

As of version 8 (May 2021), the CIS Controls are organized into 18 control areas, spread across the three Implementation Groups. Importantly, the controls are not spread evenly across the IGs — some control areas have no representation at all in IG1. The individual controls within a single control area also vary in depth, detail, and implementation complexity; this variability is precisely why the Implementation Groups exist — to let organizations implement a basic, manageable set of controls regardless of size or available resources.

The 18 control areas and their total number of individual safeguards are:

#Control AreaTotal SafeguardsNotes from Narration
1Inventory and Control of Enterprise Assets5IG1: 2, IG2 adds 2 (cumulative 4), IG3 adds 1 (cumulative 5)
2Inventory and Control of Software Assets7IG1: 3, IG2 adds 3 (cumulative 6), IG3 adds 1 (cumulative 7)
3Data Protection14Distribution not itemized in this course — consult the CIS Controls Navigator for full per-safeguard IG mapping
4Secure Configuration of Enterprise Assets and Software12See note above
5Account Management6See note above
6Access Control Management8See note above
7Continuous Vulnerability Management7See note above
8Audit Log Management12See note above
9Email and Web Browser Protections7See note above
10Malware Defenses7Spread across all three IGs (used as an example area in this course)
11Data Recovery5See note above
12Network Infrastructure Management8See note above
13Network Monitoring and Defense11IG1: 0 — no controls in this area appear in IG1. IG2 adds 6, IG3 adds 5 more
14Security Awareness and Skills Training9See note above
15Service Provider Management7See note above
16Application Software Security14See note above
17Incident Response Management9See note above
18Penetration Testing5IG1: 0 — spread only across IG2 and IG3

Total: 153 individual safeguards across 18 control areas.

You do not need to memorize this exact distribution. CIS publishes a downloadable chart on the CIS Controls site showing the complete distribution of controls across the Implementation Groups. The important takeaway is that the distribution is uneven — some areas (like Network Monitoring and Defense, and Penetration Testing) have zero representation in IG1 because they typically require more mature security programs and dedicated resources to implement.

Each individual control (safeguard) within an area is numbered using a <area>.<safeguard> scheme — for example, safeguards 1.1, 1.2, 1.3, and so on within the “Inventory and Control of Enterprise Assets” area. Each safeguard also carries a name and an indicator of which Implementation Group(s) it belongs to.

flowchart TD
    CIS8[CIS Controls v8<br/>153 Safeguards] --> A1[1. Inventory & Control<br/>of Enterprise Assets - 5]
    CIS8 --> A2[2. Inventory & Control<br/>of Software Assets - 7]
    CIS8 --> A3[3. Data Protection - 14]
    CIS8 --> A4[4. Secure Configuration - 12]
    CIS8 --> A5[5. Account Management - 6]
    CIS8 --> A6[6. Access Control Management - 8]
    CIS8 --> A7[7. Continuous Vulnerability Mgmt - 7]
    CIS8 --> A8[8. Audit Log Management - 12]
    CIS8 --> A9[9. Email & Web Browser Protections - 7]
    CIS8 --> A10[10. Malware Defenses - 7]
    CIS8 --> A11[11. Data Recovery - 5]
    CIS8 --> A12[12. Network Infrastructure Mgmt - 8]
    CIS8 --> A13[13. Network Monitoring & Defense - 11]
    CIS8 --> A14[14. Security Awareness & Skills Training - 9]
    CIS8 --> A15[15. Service Provider Management - 7]
    CIS8 --> A16[16. Application Software Security - 14]
    CIS8 --> A17[17. Incident Response Management - 9]
    CIS8 --> A18[18. Penetration Testing - 5]

Understanding the Three Implementation Groups

Implementation Groups (IGs) were established with version 7.1. Their purpose is to allow the CIS Controls to be prioritized and scaled according to the needs and resources of the organization.

Implementation GroupDescriptionCumulative SafeguardsTarget Organization
IG1Basic cyber hygiene. The first 56 safeguards. Designed so that even a small organization with limited resources can implement them. Studies suggest these controls alone account for most of the security issues organizations face, and implementing them can significantly reduce risk.56Any organization, especially small organizations with limited resources — these are the minimum controls every organization should implement
IG2Adds 74 additional controls. Assists in managing security for enterprise-level IT infrastructure.130Medium to large companies with more mature security programs and greater resources
IG3Adds 23 additional safeguards above IG1+IG2.153 (all controls)Organizations with highly sensitive data to protect that want to be forward-thinking about preventing or mitigating advanced attacks

Because with 153 total safeguards a full implementation can seem daunting, the Implementation Groups let an organization prioritize and scale the rollout — starting, at minimum, with IG1.

