Call (952) 836-2770
Free Consultation
Contact Us

CIS Critical Controls

What are CIS Critical Controls?

The CIS Critical Security Controls are a recommended set of cyber defense actions that provide specific and actionable ways to stop today’s attacks. The Critical controls were created by NSA Red and Blue teams, the US Department of Energy, and some of the top forensics and incident response organizations. The resulting controls’ primary goal is to identify what needs to be done to stop any known attacks.

The Controls take the best-in-class threat data and turn it into a form of actionable guidance, to improve security in cyberspace. Too often in Cybersecurity, the “attackers” are more organized than the “good guys.” These controls attempt to provide a means to change that outcome and provide maximum security for an organization. 

The list of twenty controls is as follows, and each has its subset of guidance. 

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Assessment and Remediation
  • Controlled Use of Administrative Privileges
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capabilities
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on the Need to Know
  • Wireless Access Control
  • Account Monitoring and Control
  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

As of April 2019, the version of guidance introduced breaks these controls into “Implementation Groups,” dividing the Controls into three sections: 

  • Implementation Group 1: Applicable to all companies (small to large) 
  • Implementation Group 2: Additional Controls for storing sensitive information 
  • Implementation Group 3: Additional Controls for very sensitive information

With the advent of implementation groups, smaller companies do not need to comply with all CIS Controls; however, the maximum coverage is more easily achieved by implementing as many as possible.

Explore More Terms

Application Security Testing Programs

Increase in Cybersecurity Threats

Advanced Detection and Prevention

Incident Response Plan

BYOD/Mobile Device Security Risks

Cybersecurity

Cybersecurity Barriers

Funding Cybersecurity

Value of Cybersecurity

Cyber-Attack vs. Cyber Threat vs. Cyber Risk

Intrusion Prevention System

SIEM (Security Information and Event Management)

Vulnerability Management Best Practices

View All Terms

Let’s Get Started

Whether you are just starting your security journey or looking to take testing to the next level, securing your business is what we do, and we look forward to working with you.

RedTeam Security

5200 Willson Rd. Suite 150,
EdinaMN55424

(952) 836-2770

[email protected]


5200 Willson Rd. Suite 150,
EdinaMN55424
(952) 836-2770

Proud Partner of the Minnesota Wild

Proud Partner of the Minnesota Wild

LET'S CONNECT
REDTEAM SECURITY
Site Map
Privacy Policy
Accessibility
CONTACT US
[email protected]
Schedule a Free Consultation
Partner With RedTeam
© 2023 All Rights Reserved | Site by The Guerrilla Agency
Redteam Secure logo