Skip to content

What Are the CIS Controls? A Practical Guide to Building a Stronger Security Program

 Blog Outline: What Are the CIS Controls? A Practical Guide to Building a Stronger Security Program

Cybersecurity can quickly become a tool conversation.

Endpoint protection. Email security. MFA. Backups. Logging. Vulnerability scanning. Pen testing. Every piece matters, but tools alone do not tell an organization whether its security program is actually mature, measurable, or improving.

That is where the Center for Internet Security Controls, or CIS Controls, are useful.

The CIS Controls give organizations a practical framework for understanding what good security should look like, how to prioritize improvements, and how to measure progress over time. For small and mid-sized businesses, they can also make cybersecurity easier to talk about because they shift the conversation away from isolated products and toward business risk, operational maturity, and defensible progress.

What Are the CIS Controls?

The CIS Controls are a set of cybersecurity best practices created by the Center for Internet Security to help organizations protect their systems, data, users, and networks from common threats.

They are designed to be practical. Instead of starting with abstract security concepts, the CIS Controls focus on the real safeguards organizations need in place, such as knowing what devices are connected to the environment, managing user access, protecting email and web activity, reviewing security logs, recovering data, and responding to incidents.

That practicality is what makes the CIS Controls useful for businesses that need a clearer way to understand cybersecurity. They give teams a shared structure for asking important questions:

  • Do we know what assets and software are in our environment?
  • Are accounts and permissions being managed properly?
  • Are systems configured securely?
  • Are we protecting users from common attack paths?
  • Are logs being collected and reviewed?
  • Do we have a process for responding when something goes wrong?
  • Are we testing whether our defenses actually work?

The CIS Controls do not replace security tools, policies, or technical expertise. Instead, they help organize those pieces into a more complete security program. For organizations that are not sure where to start, they provide a practical foundation. For organizations that already have security tools in place, they create a way to evaluate whether those tools are supporting the right outcomes.

 

Why the CIS Controls Matter

The CIS Controls matter because they give organizations a practical way to prioritize cybersecurity.

Without a framework, security decisions can become reactive. A business may add a tool after a phishing incident, update a policy after an audit request, or review backups only after something goes wrong. Each action may be useful, but without a larger structure, it can be hard to know whether the organization is actually becoming more secure or, in some cases, less.

The CIS Controls help create that structure.

They give businesses a way to look at cybersecurity as a connected program instead of a collection of separate tasks. Asset inventory, access control, malware defense, logging, recovery, incident response, and penetration testing all support different parts of the same goal: reducing risk in a way that can be understood, measured, and improved.

That is especially important for small and mid-sized businesses. Many organizations know they need stronger cybersecurity, but they do not always know what should come first. The CIS Controls help answer that question by giving teams a clearer path forward. They can identify what is already in place, what is missing, and which improvements will make the biggest difference.

In that way, the CIS Controls function as more than a best-practice list. They can become a roadmap. They help organizations move from basic cyber hygiene toward a more mature security program, one step at a time.

The value is not just knowing what security should include. The value is having a practical way to decide what to do next.

 

The 18 CIS Controls at a High Level

CIS Control 1: Inventory and Control of Enterprise Assets

Organizations need to know what devices and systems are connected to their environment. This includes workstations, servers, mobile devices, cloud resources, and other assets that could introduce risk if they are unknown, unmanaged, or unauthorized. 

CIS Control 2: Inventory and Control of Software Assets

Businesses also need visibility into the software running across their environment. This control focuses on identifying approved software, removing unauthorized applications, and reducing risk from outdated, unsupported, or unnecessary software. 

CIS Control 3: Data Protection

Data protection focuses on identifying, handling, and securing sensitive information. This includes understanding where important data lives, who can access it, how it is protected, and how the organization reduces the risk of data exposure or loss. 

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Default settings are not always secure. This control focuses on configuring systems, applications, and devices in a way that reduces unnecessary risk and helps maintain a stronger security baseline over time. 

CIS Control 5: Account Management

User accounts need to be created, changed, monitored, and removed in a controlled way. This control helps organizations reduce risk from unused accounts, shared accounts, excessive permissions, and poor account lifecycle management. 

CIS Control 6: Access Control Management

Access control focuses on making sure users only have the access they need to do their jobs. It includes practices like managing permissions, enforcing authentication requirements, and limiting unnecessary access to systems and data. 

CIS Control 7: Continuous Vulnerability Management

New vulnerabilities are discovered constantly. This control focuses on identifying, prioritizing, and addressing weaknesses in systems and software before attackers can use them. 

CIS Control 8: Audit Log Management

Logs help organizations understand what happened in their environment. This control focuses on collecting, retaining, and reviewing security logs so suspicious activity can be investigated and response teams have the information they need. 