An example of the kind of controls found only in IG3 (the 23 additional safeguards beyond IG1+IG2) includes things like:

  • Allow-listing of scripts
  • Use of data loss prevention (DLP) solutions
  • Application-layer filtering

These represent the advanced depth, detail, and complexity expected of a mature organization with a large, dedicated IT and cybersecurity staff — capabilities a smaller organization with only one or two IT staff may not be able to support.

flowchart LR
    Org1[Small Organization<br/>Limited resources] --> IG1[IG1: 56 Controls<br/>Basic Cyber Hygiene]
    Org2[Medium/Large Organization<br/>Enterprise IT infrastructure] --> IG2[IG2: 130 Controls<br/>IG1 + 74 additional]
    Org3[Organization with<br/>Highly Sensitive Data] --> IG3[IG3: 153 Controls<br/>IG1 + IG2 + 23 additional]

    IG1 -.baseline for.-> IG2
    IG2 -.baseline for.-> IG3

Using the CIS Benchmarks

The CIS Benchmarks are configuration guides for specific platforms — operating systems (Windows, Linux, and older OS versions), applications, and devices. They complement the CIS Controls by telling you exactly how to configure a system securely.

Key facts:

  • Available for free as PDF documents.
  • CIS members can obtain them in machine-readable formats such as XCCDF, enabling automated configuration and assessment.
  • Can be applied manually or through automated scripting.
  • Used to build CIS Hardened Images — pre-built, securely configured virtual machine images (covered further in Module 3).

Walkthrough example — CIS Benchmark for Microsoft Windows 10 Enterprise, Password Policy:

The benchmark’s table of contents lists configuration categories such as Password Policy, Account Lockout Policy, and Local Policies. Drilling into a specific setting shows the following structure:

FieldExample Content
SettingEnsure Minimum password length is set to 14 or more character(s)
DescriptionExplanation of what the setting does and why it matters
NotesAdditional context or caveats
RemediationThe exact steps to configure the setting
Registry/GPO PathComputer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
Default Value7 characters on domain members, 0 characters on standalone servers
Recommended Value14 characters
Mapped ControlReference to the corresponding CIS Control/safeguard

Manually applying every benchmark setting this way would be a long, cumbersome process for an entire operating system — which is why automated tooling (via the XCCDF format or third-party products) is the recommended approach for larger-scale deployments.

flowchart TD
    Bench[CIS Benchmark] --> Format{Available Format}
    Format -->|Free| PDF[PDF Document]
    Format -->|CIS Membership| XCCDF[XCCDF / Machine-Readable]
    PDF --> Manual[Manual Configuration]
    XCCDF --> Auto[Automated Configuration<br/>via Scripts / Tools]
    Manual --> Hardened[Securely Configured System]
    Auto --> Hardened
    Hardened --> Images[Used to Build<br/>CIS Hardened Images]

Planning the CIS Control Implementation

Before implementing the CIS Controls, an organization should ask itself several key questions and consider a set of planning strategies.

Key planning questions:

  • What is our current security posture? Do we have effective, risk-reducing controls in place already?
  • Do we need additional resources (money, qualified personnel, equipment)? (Almost every organization does.)
  • What are our governance requirements — HIPAA, PCI-DSS, NIST RMF, or others?
  • Have we inventoried our business processes — the critical processes, and the systems, equipment, and information that support them?
  • What are our data sensitivity requirements? Have sensitivity/criticality levels been assigned to systems and data supporting critical business processes?

Recommended implementation strategies:

  1. Start with IG1. These are the basic cyber hygiene controls that every organization needs, regardless of size or resources — get these “quick wins” implemented first.
  2. Prioritize by speed and effectiveness. Distinguish “quick wins” (e.g., removing unnecessary administrative privileges from users, which costs no money though it may cause user friction) from higher-cost, higher-effort controls (e.g., purchasing and configuring new equipment, requiring dedicated qualified staff).
  3. Mitigate what you can’t fully implement. If a specific control cannot be implemented, consider strengthening other controls or adding compensating controls to reduce the associated risk instead of simply accepting the gap.
  4. Leverage existing governance frameworks. If under mandatory governance (HIPAA, PCI-DSS, etc.), leverage controls you already have in place, and map them to the CIS Controls (or vice versa) rather than duplicating work.
flowchart TD
    Start([Begin Planning]) --> Q1{Current Security<br/>Posture?}
    Q1 --> Q2{Governance<br/>Requirements?}
    Q2 --> Q3{Business Processes<br/>Inventoried?}
    Q3 --> Q4{Data Sensitivity<br/>Assigned?}
    Q4 --> S1[Strategy: Implement IG1 First]
    S1 --> S2[Strategy: Prioritize Quick Wins<br/>vs. High-Cost Controls]
    S2 --> S3{Can Every Control<br/>Be Implemented?}
    S3 -->|No| S3a[Add Compensating Controls<br/>to Mitigate Risk]
    S3 -->|Yes| S4[Leverage Existing<br/>Governance Frameworks]
    S3a --> S4
    S4 --> Done([Proceed to Implementation])

Module 2 Recap

This module examined the 18 control areas and how the 153 total controls are distributed — unevenly — across the three Implementation Groups. It covered the purpose of IG1 (basic cyber hygiene, mandatory baseline), IG2 (enterprise-scale controls), and IG3 (advanced protection for highly sensitive data). It also introduced the CIS Benchmarks as configuration guides for securing platforms like Windows and Linux, and closed with planning considerations and strategies — including starting with IG1, prioritizing quick wins, using compensating controls where needed, and leveraging existing governance frameworks.


