Learning Center May 29, 2025 Reading Time: 6 minutes

What Are the CIS Controls and How Can They Improve Your Cybersecurity?

What Are the CIS Controls?

A practical foundation for cyber defense in 2025

The Center for Internet Security (CIS) Controls are a community-driven set of best practices designed to help organizations defend against today’s most prevalent cyber threats. Now in version 8.1, the CIS Controls prioritize specific safeguards that reduce the risk of ransomware, business email compromise, and third-party attacks.

Originally known as the “SANS Top 20,” the framework has evolved into a widely adopted standard among public and private sector organizations. Its latest version introduces more flexibility by dividing safeguards into Implementation Groups (IGs) based on organizational size, risk tolerance, and available resources.

Why the CIS Controls Matter in 2025

Attackers continue to evolve faster than many security programs. In 2025, ransomware groups are increasingly exploiting third-party vendors. Unlike governance frameworks such as the NIST Cybersecurity Framework (CSF), which describe outcomes, the CIS Controls are prescriptive: they name the specific safeguards to put in place.

Implementing these Controls can also help organizations shore up their security and, in some cases, meet compliance obligations under a variety of other directives, such as:

  • The European Union’s NIS2 Directive
  • The U.S. Securities and Exchange Commission’s (SEC) cyber disclosure rules
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Cybersecurity Maturity Model Certification (CMMC)
  • State privacy laws like the California Consumer Privacy Act (CCPA) and Oregon Consumer Privacy Act (OCPA)

The Controls can help demonstrate due diligence, tighten supply chain security, and accelerate incident response. They also provide clear alignment with emerging cybersecurity threats globally.

Overview of the 18 CIS Controls (v8)

The CIS framework includes 18 critical Controls, each aimed at a specific area of cybersecurity defense. These are grouped by function and form the foundation of the security roadmap. They include:

  1. Inventory and Control of Enterprise Assets: Maintain visibility into all devices connected to the network.
  2. Inventory and Control of Software Assets: Track and manage approved and unauthorized software.
  3. Data Protection: Encrypt sensitive data and enforce data classification policies. Identify processes to securely handle, maintain, and dispose of data.
  4. Secure Configuration of Enterprise Assets: Apply hardened configurations to servers and endpoints.
  5. Account Management: Implement least privilege and manage access lifecycles.
  6. Access Control Management: Enforce role-based access and multi-factor authentication (MFA).
  7. Continuous Vulnerability Management: Detect and remediate vulnerabilities proactively. Monitor threat intelligence for new vulnerabilities or campaigns.
  8. Audit Log Management: Centralize logging and monitor for anomalies.
  9. Email and Web Browser Protections: Harden browsers and email clients to reduce phishing risk.
  10. Malware Defenses: Deploy anti-malware and behavior-based detection.
  11. Data Recovery: Maintain secure, tested backups with verified recovery paths.
  12. Network Infrastructure Management: Segment internal networks and monitor ingress/egress traffic. Ensure network infrastructure is up-to-date.
  13. Network Monitoring and Defense: Use intrusion detection/prevention systems (IDS/IPS), anomaly detection tools, and centralize security event alerting.
  14. Security Awareness and Training: Provide ongoing cybersecurity training for all employees, tailored by role. Simulate phishing attacks to assess awareness.
  15. Service Provider Management: Monitor and assess third-party service providers. Require contractual commitments, conduct risk reviews, and continuously monitor vendor performance.
  16. Application Software Security: Integrate security into the software development lifecycle and use trusted third-party software components.
  17. Incident Response Management: Develop, test, and refine incident response plans, including roles, escalation paths, and different attack types.
  18. Penetration Testing: Run simulated attacks to evaluate real-world defenses.

Tailoring the Controls: Understanding Implementation Groups

CIS breaks implementation guidance into three groups:

  • IG1: Basic cyber hygiene suitable for small or resource-limited organizations.
  • IG2: Enhanced protections aligned with teams that store or process sensitive data.
  • IG3: Advanced safeguards for large or high-risk enterprises concerned with confidentiality, integrity, and availability of data.

Each group represents a progressive subset of the full 153 Safeguards. This allows organizations to start with essential protections and scale as maturity grows.

Key Benefits of CIS Control Adoption

Organizations that implement the Controls can realize measurable improvements in cyber resilience. Core benefits can include:

  • Reduced attack surface through asset and software inventories
  • Improved vulnerability management with ongoing scanning and patching
  • Faster detection and response through centralized log management
  • Enhanced third-party security
  • Stronger compliance posture across privacy and industry regulations


How to Begin Implementing the CIS Controls

Security leaders can start with these steps:

  1. Run a Gap Assessment
    Use a CIS-based assessment tool to compare your current state to the appropriate Implementation Group.
  2. Prioritize High-Risk Controls
    Focus first on Controls that defend against your top threats. If phishing is a major concern, for instance, prioritize email and access controls.
  3. Assign Clear Ownership
    Designate stakeholders for each Control, including IT, security, compliance, and legal teams.
  4. Automate Where Possible
    Deploy platforms that monitor vendors, track asset changes, detect misconfigurations, and support audit log centralization.
  5. Measure Maturity
    Monitor implementation progress over time and tie improvements to real metrics—like mean time to detect (MTTD) or audit readiness.
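The Implementation Groups are nested (everything required for IG1 is also required for IG2, and so on), and a gap assessment is simply a comparison of what is implemented against the safeguards the target group requires. The script below is an added example, not code from CIS or SecurityScorecard, that models that nesting and produces the per-Control gap report steps 1 and 5 call for. The safeguard list is a small constructed sample with paraphrased titles (the real v8.1 catalogue has 153 Safeguards); check ids and IG assignments against the published list before relying on them.

```python
"""Added example: minimal CIS Controls gap assessment against a target
Implementation Group. Not CIS or SecurityScorecard code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    sid: str    # "control.safeguard", e.g. "1.1"
    title: str
    ig: int     # lowest Implementation Group that requires this safeguard

    @property
    def control(self) -> int:
        return int(self.sid.split(".")[0])


# Constructed sample; titles paraphrased. Verify against the published list.
SAMPLE_SAFEGUARDS = [
    Safeguard("1.1", "Establish and maintain a detailed enterprise asset inventory", 1),
    Safeguard("1.2", "Address unauthorized assets", 1),
    Safeguard("1.3", "Utilize an active discovery tool", 2),
    Safeguard("1.5", "Use a passive asset discovery tool", 3),
    Safeguard("8.1", "Establish and maintain an audit log management process", 1),
    Safeguard("8.2", "Collect audit logs", 1),
    Safeguard("8.9", "Centralize audit logs", 2),
    Safeguard("15.1", "Establish and maintain an inventory of service providers", 1),
    Safeguard("15.4", "Ensure service provider contracts include security requirements", 2),
    Safeguard("15.6", "Monitor service providers", 3),
]

# Constructed implementation status: safeguard id -> implemented?
# Ids that are absent are treated as not implemented.
SAMPLE_STATUS = {"1.1": True, "1.2": True, "1.3": True,
                 "8.1": True, "8.2": True, "15.1": True}


def required_for(target_ig: int, safeguards=SAMPLE_SAFEGUARDS) -> list:
    """IGs are nested: targeting IG2 requires every IG1 and IG2 safeguard."""
    if target_ig not in (1, 2, 3):
        raise ValueError("target_ig must be 1, 2 or 3")
    return [s for s in safeguards if s.ig <= target_ig]


def gap_assessment(status: dict, target_ig: int, safeguards=SAMPLE_SAFEGUARDS) -> dict:
    """Per-Control coverage and missing safeguard ids for the target IG."""
    required = required_for(target_ig, safeguards)
    per_control = defaultdict(lambda: {"required": 0, "implemented": 0, "missing": []})
    for s in required:
        entry = per_control[s.control]
        entry["required"] += 1
        if status.get(s.sid, False):
            entry["implemented"] += 1
        else:
            entry["missing"].append(s.sid)
    total_impl = sum(e["implemented"] for e in per_control.values())
    return {
        "target_ig": target_ig,
        "coverage": round(total_impl / len(required), 3) if required else 1.0,
        "controls": dict(sorted(per_control.items())),
    }


def achieved_ig(status: dict, safeguards=SAMPLE_SAFEGUARDS) -> int:
    """Highest IG whose safeguards are all implemented (0 if IG1 is incomplete).
    Because groups nest, stop at the first group that is not fully met."""
    achieved = 0
    for ig in (1, 2, 3):
        if all(status.get(s.sid, False) for s in required_for(ig, safeguards)):
            achieved = ig
        else:
            break
    return achieved


if __name__ == "__main__":
    report = gap_assessment(SAMPLE_STATUS, target_ig=2)
    print(f"Target IG{report['target_ig']}: {report['coverage']:.0%} of required safeguards in place")
    for control, entry in report["controls"].items():
        print(f"  Control {control}: {entry['implemented']}/{entry['required']}"
              f" implemented, missing {entry['missing'] or 'none'}")
    print(f"Fully achieved: IG{achieved_ig(SAMPLE_STATUS)}")
```

The `achieved_ig` value is the kind of single maturity number step 5 asks for; tracking it alongside the per-Control missing list over time shows both where the organization stands and which safeguards to assign owners to next.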

Use Case: Strengthening Vendor Security with CIS

Control 15 focuses on managing the cybersecurity posture of service providers. Safeguards include:

  • Maintaining a full inventory of third-party service providers
  • Requiring contractual commitments to minimum security standards
  • Conducting periodic audits or assessments

This Control aligns closely with SecurityScorecard’s offerings. MAX, our managed service for Supply Chain Detection and Response (SCDR), can help you assess vendor security, monitor for breaches and risky behaviors, and work with vendors to fix issues.

Final Thoughts: Building Resilience with the CIS Controls

The CIS Controls offer a structured path toward real-world cyber defense even as attackers increasingly target third parties and conduct disruptive ransomware attacks. These actionable safeguards allow organizations of all sizes to harden their infrastructure, protect sensitive data, and respond effectively to incidents.


Frequently Asked Questions

Are the CIS Controls mandatory?

No, but many regulators and auditors reference them. They help demonstrate reasonable security practices and reduce legal exposure.

How often should organizations review Control implementation?

At least annually or following significant changes in your threat environment, business operations, or staff roles. Some of the safeguards should be reviewed more frequently.

Can small businesses adopt the CIS Controls?

Yes. One category of the CIS Controls, Implementation Group 1 (IG1), is designed for organizations with limited resources and focuses on essential cyber hygiene.

Do the CIS Controls replace frameworks like NIST or ISO 27001?

No. They complement broader governance frameworks by offering specific implementation guidance.
