Adopt Trusted, Universal Best Practices

“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.”

–Kamala Harris, 32nd Attorney General of California

A Gateway to Foundational Cybersecurity

The CIS Controls™ security standard is a set of guidelines (formerly known as the SANS Top 20 Critical Security Controls) that gives your organization a reliable, universally recognized foundation for cybersecurity. Unlike recommendations from individual security vendors, these controls are vendor-neutral best practices that are accepted, trusted and used by organizations across many industries.

Aligning your system with these universal recommendations, even when it’s not required by law, can fortify your company and show consumers that you take security seriously.

When you’re searching for a cybersecurity certification or unsure of where to begin in creating a secure system for your company, choose CIS Controls.


The Story of CIS Controls

The CIS Controls were developed in a cooperative effort of IT experts and data security personnel from a wide range of industries and sectors, including defense, education, government, healthcare, manufacturing, retail, and more.

These experienced cyber-defenders set out to create standards that any organization (in any industry) could follow to better protect themselves and their customers.

Together, they wrote a prioritized set of actions that form an in-depth framework of best practices for protecting systems and networks against the most common forms of attack. 

Named after the Center for Internet Security (CIS), which promotes the program, the CIS Controls are one of today’s most widely used standards for voluntary cybersecurity compliance.

Why CIS Controls Work

CIS Controls are based on strategies that have been proven to work when subjected to an actual attack. These guidelines go beyond protecting your systems and include best practices for addressing attacks in progress, post-attack response, detecting compromised machines, preventing follow-up attacks, and even providing actionable information to law enforcement.

Components of CIS Controls

The CIS Controls security standard is based on five critical tenets of cyber defense:

Offense Informs Defense

Each attack tells a story and teaches a lesson. The knowledge gained from those lessons forms the foundation of CIS Controls. These controls have all been proven effective against actual attacks. 

Prioritization

The principle of prioritization calls for the most effective controls to be implemented first. Different controls will provide greater risk reduction for some organizations than they will for others. CIS Implementation Groups help organizations identify the most relevant controls for them.


Measurements and Metrics

Common metrics provide a shared language for managers, auditors, IT personnel and security personnel to calculate the effectiveness of security procedures, identify issues and quickly implement any changes.

Continuous Diagnostics and Mitigation

Ongoing testing validates the effectiveness of implemented security measures, informing the next steps and revealing opportunities for improvement.

Automation

To achieve and scale reliable security, defense measures in alignment with the controls must be automated, removing the human component as a roadblock to effective security.

Understanding the CIS Controls

Basic Controls

CIS Control 1: Inventory and Control of Hardware Assets 

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CIS Control 2: Inventory and Control of Software Assets 

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution. 

CIS Control 3: Continuous Vulnerability Management 

Continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate and minimize the window of opportunity for attackers.

CIS Control 4: Controlled Use of Administrative Privileges 

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. 

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs 

Collect, manage and analyze audit logs of events that could help detect, understand, or recover from an attack. 


Foundational Controls

CIS Control 7: Email and Web Browser Protections 

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems. 

CIS Control 8: Malware Defenses 

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering and corrective action.

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services 

Manage (track/control/correct) the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.

CIS Control 10: Data Recovery Capabilities 

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches 

Establish, implement and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

CIS Control 12: Boundary Defense 

Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.

CIS Control 13: Data Protection 

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

CIS Control 14: Controlled Access Based on the Need to Know 

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

CIS Control 15: Wireless Access Control 

The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.

CIS Control 16: Account Monitoring and Control 

Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.


Organizational Controls

CIS Control 17: Implement a Security Awareness and Training Program 

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps and remediate through policy, organizational planning, training and awareness programs.

CIS Control 18: Application Software Security 

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect and correct security weaknesses.

CIS Control 19: Incident Response and Management 

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence and restoring the integrity of the network and systems.

CIS Control 20: Procedures and Tools 

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents. It is inevitable that exercise and training scenarios will identify gaps in plans and processes and unexpected dependencies. 

CIS Control 21: Penetration Tests and Red Team Exercises 

Test the overall strength of an organization’s defense (the technology, the processes and the people) by simulating the objectives and actions of an attacker.

Truvantis® for Your CIS Controls Implementation

As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you to create a robust security foundation that complies with the CIS Controls standard. 

Our CIS Controls Gap Analysis provides a comprehensive assessment of your system against this standard. We offer a wide range of security products and services to help you achieve the CIS Controls standard, with custom recommendations that are right for your business.

Contact Truvantis today to learn more about the CIS Controls for your business.