Module 3: Implementing the CIS Controls

The Implementation Process and Key Questions

Implementation is a critical step that follows planning, but even careful planning will not anticipate every issue — implementation rarely proceeds exactly according to plan.

During implementation, two overarching concerns must be addressed:

  • Security AND privacy — controls must protect not just data broadly, but the privacy of personal, health, and financial data over which individuals have rights.
  • The specific security objective the control targets:
    • Confidentiality → access controls, rights, permissions, privileges, encryption
    • Integrity → integrity-checking mechanisms, hashing
    • Availability → redundancy, backups

Key questions to ask before/during implementation:

  • Which controls are already in place? Can any existing controls (e.g., an existing firewall, network security device, or application-level encryption) be leveraged to fulfill CIS or other governance requirements? Are they sufficient?
  • Which controls have yet to be implemented? Is there a prioritized list and implementation order?
  • How effective are existing controls? Was risk or effectiveness assessed beforehand, to understand the gap between current and target state?
  • How will new controls be implemented on existing systems? Are they interoperable with other components? Do other system components need upgrading (e.g., changing an encryption algorithm supported network-wide)?

Implementation approach:

  1. Determine which controls are already in place and to what extent, and how well they are functioning.
  2. Perform a gap analysis — the difference between current state and target state.
  3. Evaluate functionality: interoperability with other components, cost, effectiveness, and the type/amount of risk reduced.
flowchart TD
    Plan([Planning Complete]) --> Existing{Controls Already<br/>in Place?}
    Existing -->|Yes| Leverage[Assess Sufficiency<br/>Leverage Existing Control]
    Existing -->|No| ToDo[Add to Prioritized<br/>Implementation List]
    Leverage --> Gap[Perform Gap Analysis]
    ToDo --> Gap
    Gap --> Eval[Evaluate: Interoperability,<br/>Cost, Effectiveness, Risk Reduction]
    Eval --> Install[Proceed to Installation]

Integrating CIS Controls with Other Governance Frameworks

Many organizations manage multiple types of sensitive data, some of which is regulated by law, requiring integration of the CIS Controls with other governance or control frameworks.

Regulatory vs. voluntary frameworks:

TypeDescriptionExamples
RegulatoryImposed by laws/regulations, typically tied to a data typeHIPAA (healthcare data)
VoluntaryChosen by the organizationPCI-DSS (though effectively mandatory for card processors), NIST SP 800-53, ISO/IEC 27001

Requirements for using a specific framework can come from:

  • Governance imposed by law or regulation.
  • Industry requirements — e.g., the automotive industry may require its suppliers/partners to meet a specific control framework to do business.
  • Data type processed — e.g., processing credit card transactions triggers PCI-DSS; processing healthcare data triggers HIPAA.

How CIS deals with other frameworks:

  • Some frameworks require a specific control set (e.g., PCI-DSS for card transactions).
  • Some frameworks recommend but do not require a control set — HIPAA has data protection requirements (security and privacy rules) but does not mandate a specific control set; it strongly recommends NIST controls, but the CIS Controls can satisfy HIPAA requirements in most cases.
  • Control sets are broadly similar because they cover the same fundamental security requirements (e.g., password complexity appears in CIS, NIST, HIPAA, PCI-DSS, and ISO alike), which makes cross-mapping feasible.

Mapping considerations:

  • Mappings are not always one-to-one — a single control in one framework may cover several controls in another (one-to-many or many-to-one).
  • Mappings are useful when an organization already has a control set in place but must demonstrate equivalent compliance with a different framework, or when it must comply with multiple frameworks simultaneously (e.g., HIPAA + PCI-DSS + NIST + ISO).

Process for using mappings:

  1. Determine the baseline control set/framework in use.
  2. Inventory and document existing controls (e.g., account management, password complexity).
  3. Use mappings (to or from CIS) to determine how equivalent the existing controls are — is it one-to-one, one-to-many, or many-to-one?
  4. Document the specifics of the mapping, including coverage depth and any shortfalls, so that gaps are visible.

CIS publishes mappings for numerous frameworks, including:

Framework
HIPAA
NIST SP 800-171
NIST SP 800-53
NIST Cybersecurity Framework (CSF)
PCI-DSS
SOC 2
CSA Cloud Controls Matrix

In some cases, cross-mapping is required — e.g., mapping CIS to NIST SP 800-53, which in turn maps to ISO controls, achieving an indirect mapping between CIS and ISO.

