Proven cybersecurity best practices with global recognition.

“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.”

- Kamala Harris, Vice President of the United States
(quoted while serving as Attorney General of California)

Straightforward, effective, and universal cybersecurity.

The CIS Controls (formerly known as the SANS 20 Critical Security Controls) are a prescriptive, prioritized, and simplified set of cybersecurity best practices and defensive actions that can help support compliance in a multi-framework era. They are leveraged by organizations around the world to provide specific guidance and a clear pathway to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.

Straightforward.

The CIS Controls were designed as a simple list of 20 security controls that any organization could implement to protect itself and its customers. As of May 2021, the CIS Controls have been further simplified to 18 controls.

The CIS Controls are prioritized in Implementation Groups (IGs). This allows smaller organizations to implement a prioritized subset of the controls, while large organizations with mature security programs can implement all of the controls. And, as smaller organizations grow, they can adopt additional safeguards without changing frameworks.

Implementing all of the CIS Controls is the definition of an effective cybersecurity program, while effectively implementing only those controls within IG 1 represents basic cyber hygiene for any organization.

Effective.

The CIS Controls were cooperatively developed by consortium subject matter experts representing most industries. They incorporate best practices that have been proven to work in the real world.

To ensure continued effectiveness, the CIS Controls are regularly updated and re-prioritized to address emerging threats. For example, in May 2021, version 8 of the CIS Controls was released. Data Protection, formerly control 13, was reordered to control 3 to show its importance in recognition of today’s ‘borderless’ networks and cloud transformation.

The Verizon Data Breach Investigations Report (DBIR) also recognizes the effectiveness of the CIS Controls. The DBIR integrates the CIS Controls throughout the report, and names the CIS Controls as a guide to use for mitigating risk across industries. The DBIR is one of the most well-known and credible sources for data on cybersecurity incidents and breaches.

Universal.

The CIS Controls are universally recognized by organizations around the world, and across industries including government, defense, critical infrastructure, healthcare, finance, education, and many more.

The CIS Controls are also universal in their ability to map to standards and regulatory frameworks like PCI DSS, HIPAA, FedRAMP, and others. In addition to making the CIS Controls adaptable to organizations of any size, separating the CIS Controls into Implementation Groups (IGs) makes their application across multiple frameworks easier.

Rather than aligning your security program to a specific industry standard or regulatory framework, alignment to the CIS Controls ensures organizations can adapt to emerging compliance requirements.

Schedule a gap analysis to assess your security program against the CIS Controls.