CIS Control 9: Email and Web Browser Protections

Email and web browsing are common paths for attacks. This control focuses on reducing risk from phishing, malicious links, unsafe attachments, harmful websites, and other threats users may encounter during normal business activity. 

CIS Control 10: Malware Defenses

Malware defenses help prevent, detect, and respond to malicious software. This includes protections against viruses, ransomware, trojans, and other malicious activity that could impact systems or data. 

CIS Control 11: Data Recovery

Organizations need the ability to recover when data is lost, encrypted, deleted, or damaged. This control focuses on backup practices, recovery testing, and ensuring the business can restore critical data when needed. 

CIS Control 12: Network Infrastructure Management

Network devices and infrastructure need to be managed securely. This control focuses on maintaining routers, firewalls, switches, wireless systems, and other network components in a controlled and secure way. 

CIS Control 13: Network Monitoring and Defense

This control focuses on monitoring network activity for signs of suspicious behavior. It helps organizations detect threats, investigate unusual traffic, and respond to potential attacks within the environment. 

CIS Control 14: Security Awareness and Skills Training

Employees play an important role in security. This control focuses on helping users understand common risks, follow secure practices, recognize suspicious activity, and respond appropriately. 

CIS Control 15: Service Provider Management

Vendors and service providers can introduce risk into the business. This control focuses on evaluating, managing, and monitoring third-party relationships that may affect systems, data, or security operations. 

CIS Control 16: Application Software Security

Applications need to be developed, configured, and maintained securely. This control focuses on reducing risk in software that the organization builds, uses, or manages. 

CIS Control 17: Incident Response Management

Organizations need a plan for responding when something goes wrong. This control focuses on preparing for security incidents, assigning responsibilities, documenting response procedures, and improving response over time. 

CIS Control 18: Penetration Testing

Penetration testing helps organizations validate whether their defenses can withstand real-world attack techniques. This control focuses on testing security controls, identifying exploitable weaknesses, and using those findings to improve the security program. 

 

What Are CIS Implementation Groups?

The CIS Controls are not meant to be applied the same way for every organization. A small business with limited internal IT resources will not have the same security needs, budget, or staffing as a larger organization with a dedicated security team.

That is why the CIS Controls are divided into Implementation Groups.

Implementation Groups help organizations prioritize which safeguards to focus on based on their current risk, resources, and security maturity. Instead of expecting every business to implement every safeguard at once, CIS creates a more practical path for building security over time.

IG1: Essential Cyber Hygiene

Implementation Group 1, or IG1, is the starting point. It focuses on foundational safeguards that help protect against common attacks and establish basic cyber hygiene.

For many small and mid-sized businesses, IG1 is the most realistic place to begin. It helps answer the question: What should we have in place first?

IG2: Building on the Foundation

Implementation Group 2 builds on IG1. It is typically a better fit for organizations with more complex environments, greater risk exposure, or more resources available for cybersecurity.

At this stage, the organization is not just trying to establish the basics. It is working toward stronger processes, better visibility, and more consistent security operations.

IG3: Advanced Security Maturity

Implementation Group 3 includes the most advanced safeguards. It is generally intended for organizations with higher risk, more mature security programs, or dedicated internal security expertise.

These organizations may need deeper monitoring, stronger governance, more formalized response processes, and greater validation of their security controls.

The important thing to understand is that Implementation Groups are not a pass-or-fail model. They are a way to make the CIS Controls more usable. They help organizations start where they are, focus on what matters most, and build toward a stronger security program over time.

 

How CIS Connects Security Tools, Processes, and Evidence

Security tools are important, but they are only part of a strong security program.

A business may have endpoint protection, email filtering, multifactor authentication, backups, logging, and other safeguards in place. Those tools can all support better security, but the bigger question is whether they are being used in a way that is consistent, measurable, and connected to the organization’s actual risk.

The CIS Controls help create that connection.

Instead of looking at each tool in isolation, the CIS Controls help organizations understand what each safeguard is meant to accomplish. Endpoint protection may support malware defense. Email security may support protection against phishing and malicious links. Logging may support investigation and response. Backups may support recovery. Penetration testing may help validate whether controls are working as expected.

The framework also brings process and evidence into the conversation. It is not enough to have a tool turned on. Organizations also need to understand how it is managed, how often it is reviewed, who is responsible for it, and what evidence exists to show that the safeguard is actually working.

That is where CIS becomes especially useful. It gives businesses a way to connect the technical side of cybersecurity with the operational side. Tools, policies, documentation, review cycles, response procedures, and reporting all become part of the same larger picture.