Example: CIS-to-HIPAA mapping spreadsheet columns

FieldExample
CIS ControlControl area name
Safeguard Numbere.g., 3.11
Asset Typee.g., Data
Security Functione.g., Protect
TitleSafeguard title
DescriptionSafeguard description
Relationshipe.g., Superset — the CIS control covers more than one HIPAA control
HIPAA ControlThe mapped HIPAA control reference
HIPAA TitleMapped control’s title
HIPAA DescriptionMapped control’s description
flowchart TD
    Baseline[Determine Baseline<br/>Framework in Use] --> Inventory[Inventory & Document<br/>Existing Controls]
    Inventory --> MapType{Mapping Type}
    MapType --> OneToOne[One-to-One]
    MapType --> OneToMany[One-to-Many]
    MapType --> ManyToOne[Many-to-One]
    OneToOne --> Document[Document Coverage<br/>and Shortfalls]
    OneToMany --> Document
    ManyToOne --> Document
    Document --> Cross{Cross-Mapping<br/>Needed?}
    Cross -->|Yes, e.g. CIS to NIST 800-53 to ISO| Indirect[Perform Indirect Mapping]
    Cross -->|No| Direct[Use Direct Mapping]

Using the CIS Benchmarks, Hardened Images, and Security Metrics

CIS Benchmarks (recap and expansion): recommended configuration settings for operating systems, applications, and devices. Available for Windows (including older versions), various Linux distributions (CentOS, Red Hat, etc.), and select applications. Free as PDF; XCCDF and other machine-readable formats available to CIS members for automation. Many third-party tools — including some published by CIS itself — accept these benchmarks to configure and assess assets.

CIS Hardened Images: virtual machine images that are pre-configured according to the CIS Benchmarks, covering various operating systems and applications. Available through major cloud infrastructure providers, including AWS, Azure, Google Cloud Platform, and Oracle Cloud, and can be downloaded or run directly in the cloud. Includes various Linux distributions and Microsoft Windows Server distributions.

CIS Security Metrics: CIS publishes documentation and guidance to help organizations assess security performance across business areas. This guidance defines 28 measurements across 7 security business functions:

Security Business Function
Incident Management
Vulnerability Management
Patch Management
Configuration Management
Change Management
Application Security
Financial Metrics (cost effectiveness of the CIS Controls implementation)

Sample metrics published by CIS:

Metric
Cost of incidents
Mean time to incident recovery
Mean time to mitigate vulnerabilities
Mean time to patch
Percentage of configuration compliance
Percent of changes with security exceptions
Security testing coverage
IT security budget allocation
flowchart LR
    Benchmarks[CIS Benchmarks] --> HardenedImages[CIS Hardened Images<br/>Pre-configured VM images]
    HardenedImages --> Cloud1[AWS]
    HardenedImages --> Cloud2[Azure]
    HardenedImages --> Cloud3[Google Cloud Platform]
    HardenedImages --> Cloud4[Oracle Cloud]

    Metrics[CIS Security Metrics<br/>28 measurements / 7 functions] --> M1[Incident Management]
    Metrics --> M2[Vulnerability Management]
    Metrics --> M3[Patch Management]
    Metrics --> M4[Configuration Management]
    Metrics --> M5[Change Management]
    Metrics --> M6[Application Security]
    Metrics --> M7[Financial Metrics]

Steps to Implement the CIS Controls

Beyond planning and the questions discussed above, a set of concrete implementation steps helps ensure success:

  1. Install the control — put it into operation, whether it is a network device, software program, security mechanism, physical control, or security policy.
  2. Test the control — confirm it was installed correctly, that it functions as intended, and that it is effective (does its job to the expected performance level) as well as efficient (doesn’t consume excessive time, power, or staff effort relative to its benefit).
  3. Document the control — configuration items, diagrams, installation notes, management/change-control-board approvals, and pre-implementation test data. Documentation is critical before, during, and after installation.
  4. Check interoperability — is the control causing problems with other systems? Excessive network traffic or bandwidth consumption? Are encryption and authentication mechanisms understood by all other devices on the network?
  5. Ensure the control does not interfere with operations — an overly restrictive control that blocks legitimate access or authentication needs to be tuned; remember that “the business of the business is business,” not security for its own sake.
  6. Train users on new controls (e.g., a new secure email encryption workflow) and train the staff responsible for managing/maintaining the control (e.g., configuring and maintaining firewall rule sets).
  7. Monitor the control on an ongoing basis for function, performance, and effectiveness (covered in depth in Module 4).
StepPurpose
InstallPut the control into operation
TestVerify correct installation, function, effectiveness, and efficiency
DocumentRecord configuration, diagrams, approvals, and test data
Check InteroperabilityConfirm no negative impact on other systems/network
Preserve OperationsEnsure the control does not block legitimate business activity
TrainEducate both end users and control administrators
MonitorContinually verify function, performance, and effectiveness
flowchart TD
    Install[1. Install] --> Test[2. Test]
    Test --> Document[3. Document]
    Document --> Interop[4. Check Interoperability]
    Interop --> Ops[5. Preserve Business Operations]
    Ops --> Train[6. Train Users & Administrators]
    Train --> Monitor[7. Monitor Continuously]
    Monitor -.feedback loop.-> Test

Module 3 Recap

This module covered the implementation process itself: the key questions to answer about existing controls, gap analysis, and interoperability; how to integrate the CIS Controls with other governance frameworks such as HIPAA, PCI-DSS, NIST, and ISO (including mapping considerations and cross-mapping); a deeper look at CIS Benchmarks, CIS Hardened Images (available via AWS, Azure, GCP, and Oracle Cloud), and CIS Security Metrics (28 measurements across 7 business functions); and finally the concrete steps for implementation — install, test, document, check interoperability, preserve operations, train, and monitor.


