Skip to content

How many controls are there in the CIS framework?

Explore some of our latest AI related thought leadership and research

6clicks has been built for cyber risk and compliance professionals to automate and streamline security compliance, IT risk management, vendor risk management, incident management, and more.

Learn more about our Hub & Spoke architecture, Hailey AI engine and explore the other content in our platform here

Risk, threat and vulnerability - what's the difference?

Risk, threat and vulnerability - what's the difference?

What is the difference between NIST 800-53 and NIST CSF?

What is the difference between NIST 800-53 and NIST CSF?

The top 5 vendor risk assessment questionnaires for 2023

The top 5 vendor risk assessment questionnaires for 2023

What is a risk register and how to automate

What is a risk register and why is it important?

Top management's key responsibilities for ISO 27001 implementation

Top management's key responsibilities for ISO 27001 implementation

The founder’s story: How 6clicks was born and what’s behind the name

The founder’s story: How 6clicks was born and what’s behind the name


What is the CIS framework?

The CIS (Center for Internet Security) framework is a set of best practices and controls used to establish a baseline for organizations to improve their cybersecurity posture. It provides a comprehensive set of guidelines and recommendations to mitigate the most common cyber threats and vulnerabilities. The framework includes 20 critical security controls that are designed to address key areas of concern and provide effective defenses against various attack vectors. These controls cover a wide range of areas such as secure configuration of hardware and software assets, control of software assets, continuous vulnerability assessment and remediation, access control measures, incident response planning, and more. By implementing the CIS framework, organizations can reduce their risk profile, strengthen their security posture, and enhance their ability to detect, respond to, and recover from security incidents. It serves as a valuable resource for security professionals to identify and implement the necessary cybersecurity measures to protect their critical assets and stay ahead of the evolving threat landscape.

Overview of the CIS controls

The CIS controls, or Critical Security Controls, are a set of cybersecurity best practices that organizations can use to enhance their security posture and protect against common cyber threats. These controls are divided into three categories: Basic Controls, Foundational Controls, and Organizational Controls.

The Basic Controls, also known as the First Five, focus on establishing foundational cyber hygiene practices. These controls are designed to protect against unauthorized access to hardware and software, maintain secure configurations, and manage vulnerabilities. They include:

  1. Inventory and Control of Hardware Assets: This control ensures that all authorized devices are identified and managed to prevent unauthorized access.
  2. Inventory and Control of Software Assets: It involves creating an inventory of authorized software and ensuring that only approved and up-to-date software is used in the organization.
  3. Continuous Vulnerability Management: This control involves regularly scanning for vulnerabilities in network and end-user devices and promptly addressing any identified weaknesses.
  4. Controlled Use of Administrative Privileges: This control limits and monitors the use of administrative privileges to minimize the risk of unauthorized access and potential misuse.
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: This control ensures that all devices and software are configured securely and in accordance with best practices.

By implementing these controls, organizations can reduce their cyber risk and enhance their defenses against a wide range of security threats. The CIS controls provide a framework for organizations to strengthen their security posture and protect their critical assets.

History of CIS Controls

The history of CIS Controls dates back to 2008 when a group of security professionals came together to create a set of best practices to address common cyber threats and vulnerabilities. Initially known as the SANS Top 20 Critical Security Controls, this framework served as a comprehensive guide to help organizations improve their security posture. In 2013, the Center for Internet Security (CIS) took over the development and management of the controls and expanded the framework to include 20 controls that covered a wide range of security areas. Over the years, the CIS Controls have become widely adopted by organizations of all sizes and industries as a baseline for improving their cybersecurity risk profile. The controls are regularly updated to address emerging threats and evolving attack vectors, ensuring that organizations have the necessary tools and guidance to strengthen their cyber defenses. Today, the CIS Controls are recognized as a crucial element of an effective security program and are an essential resource for security teams in protecting critical assets and mitigating cyber risks.

Origins of the CIS framework

The CIS framework, also known as the CIS Controls, has its origins in the U.S. National Security Agency (NSA). It was initially developed by the NSA in response to major data loss incidents that highlighted the need for a standardized set of controls to protect against common cyber threats.