For business leaders, that makes cybersecurity easier to understand. For technical teams, it creates a clearer way to prioritize work. And for organizations trying to improve over time, it provides a structure for showing progress with more than assumptions or good intentions.

 

How to Get Started With the CIS Controls

Getting started with the CIS Controls does not mean trying to implement every safeguard at once. For most organizations, the better approach is to understand where the business stands today, identify the most important gaps, and create a realistic path forward.

A good starting point is to determine which Implementation Group best fits the organization. Many small and mid-sized businesses begin with IG1 because it focuses on essential cyber hygiene. From there, the organization can evaluate which safeguards are already in place, which ones are partially in place, and which ones need more attention.

This is where documentation and evidence matter. It is one thing to believe a process exists. It is another to show how that process works, who owns it, how often it happens, and whether it is being followed consistently. That does not mean every organization needs a complex compliance program, but it does mean cybersecurity should be based on more than assumptions.

For many businesses, a CIS Controls Assessment can help create that baseline. It gives the organization a clearer view of its current security posture and helps turn the CIS Controls into a prioritized list of next steps.

From there, the work becomes more manageable. The business can focus on the safeguards that matter most, assign ownership, make improvements over time, and revisit the framework as the environment changes.

The goal is not to finish cybersecurity. The goal is to build a security program that can keep improving.

 

 

How DotStar Uses CIS as a Security Framework

DotStar uses the CIS Controls as a practical framework for helping organizations understand, measure, and improve their security programs.

That matters because cybersecurity can easily become fragmented. One tool may protect endpoints. Another may filter email. Another may collect logs. Another may support backups or recovery. Each piece has value, but without a framework, it can be difficult to understand how those pieces work together or where the biggest gaps still exist.

CIS gives that work structure.

For DotStar, the CIS Controls help connect assessment, reporting, managed protection, detection and response, advisory support, and recurring validation into one larger security picture. The goal is not simply to deploy security tools. The goal is to help organizations understand where they are, what needs attention, and how each improvement supports a stronger security program.

This also makes CIS useful as a roadmap. An organization may start by identifying its current gaps, then focus on foundational safeguards, improve operational visibility, strengthen response processes, and validate progress over time. Each step becomes easier to prioritize because it connects back to a recognized framework.

For businesses and MSP partners, that creates a clearer way to talk about cybersecurity. Instead of relying on disconnected reports or one-off recommendations, CIS helps turn security into an ongoing process that can be measured, explained, and improved.

For continued CIS monitoring and support, learn more about CIS Compliance.

 

 

The Real Value of the CIS Controls

The CIS Controls give organizations a practical way to understand cybersecurity, prioritize improvements, and measure progress over time.

They are useful because they bring structure to a topic that can otherwise feel overwhelming. Instead of looking at cybersecurity as a long list of tools, tasks, and technical decisions, the CIS Controls help organizations see how those pieces fit together into a stronger security program.

For some businesses, that starts with basic cyber hygiene. For others, it means improving visibility, strengthening processes, validating existing controls, or preparing for more formal compliance needs. The right path depends on the organization’s size, risk, resources, and current maturity.

What matters most is having a clear framework to guide the work.

Cybersecurity is not something an organization finishes once. It is something that has to be maintained, reviewed, and improved as the business changes. The CIS Controls give organizations a practical foundation for doing that work with more clarity and confidence.

Frequently Asked Questions

What are the CIS Controls?

The CIS Controls are a set of cybersecurity best practices created by the Center for Internet Security. They help organizations protect systems, data, users, and networks by focusing on practical safeguards that reduce common security risks. 

What is the difference between CIS Controls and CIS Benchmarks?

The CIS Controls help organizations understand what cybersecurity safeguards should be in place. CIS Benchmarks are more technical configuration guidelines for securely setting up specific systems, platforms, and software.

In simple terms, the Controls help define what needs to be protected and managed. The Benchmarks help define how certain technologies should be configured securely.

What are CIS Implementation Groups?

CIS Implementation Groups help organizations prioritize which safeguards to focus on first. IG1 focuses on essential cyber hygiene, IG2 builds on that foundation for more mature or complex environments, and IG3 includes more advanced safeguards for organizations with higher risk or stronger security requirements. 

Is CIS a compliance framework?

CIS is not a regulation, but it is commonly used as a cybersecurity framework to support better security practices and compliance readiness. Many organizations use the CIS Controls to create structure, document progress, and align security efforts with broader compliance or risk management goals. 

How do you get started with the CIS Controls?

A good starting point is to identify the right Implementation Group, review which safeguards are already in place, and determine where the biggest gaps exist. Many organizations use a CIS Controls assessment to establish a baseline and create a prioritized path for improvement.