Module 4: Maintaining and Assessing the CIS Controls

Implementing the CIS Controls is not the end of the story. Controls must be maintained and assessed on a continual basis, because the operating environment, technology, and threat landscape all change over time, affecting how effective a control remains.

Maintaining the CIS Controls

Maintaining the CIS Controls involves ongoing activity before, during, and after implementation:

  • Plan and document — any change to a control (implementation, reconfiguration, replacement, removal) must be documented.
  • Implement — sometimes controls are implemented once; sometimes a control is pulled out of service and replaced with another.
  • Update and upgrade — technologies become obsolete. Legacy network devices may no longer meet security or compliance requirements or effectively reduce risk, requiring upgrades (e.g., updating encryption mechanisms to current standards).
  • Patch — devices and applications require ongoing patching as new vulnerabilities and exploits are discovered daily. Constant monitoring for vulnerabilities associated with each control, followed by timely patching, is essential to avoid being caught by an unpatched zero-day.
  • Assess — evaluate controls for continued effectiveness, proper function, risk reduction, and compliance (see next section).

Assessing vs. monitoring: Assessing typically involves a formal, “wall-to-wall” review of the controls. Monitoring means looking at controls on a day-to-day basis — tracking performance and function and correcting deficiencies as they arise.

flowchart TD
    Maintain[Maintaining CIS Controls] --> Plan[Plan & Document Changes]
    Maintain --> Implement[Re-implement / Replace as Needed]
    Maintain --> Update[Update / Upgrade Obsolete Technology]
    Maintain --> Patch[Patch Continuously]
    Maintain --> Assess[Formally Assess Effectiveness]
    Assess --> Monitor[Continuously Monitor Day-to-Day]
    Monitor -.feeds back into.-> Plan

Assessing the CIS Controls

Assessment is necessary to track how well controls are performing their function, reducing risk, protecting assets, and ensuring compliance. There are three primary things being assessed:

AspectWhat It MeasuresHow to Measure
EffectivenessHow well the control protects systems/dataNumber of incidents tied to the control or its failure; number/severity of vulnerabilities the control should mitigate; performance/functional metrics (e.g., how much malicious software an anti-malware control detects vs. allows through)
RiskWhether risk is going up or down because of the controlCompare risk levels with the control implemented vs. what risk would be if it were absent; evaluate whether strengthening or adding compensating controls reduces risk to an acceptable level
ComplianceWhether the organization meets governance requirementsUsually measured against a standard or regulatory requirement; in most cases, compliance is largely binary (compliant / not compliant), though some governance regimes allow for partial compliance

Compliance, protection level, and risk reduction are three distinct aspects that must each be tracked, assessed, and monitored. A stronger control tends to satisfy all three; a weak or absent control satisfies none.

Four basic assessment methods (generally accepted across the security and risk community, applicable to the CIS Controls or any other control set):

MethodDescription
Interview key personnelTalk to system administrators, systems engineers, risk practitioners, and others responsible for day-to-day maintenance. Ask how they feel the control is working, whether it’s difficult to use, and whether it reduces risk or protects assets.
Observe systems in operationWatch the control functioning in real time (e.g., does an authentication mechanism properly prompt the user, obfuscate/encrypt the password, and correctly query the central authentication repository?).
Review documentationExamine implementation details, network diagrams, architectures, scan results, and anything else documenting the control and its performance.
Perform technical testingVulnerability scans and/or penetration testing reveal configuration issues and actual performance for technical controls.
flowchart TD
    Assess[Assessing a Control] --> Eff[Effectiveness]
    Assess --> Risk[Risk]
    Assess --> Comp[Compliance]

    Assess --> Method1[Interview Key Personnel]
    Assess --> Method2[Observe Systems in Operation]
    Assess --> Method3[Review Documentation]
    Assess --> Method4[Perform Technical Testing]

Monitoring the CIS Controls

Monitoring is closely related to assessing but occurs on a fairly constant, consistent basis rather than at a formal point in time. Monitoring tracks:

  • Control effectiveness — how well it does its job.
  • Risk.
  • Changes in the operating environment — companies grow, change markets, and change business missions/goals, all of which can affect how well controls perform.
  • Changes in implemented technologies — technologies become obsolete/legacy and may no longer meet the changing threat environment.
  • Changes in the threat environment — new threats and vulnerabilities emerge daily; “what worked yesterday may not work today.”