After its initial development, the controls were later published by the SANS Institute, a renowned cybersecurity training and research organization. The SANS Institute collaborated with a consortium of public and private sector organizations to refine and enhance the controls, ensuring that they addressed the most critical security weaknesses and provided effective defenses against a wide range of cyber threats.

In recent years, ownership of the CIS Controls has been transferred to the Center for Internet Security (CIS), a non-profit organization dedicated to improving cybersecurity defenses and promoting cyber hygiene practices. The CIS continues to update and maintain the controls, working closely with industry experts and security professionals to ensure that they remain relevant and effective in the ever-evolving landscape of cyber threats.

By providing organizations with a comprehensive set of best practices, the CIS framework empowers security teams to proactively mitigate risks and enhance their security posture. It serves as a valuable resource for organizations seeking to bolster their cyber defenses and protect critical assets from increasingly dangerous attacks.

Evolution of the framework over time

The CIS framework has evolved significantly over time to adapt to the changing landscape of cyber threats. Originally developed by the SANS Institute, the controls were then refined and enhanced through collaboration with public and private sector organizations. Ownership and maintenance of the controls have since been transferred to the Center for Internet Security (CIS), a non-profit organization dedicated to cybersecurity.

One key development in the framework is the introduction of implementation groups (IG1, IG2, and IG3). These groups provide a simplified and consistent approach to implementing the controls based on an organization's size, resources, and risk profile. This allows organizations to focus on the specific controls that are most relevant to their needs, ensuring a more efficient and effective cybersecurity posture.

A notable aspect of the CIS framework is its emphasis on measurable actions. Instead of providing abstract guidance, the controls offer specific actions that organizations can take to improve their security posture. Additionally, the framework utilizes plain English, making it accessible to a broader range of users, even those without extensive technical expertise.

The 20 critical security controls

The 20 Critical Security Controls (CSC) is a set of prioritized actions developed by the Center for Internet Security (CIS) that organizations can implement to improve their overall cybersecurity posture. These controls are based on real-world attacks, common attack techniques, and the knowledge of security professionals, making them a valuable resource for organizations looking to enhance their cyber defenses. The controls cover a wide range of areas, including secure configuration, continuous vulnerability assessment and remediation, advanced malware defenses, application software security, and more. By implementing these controls, organizations can mitigate security weaknesses, reduce the attack surface, and effectively defend against a variety of cyber threats. The 20 CSC provide a comprehensive and practical approach to addressing the most critical security risks faced by organizations today, ensuring that they are equipped to effectively detect, respond to, and recover from security incidents.

Control 1 – inventory and control of software assets

Control 1 of the CIS (Center for Internet Security) framework focuses on the inventory and control of software assets. This control is crucial in preventing security risks and vulnerabilities within an organization.

One of the key practices of this control is identifying and documenting all software assets present within the organization's network. This involves maintaining an up-to-date inventory of authorized software, including applications, operating systems, and firmware. By having a clear understanding of the software assets, organizations can effectively manage and secure them.

Another important aspect of this control is the removal of outdated or vulnerable software. Regularly updating and patching software is essential for addressing known security vulnerabilities and reducing the risk of exploitation. This practice ensures that the organization's software assets are kept secure and protected against cyber threats.

To aid in the management of software assets, organizations can leverage automated tracking tools. These tools streamline the process of inventorying and controlling software assets by providing real-time visibility and monitoring. They help identify unauthorized or unmanaged software, ensuring that the organization's software environment is secure and well-maintained.

Control 3 – continuous vulnerability management

Control 3 - Continuous Vulnerability Management, is a critical aspect of the CIS framework that emphasizes the continuous acquisition, assessment, and remediation of vulnerabilities within an organization's network.

In today's rapidly evolving threat landscape, new vulnerabilities are constantly being discovered. It is crucial for organizations to stay vigilant and address these vulnerabilities promptly. By continuously monitoring for new information on vulnerabilities, organizations can proactively identify and remediate weaknesses in their systems, reducing the risk of compromise.

Implementing continuous vulnerability management allows organizations to regularly conduct vulnerability assessments, which involve scanning their network devices, operating systems, and applications for known vulnerabilities. This process enables organizations to gain real-time visibility into their risk profile and take appropriate measures to mitigate threats.

