What Are the CIS Controls? A Practical Guide to Building a Stronger Security Program

Written by Aubrey Crooks | Jul 16, 2026 2:23:01 PM

Cybersecurity can quickly become a tool conversation.

Endpoint protection. Email security. MFA. Backups. Logging. Vulnerability scanning. Pen testing. Every piece matters, but tools alone do not tell an organization whether its security program is actually mature, measurable, or improving.

That is where the Center for Internet Security Controls, or CIS Controls, are useful.

The CIS Controls give organizations a practical framework for understanding what good security should look like, how to prioritize improvements, and how to measure progress over time. For small and mid-sized businesses, they can also make cybersecurity easier to talk about because they shift the conversation away from isolated products and toward business risk, operational maturity, and defensible progress.

What Are the CIS Controls?

The CIS Controls are a set of cybersecurity best practices created by the Center for Internet Security to help organizations protect their systems, data, users, and networks from common threats.

They are designed to be practical. Instead of starting with abstract security concepts, the CIS Controls focus on the real safeguards organizations need in place, such as knowing what devices are connected to the environment, managing user access, protecting email and web activity, reviewing security logs, recovering data, and responding to incidents.

That practicality is what makes the CIS Controls useful for businesses that need a clearer way to understand cybersecurity. They give teams a shared structure for asking important questions:

  • Do we know what assets and software are in our environment?
  • Are accounts and permissions being managed properly?
  • Are systems configured securely?
  • Are we protecting users from common attack paths?
  • Are logs being collected and reviewed?
  • Do we have a process for responding when something goes wrong?
  • Are we testing whether our defenses actually work?

The CIS Controls do not replace security tools, policies, or technical expertise. Instead, they help organize those pieces into a more complete security program. For organizations that are not sure where to start, they provide a practical foundation. For organizations that already have security tools in place, they create a way to evaluate whether those tools are supporting the right outcomes.

 

Why the CIS Controls Matter

The CIS Controls matter because they give organizations a practical way to prioritize cybersecurity.

Without a framework, security decisions can become reactive. A business may add a tool after a phishing incident, update a policy after an audit request, or review backups only after something goes wrong. Each action may be useful, but without a larger structure, it can be hard to know whether the organization is actually becoming more secure or, in some cases, less.

The CIS Controls help create that structure.

They give businesses a way to look at cybersecurity as a connected program instead of a collection of separate tasks. Asset inventory, access control, malware defense, logging, recovery, incident response, and penetration testing all support different parts of the same goal: reducing risk in a way that can be understood, measured, and improved.

That is especially important for small and mid-sized businesses. Many organizations know they need stronger cybersecurity, but they do not always know what should come first. The CIS Controls help answer that question by giving teams a clearer path forward. They can identify what is already in place, what is missing, and which improvements will make the biggest difference.

In that way, the CIS Controls function as more than a best-practice list. They can become a roadmap. They help organizations move from basic cyber hygiene toward a more mature security program, one step at a time.

The value is not just knowing what security should include. The value is having a practical way to decide what to do next.

 

The 18 CIS Controls at a High Level

 

What Are CIS Implementation Groups?

The CIS Controls are not meant to be applied the same way for every organization. A small business with limited internal IT resources will not have the same security needs, budget, or staffing as a larger organization with a dedicated security team.

That is why the CIS Controls are divided into Implementation Groups.

Implementation Groups help organizations prioritize which safeguards to focus on based on their current risk, resources, and security maturity. Instead of expecting every business to implement every safeguard at once, CIS creates a more practical path for building security over time.

IG1: Essential Cyber Hygiene

Implementation Group 1, or IG1, is the starting point. It focuses on foundational safeguards that help protect against common attacks and establish basic cyber hygiene.

For many small and mid-sized businesses, IG1 is the most realistic place to begin. It helps answer the question: What should we have in place first?

IG2: Building on the Foundation

Implementation Group 2 builds on IG1. It is typically a better fit for organizations with more complex environments, greater risk exposure, or more resources available for cybersecurity.

At this stage, the organization is not just trying to establish the basics. It is working toward stronger processes, better visibility, and more consistent security operations.

IG3: Advanced Security Maturity

Implementation Group 3 includes the most advanced safeguards. It is generally intended for organizations with higher risk, more mature security programs, or dedicated internal security expertise.

These organizations may need deeper monitoring, stronger governance, more formalized response processes, and greater validation of their security controls.

The important thing to understand is that Implementation Groups are not a pass-or-fail model. They are a way to make the CIS Controls more usable. They help organizations start where they are, focus on what matters most, and build toward a stronger security program over time.