Monitoring techniques include day-to-day activities such as vulnerability assessments and log reviews, as well as periodic/repeated formal assessments such as penetration testing. Whenever the control, operating environment, or technology changes (e.g., through a patch or update), or when new threats/vulnerabilities are discovered, control documentation must be kept up to date.

AspectAssessingMonitoring
FrequencyPoint-in-time, periodic (e.g., annual pen test)Continuous / day-to-day
ScopeFormal, comprehensive reviewOngoing tracking of performance and function
OutputFormal report or assessment resultOngoing corrections and documentation updates
Shared GoalsEffectiveness, risk reduction, complianceEffectiveness, risk reduction, compliance
flowchart LR
    Env[Operating Environment Changes] --> Monitor[Continuous Monitoring]
    Tech[Technology Changes] --> Monitor
    Threat[Threat Landscape Changes] --> Monitor
    Monitor --> Update[Update Controls /<br/>Documentation as Needed]
    Update --> Assess[Periodic Formal Assessment]
    Assess -.results feed back into.-> Monitor

Module 4 Recap

This module covered maintaining the CIS Controls (planning/documenting changes, re-implementation, updates/upgrades, patching), assessing the controls for effectiveness, risk, and compliance using four methods (interviews, observation, documentation review, and technical testing), and monitoring the controls continuously as the operating environment, technology, and threat landscape evolve.


Module 5: Case Study — Implementing the CIS Controls at Globomantics

This module applies everything covered so far to a practical scenario: how a fictional company, Globomantics, might plan, implement, and monitor a CIS Controls program.

Globomantics Company Profile and Security Issues

Company profile:

AttributeDetail
IndustryManufacturer of automobile parts (e.g., door panels, electrical components) sold to various automobile manufacturers
SizeMedium-sized business
LocationsSeveral regional sales offices, warehouses, and two major production plants (geographically spread out)
Retail PresenceA few specialized retail outlet stores recently opened to sell directly to the public
Additional FacilityAn on-site health clinic at headquarters providing basic healthcare services (shots, tests) to employees

Current security posture:

  • A typical perimeter infrastructure (firewalls, routers) exists, but with no ongoing control or support — it was configured by a third party that then walked away.
  • Different operations use different levels of sensitive data, but there is no formal control structure.
  • Encryption is used inconsistently; authentication mechanisms vary by worker type (warehouse, production plant, headquarters) with nothing formalized.
  • No formal security program exists at all; a small IT shop at headquarters manages IT for all regional areas, but there is no CISO or dedicated cybersecurity role.

Triggering events:

  • A recent, relatively small data breach — not personal data, but company-sensitive competitive data related to parts production.
  • A recent unfavorable security audit, required by a customer, that identified deficiencies across the board.

Key security issues/dilemmas:

  • No formal cybersecurity program, meaning no strategic or tactical direction.
  • No formal control over infrastructure and no formal security controls.
  • Multiple governance sources apply simultaneously:
    • PCI-DSS — because retail stores process customer credit card transactions.
    • HIPAA — because the on-site health clinic processes employee healthcare data.
  • Inconsistent technology posture: some systems have encryption, some don’t; some operating systems are unsupported/legacy.

Why Globomantics needs the CIS Controls:

  • Concern over further data loss following the recent breach.
  • Concern over noncompliance with HIPAA and PCI-DSS, opening the door to civil or criminal liability.
  • Need to establish a formal security controls program that protects data, ensures compliance, and reduces risk.
  • The external auditor specifically recommended the CIS Controls because they are widely available, cost-effective, and interoperable with other governance frameworks such as HIPAA and PCI-DSS.
mindmap
  root((Globomantics<br/>Security Issues))
    No Formal Program
      No CISO
      No strategy
    Uncontrolled Infrastructure
      3rd-party set up, no support
      Inconsistent encryption
      Inconsistent auth
    Multiple Governance Drivers
      PCI-DSS - retail credit cards
      HIPAA - onsite health clinic
    Triggering Events
      Small data breach
      Unfavorable customer audit

Planning the CIS Control Implementation at Globomantics

Globomantics decided to adopt the CIS Controls, but several planning considerations apply, just as they would for any organization:

  • Cost — how much will implementation cost, and how much budget is allocated?
  • Urgency — should this happen quickly or gradually? What quick actions would meaningfully reduce risk before the full control set is in place?
  • Difficulty — some controls require only configuration changes; others require new equipment or infrastructure redesign.
  • Governance fit — how will the CIS Controls articulate with HIPAA and PCI-DSS requirements? Can the same controls satisfy multiple frameworks simultaneously?

Governance context specific to Globomantics:

  • HIPAA — because of the free on-site healthcare clinic (a valued employee benefit), Globomantics must protect that healthcare data.
  • PCI-DSS — because of credit card transactions at the new retail stores.
  • Business contract requirements — some large automobile manufacturer customers contractually require secure data and systems, or they may stop doing business with Globomantics.