Without effective vulnerability management, organizations are at a significant risk of compromise. Cybercriminals actively exploit vulnerabilities to launch attacks, such as malware infections, unauthorized access, and phishing campaigns. By proactively addressing vulnerabilities, organizations can significantly reduce their attack surface and strengthen their security posture.

Continuous vulnerability management relies on regular security updates, patching, and robust change management processes. It requires organizations to have dedicated security teams or security professionals who are responsible for monitoring and addressing vulnerabilities. By prioritizing vulnerability remediation, organizations can effectively defend against cyber threats and maintain a strong security posture.

Control 4 – controlled use of administrative privileges

Control 4 in the CIS (Center for Internet Security) framework focuses on the controlled use of administrative privileges within an organization's systems. This control is vital for ensuring the security of critical assets and reducing the risk of unauthorized access.

The principle of least privilege is a key aspect of Control 4. It states that individuals should only be granted the administrative privileges necessary to perform their specific job functions. By adhering to this principle, organizations can minimize the potential for privilege misuse and limit the impact of a security incident.

Implementing access control methods is essential to track, prevent, and correct the use of administrative privileges. These methods can include the use of strong passwords, multi-factor authentication, and regularly reviewing privileges to remove any unnecessary access. Additionally, organizations should have a robust system in place to log and monitor administrative activities, allowing for prompt identification and response to any suspicious or unauthorized actions.

The risk of abuse of administrative privileges by attackers cannot be underestimated. Cybercriminals often target individuals with administrative privileges as a means to gain unauthorized access to sensitive systems and data. Social engineering tactics, such as phishing attacks, are frequently used to deceive administrators into revealing their credentials or granting access to malicious actors.

By implementing Control 4 and ensuring the controlled use of administrative privileges, organizations can minimize the risk of privilege misuse and unauthorized access. It is crucial for organizations to regularly review and update their access control measures to stay ahead of potential security threats and maintain a strong security posture.

Control 5 – secure configurations for network devices such as firewalls, routers, and switches

Control 5 of the Center for Internet Security (CIS) framework focuses on secure configurations for network devices like firewalls, routers, and switches. Secure configuration is vital for the protection of network infrastructure as default configurations often have vulnerabilities that can be exploited by attackers.

Default configurations of network devices often come with open ports, weak security settings, and default passwords. Attackers can leverage these vulnerabilities to gain unauthorized access, bypass security controls, or launch attacks on the network. Implementing secure configurations minimizes the attack surface and reduces the risk of potential breaches.

To actively manage the security configuration of network devices, organizations should utilize various tools and procedures. These include:

  1. Configuration Management Tools – Organizations can use tools like change management systems or configuration management databases to manage and track the configurations of network devices. These tools help ensure consistency, enforce security policies, and facilitate rapid response to security incidents.
  2. Documentation and Standards – Organizations should establish and maintain documentation outlining the recommended secure configurations for network devices. This documentation should include guidelines for password management, access controls, and software updates.
  3. Regular Audits and Vulnerability Scanning – Conducting regular audits and vulnerability scans helps identify any misconfigurations or security weaknesses in network devices. This allows organizations to promptly address identified issues and maintain a secure configuration.

By implementing secure configurations for network devices, organizations can significantly enhance their overall security posture and mitigate the risk of network attacks. It is crucial to regularly review and update these configurations to ensure ongoing protection against evolving cyber threats.

Control 6 – boundary defense mechanisms

Control 6 in the CIS (Center for Internet Security) Critical Security Controls framework focuses on boundary defense mechanisms. These mechanisms are essential for maintaining the security of networks by detecting, preventing, and correcting the flow of information across networks of different trust levels.

Boundary defense mechanisms play a critical role in protecting organizations against cyber threats. Attackers often target systems with configuration and architectural weaknesses in perimeter systems, network devices, and client machines. By implementing effective boundary defense mechanisms, organizations can significantly reduce the risk of unauthorized access and potential data breaches.