 

How CIS Connects Security Tools, Processes, and Evidence

Security tools are important, but they are only part of a strong security program.

A business may have endpoint protection, email filtering, multifactor authentication, backups, logging, and other safeguards in place. Those tools can all support better security, but the bigger question is whether they are being used in a way that is consistent, measurable, and connected to the organization’s actual risk.

The CIS Controls help create that connection.

Instead of looking at each tool in isolation, the CIS Controls help organizations understand what each safeguard is meant to accomplish. Endpoint protection may support malware defense. Email security may support protection against phishing and malicious links. Logging may support investigation and response. Backups may support recovery. Penetration testing may help validate whether controls are working as expected.

The framework also brings process and evidence into the conversation. It is not enough to have a tool turned on. Organizations also need to understand how it is managed, how often it is reviewed, who is responsible for it, and what evidence exists to show that the safeguard is actually working.

That is where CIS becomes especially useful. It gives businesses a way to connect the technical side of cybersecurity with the operational side. Tools, policies, documentation, review cycles, response procedures, and reporting all become part of the same larger picture.

For business leaders, that makes cybersecurity easier to understand. For technical teams, it creates a clearer way to prioritize work. And for organizations trying to improve over time, it provides a structure for showing progress with more than assumptions or good intentions.

 

How to Get Started With the CIS Controls

Getting started with the CIS Controls does not mean trying to implement every safeguard at once. For most organizations, the better approach is to understand where the business stands today, identify the most important gaps, and create a realistic path forward.

A good starting point is to determine which Implementation Group best fits the organization. Many small and mid-sized businesses begin with IG1 because it focuses on essential cyber hygiene. From there, the organization can evaluate which safeguards are already in place, which ones are partially in place, and which ones need more attention.

This is where documentation and evidence matter. It is one thing to believe a process exists. It is another to show how that process works, who owns it, how often it happens, and whether it is being followed consistently. That does not mean every organization needs a complex compliance program, but it does mean cybersecurity should be based on more than assumptions.

For many businesses, a CIS Controls Assessment can help create that baseline. It gives the organization a clearer view of its current security posture and helps turn the CIS Controls into a prioritized list of next steps.

From there, the work becomes more manageable. The business can focus on the safeguards that matter most, assign ownership, make improvements over time, and revisit the framework as the environment changes.

The goal is not to finish cybersecurity. The goal is to build a security program that can keep improving.

 

 

How DotStar Uses CIS as a Security Framework

DotStar uses the CIS Controls as a practical framework for helping organizations understand, measure, and improve their security programs.

That matters because cybersecurity can easily become fragmented. One tool may protect endpoints. Another may filter email. Another may collect logs. Another may support backups or recovery. Each piece has value, but without a framework, it can be difficult to understand how those pieces work together or where the biggest gaps still exist.

CIS gives that work structure.

For DotStar, the CIS Controls help connect assessment, reporting, managed protection, detection and response, advisory support, and recurring validation into one larger security picture. The goal is not simply to deploy security tools. The goal is to help organizations understand where they are, what needs attention, and how each improvement supports a stronger security program.

This also makes CIS useful as a roadmap. An organization may start by identifying its current gaps, then focus on foundational safeguards, improve operational visibility, strengthen response processes, and validate progress over time. Each step becomes easier to prioritize because it connects back to a recognized framework.

For businesses and MSP partners, that creates a clearer way to talk about cybersecurity. Instead of relying on disconnected reports or one-off recommendations, CIS helps turn security into an ongoing process that can be measured, explained, and improved.

For continued CIS monitoring and support, learn more about CIS Compliance.

 

 

The Real Value of the CIS Controls

The CIS Controls give organizations a practical way to understand cybersecurity, prioritize improvements, and measure progress over time.

They are useful because they bring structure to a topic that can otherwise feel overwhelming. Instead of looking at cybersecurity as a long list of tools, tasks, and technical decisions, the CIS Controls help organizations see how those pieces fit together into a stronger security program.

For some businesses, that starts with basic cyber hygiene. For others, it means improving visibility, strengthening processes, validating existing controls, or preparing for more formal compliance needs. The right path depends on the organization’s size, risk, resources, and current maturity.

What matters most is having a clear framework to guide the work.

Cybersecurity is not something an organization finishes once. It is something that has to be maintained, reviewed, and improved as the business changes. The CIS Controls give organizations a practical foundation for doing that work with more clarity and confidence.