Globomantics’ implementation plan (after consulting internal staff and outside consultants):

  1. Implement IG1 first — the 56 basic controls that every organization needs, many of which are low-cost and effective.
  2. Assess risk after implementing IG1 to determine what areas still need focus and attention.
  3. Create a plan for IG2 and IG3, since those controls are more in-depth, detailed, and complex, and may require long-term planning and resource allocation.
  4. Continue to monitor risk and controls for the entire organization — including the IG1 controls just implemented, any pre-existing controls, and the residual risk from not yet implementing IG2/IG3.
  5. When resources and infrastructure allow, gradually implement IG2 and IG3, continuing to monitor controls and risk throughout to confirm effectiveness, compliance, and risk reduction.
flowchart TD
    Decision[Decision: Adopt CIS Controls] --> Consider[Consider Cost, Urgency,<br/>Difficulty, Governance Fit]
    Consider --> IG1Plan[Step 1: Implement IG1<br/>56 baseline controls]
    IG1Plan --> AssessRisk[Step 2: Assess Risk]
    AssessRisk --> IG23Plan[Step 3: Plan IG2 & IG3<br/>Long-term resource allocation]
    IG23Plan --> Monitor1[Step 4: Continuously<br/>Monitor Risk & Controls]
    Monitor1 --> Gradual[Step 5: Gradually Implement<br/>IG2 & IG3 as Resources Allow]
    Gradual --> Monitor2[Continue Monitoring<br/>Throughout Lifecycle]

Implementing the CIS Controls at Globomantics

With a plan in place, Globomantics executes the implementation:

  1. Inventory all assets — critical business processes and the systems/data that support them. Knowing what assets exist is a prerequisite for applying controls to them.
  2. Assess existing risk — establish the starting point (current risk with current infrastructure) to determine the gap to the target state.
  3. Implement IG1 controls (the 56 core controls) across all assets, prioritizing the most critical and sensitive assets identified during the inventory, then working outward across the organization.
  4. Reassess risk after IG1 implementation — a recurring activity that must happen whenever the control set or infrastructure changes, evaluating control effectiveness, risk reduction, and compliance support.
  5. Plan and implement IG2 and IG3 as a longer-term initiative — requiring budget allocation, scheduling, potential network redesign, and accounting for downtime; controls are prioritized based on criticality.
  6. Continuously monitor risk throughout — both while implementing IG2/IG3 and after, tracking control effectiveness and risk reduction over the entire lifecycle.
sequenceDiagram
    participant Org as Globomantics
    participant Assets as Asset Inventory
    participant Risk as Risk Assessment
    participant IG1 as IG1 Controls
    participant IG23 as IG2/IG3 Controls

    Org->>Assets: Inventory critical processes, systems, and data
    Org->>Risk: Assess existing risk (baseline)
    Org->>IG1: Implement 56 basic controls<br/>(prioritized by criticality)
    Org->>Risk: Reassess risk after IG1
    Org->>IG23: Plan long-term rollout<br/>(budget, schedule, redesign)
    Org->>IG23: Gradually implement IG2 & IG3
    loop Continuous
        Org->>Risk: Monitor effectiveness, risk, compliance
    end

Monitoring the CIS Security Controls at Globomantics

Implementation does not end once controls are functioning, meeting governance, and reducing risk somewhat — ongoing monitoring is required from several perspectives:

  • Monitor the implementation lifecycle end to end.
  • Monitor control effectiveness — are assets actually being secured? This can be verified through vulnerability assessments and penetration testing.
  • Monitor changes in risk — does risk increase or decrease due to the controls in place? Risk must be continually reassessed.
  • Monitor changes in the operating environment — technology, business, and threat environments all evolve. Some technologies may become legacy and stop functioning well; the business/market/regulatory environment changes; and the threat landscape constantly produces new threats and vulnerabilities that must be addressed.
  • Adapt controls as needed based on monitoring and risk evaluation results — updating, changing, or adding compensating controls whenever risk changes (whether increasing or decreasing) or when controls no longer meet protection requirements.

The overarching lesson: the control lifecycle does not end at implementation. It continues indefinitely as long as the organization maintains an effective security program.

flowchart TD
    Monitor[Ongoing Monitoring at Globomantics] --> M1[Monitor Full<br/>Implementation Lifecycle]
    Monitor --> M2[Monitor Control<br/>Effectiveness via Testing]
    Monitor --> M3[Monitor Changes in Risk]
    Monitor --> M4[Monitor Changes in<br/>Technology / Business / Threat Environment]
    M2 --> Adapt[Adapt Controls as Needed]
    M3 --> Adapt
    M4 --> Adapt
    Adapt -.ongoing cycle.-> Monitor

Module 5 Recap

This case study put the entire course into a real-world context: Globomantics, a mid-sized automobile parts manufacturer, faced a lack of a security program, an unfavorable audit, a small breach, and multiple governance drivers (HIPAA due to its on-site health clinic, and PCI-DSS due to retail credit card processing). The company planned carefully, chose to implement IG1 first, monitored risk and effectiveness, and gradually rolled out IG2 and IG3 as budget, resources, and infrastructure allowed — continuing to monitor control effectiveness, compliance, and risk reduction throughout the entire lifecycle.


