The IT industry is shaped by security standards and best practices that, like the cyber attacks that continue to make headlines, are constantly evolving. Security frameworks and standards help businesses reduce the risk of data breaches, ransomware and other cyber threats. The two most commonly applied security frameworks are administered by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). In this blog post, we explain the CIS Critical Security Controls (CIS Controls) and why it is important that businesses follow them to keep both their clients and their own organizations secure.
What does CIS stand for in security?
CIS stands for the Center for Internet Security, a United States-based nonprofit that focuses on improving cybersecurity in both the private and public sectors. Founded in 2000, CIS maintains the CIS Controls (now on version 8), which are developed in collaboration with cybersecurity experts from a range of professional backgrounds, industries and countries. The CIS framework helps businesses demonstrate compliance with recognized cybersecurity standards and provides a roadmap for building a proactive cybersecurity program.
What are the CIS Controls?
The CIS Controls are a set of 18 prioritized cybersecurity actions and best practices, ranging from data protection to email and web browser protection to penetration testing, all of which promote strong cyber hygiene. They are prescriptive: each of the 18 top-level recommendations is called a Control, and each Control is broken down into specific, measurable actions called Safeguards. To review the full list, visit the CIS website: https://www.cisecurity.org/controls.
The Safeguards are also grouped into Implementation Groups (IGs), which help organizations prioritize them based on their resources and risk profile. The groups are cumulative: each builds on the one before it. There are three IGs in the latest version:
- Implementation Group 1: Aimed at small businesses with limited IT and cybersecurity expertise, this group is focused on essential cyber hygiene for organizations whose data sensitivity is low. It is the minimum set of Safeguards that every enterprise should apply to guard against the most common attacks.
- Implementation Group 2: Builds on the Safeguards of IG1 and adds Safeguards for organizations with greater IT complexity, a higher risk profile and moderate cybersecurity resources, typically with staff responsible for managing IT infrastructure.
- Implementation Group 3: Adds the remaining Safeguards, directed at mature, high-risk organizations that handle large amounts of sensitive data, and generally requires dedicated cybersecurity experts to implement.
Why use CIS controls for security and compliance?
Using the CIS Controls for security and compliance gives you a recognized way of demonstrating your cybersecurity practices and strategies to your clients and business partners. While there is no silver bullet for security, implementing the CIS Controls measurably reduces the chance of a compromise. Security is never a "set and forget" task, though; it is an ongoing effort that requires organizational commitment and regular reassessment as threats and systems change.
We sometimes hear from our clients, "Oh, we don't need that level of security – we're too small for anyone to care to hack into our systems." Well, that's simply not true. –Wayne Chow | Nucleus, Director of Cybersecurity
Nucleus can review your security and help you prepare your IT infrastructure, policies and systems for CIS Controls compliance and auditing while improving your overall security posture. We can also simply have a conversation to help you understand how the CIS Controls and Implementation Groups would benefit your business. Contact us to schedule a meeting with one of our cybersecurity consultants.