Summary

The CIS Controls provide a practical, scalable, and widely adopted framework for securing an organization’s information assets. The key principles from this course are:

  • Controls come in types (administrative, technical, physical) and functions (deterrent, preventative, detective, compensating, corrective, recovery) — understanding this vocabulary underpins how any control framework, including CIS, is discussed and applied.
  • The CIS Controls originated from a 2008 NSA/community effort, passed through the SANS Top 20 and the Council on Cyber Security, and found a permanent home at the Center for Internet Security in 2015 — evolving through versions to the current version 8 (May 2021).
  • Their three purposes are securing assets, ensuring compliance with governance, and reducing risk.
  • They are organized into 18 control areas comprising 153 individual safeguards, distributed unevenly across three cumulative Implementation Groups: IG1 (56 controls — basic cyber hygiene for every organization), IG2 (130 cumulative controls — enterprise-scale), and IG3 (153 cumulative controls — advanced protection for highly sensitive data).
  • Any organization — regardless of size, industry, or existing governance — can benefit from adopting the CIS Controls, and the controls map well to other frameworks such as HIPAA, PCI-DSS, NIST SP 800-53/800-171, the NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2, and the CSA Cloud Controls Matrix.
  • CIS Benchmarks provide detailed, platform-specific configuration guidance (free as PDF, or as machine-readable XCCDF for CIS members), and are used to build CIS Hardened Images available through major cloud providers.
  • CIS Security Metrics define 28 measurements across 7 security business functions to help organizations gauge control performance and cost effectiveness.
  • Implementation requires more than installation — testing, documentation, interoperability checks, preserving business operations, training, and ongoing monitoring are all essential steps.
  • Maintenance, assessment, and monitoring never stop. Controls must be continually assessed (effectiveness, risk, compliance) using interviews, observation, documentation review, and technical testing, and monitored day-to-day as the operating environment, technology, and threat landscape evolve.
  • The Globomantics case study demonstrates a realistic, phased approach: inventory assets, assess baseline risk, implement IG1, reassess, plan and gradually roll out IG2/IG3, and monitor continuously — all while balancing multiple governance drivers such as HIPAA and PCI-DSS.

CIS Controls Quick-Reference Table

#Control AreaTotal SafeguardsIG1 Notes
1Inventory and Control of Enterprise Assets52 controls in IG1
2Inventory and Control of Software Assets73 controls in IG1
3Data Protection14See CIS Controls Navigator
4Secure Configuration of Enterprise Assets and Software12See CIS Controls Navigator
5Account Management6See CIS Controls Navigator
6Access Control Management8See CIS Controls Navigator
7Continuous Vulnerability Management7See CIS Controls Navigator
8Audit Log Management12See CIS Controls Navigator
9Email and Web Browser Protections7See CIS Controls Navigator
10Malware Defenses7See CIS Controls Navigator
11Data Recovery5See CIS Controls Navigator
12Network Infrastructure Management8See CIS Controls Navigator
13Network Monitoring and Defense110 controls in IG1
14Security Awareness and Skills Training9See CIS Controls Navigator
15Service Provider Management7See CIS Controls Navigator
16Application Software Security14See CIS Controls Navigator
17Incident Response Management9See CIS Controls Navigator
18Penetration Testing50 controls in IG1

CIS Controls Implementation Checklist

  • Understand the three control types (administrative, technical, physical) and six control functions (deterrent, preventative, detective, compensating, corrective, recovery).
  • Identify current security posture and existing controls.
  • Identify all applicable governance requirements (HIPAA, PCI-DSS, NIST, ISO, industry contracts, etc.).
  • Inventory critical business processes and the assets (systems, data, equipment) that support them.
  • Assign data sensitivity/criticality levels.
  • Perform a baseline risk assessment before implementing any new controls.
  • Prioritize and implement Implementation Group 1 (56 controls) first.
  • Map existing controls to CIS Controls (and vice versa) to identify overlaps with other governance frameworks.
  • Use CIS Benchmarks to securely configure operating systems, applications, and devices.
  • Consider CIS Hardened Images for cloud deployments (AWS, Azure, GCP, Oracle Cloud).
  • Install, test, document, and check interoperability for every new control.
  • Train both end users and control administrators.
  • Reassess risk after each implementation phase.
  • Plan and gradually roll out IG2 (130 controls) and IG3 (153 controls) as resources and maturity allow.
  • Track CIS Security Metrics across incident, vulnerability, patch, configuration, change, application security, and financial dimensions.
  • Establish continual assessment (interviews, observation, documentation review, technical testing) and day-to-day monitoring processes.
  • Update controls and documentation whenever the operating environment, technology, or threat landscape changes.

Search Terms

security · controls · cis · governance · risk · compliance · networking · systems · globomantics · control · planning · areas · assessing · benchmarks · groups · implement · maintaining · monitoring

More Governance, Risk & Compliance courses

View all 12

Interested in this course?

Contact us to book it or get a custom training plan for your team.