These defense mechanisms include a combination of technical controls and holistic security measures. They involve the implementation of firewalls, intrusion detection systems, and intrusion prevention systems. Firewalls act as the first layer of defense by monitoring and filtering network traffic based on predefined rules. Intrusion detection systems detect malicious activities or policy violations, while intrusion prevention systems actively block or mitigate potential attacks.

Additionally, employing secure configurations and regular patch management for network devices and client machines is crucial. This ensures that known vulnerabilities are promptly addressed, reducing the potential for exploitation by attackers.

Control 7 – maintenance, monitoring and analysis of audit logs

Control 7 in the CIS framework focuses on the maintenance, monitoring, and analysis of audit logs. This control emphasizes the importance of collecting, managing, and analyzing event logs to detect suspicious activities and investigate potential security incidents.

Audit logs play a crucial role in providing a comprehensive record of events within an organization's network. They capture information about user activities, system events, and security-related incidents. By regularly maintaining and monitoring these logs, organizations can gain valuable insights into their network activity and identify any anomalies or potential security threats.

The importance of Control 7 lies in its ability to prevent attackers from hiding their location and activities within the network. By carefully analyzing audit logs, security professionals can detect any suspicious or unauthorized activities, such as unauthorized access attempts or changes to critical systems. This control enables security teams to identify and respond to security incidents promptly, reducing the window of opportunity for attackers to carry out their activities undetected.

Analyzing audit logs also helps organizations to meet compliance requirements and supports forensic investigations in the event of a security incident. By monitoring and analyzing audit logs, organizations can identify patterns of abnormal behavior and potential indicators of compromise, allowing them to take appropriate measures to protect their systems and sensitive data.

Control 8 – email and web browser protection

Control 8 – email and web browser protection is a crucial component of the CIS Framework as it focuses on securing two of the most common vectors of attack. These attack vectors, namely email and web browsing, are frequently exploited by cybercriminals to deliver malware, execute phishing attacks, or gain unauthorized access to sensitive information.

Implementing email and web browser protection involves deploying technical controls that aim to block malicious URLs and file types. By utilizing advanced filtering techniques and blacklist databases, organizations can effectively prevent employees from accessing known malicious websites and downloading potentially harmful files. Additionally, organizations should regularly update and patch their email client and web browser applications to ensure they have the latest security features and fixes.

However, technical controls alone are not sufficient. To establish a strong defense against email and web-based threats, organizations must also prioritize organization-wide security training. This training should educate employees about best practices for safe browsing, recognizing phishing emails, and handling suspicious attachments. By fostering a culture of cyber hygiene across the organization, employees become an active line of defense against email and web browser-related attacks.

By implementing Control 8, organizations can significantly reduce the risk posed by these common attack vectors, protecting their systems, data, and reputation.

Control 9 – malware defenses

Control 9 of the CIS framework focuses on implementing malware defenses to prevent or manage the installation, execution, and spread of malicious software within an organization. Malware is a significant cyber threat that can infiltrate systems through various entry points such as phishing emails, malicious websites, or unauthorized downloads.

To effectively defend against malware, organizations should implement a combination of technical and procedural safeguards. Centrally managing behavior-based anti-malware and signature-based tools is crucial for robust protection. Behavior-based tools can detect and block suspicious activities, while signature-based tools can identify known malware based on specific patterns. Automatic updates for these tools are essential as they ensure the latest definitions and detection capabilities are in place.

Controlling the presence of malicious code is another vital aspect of malware defense. This can be achieved by implementing strong endpoint security measures, such as regularly scanning and patching operating systems and software applications. Additionally, organizations should enforce strict policies regarding the installation of unauthorized or unvetted software.

It is also essential to educate employees about safe online practices and the potential risks associated with malware. Regular training sessions can help employees identify phishing emails, avoid malicious websites, and exercise caution when downloading files from the internet. Creating a culture of cybersecurity awareness among the workforce can significantly contribute to the overall defense against malware threats.

Control 10 – limitation and control of network ports, protocols and services

Control 10 within the CIS (Center for Internet Security) framework focuses on the limitation and control of network ports, protocols, and services. This control is of crucial importance in minimizing vulnerabilities for potential attackers. By implementing strict controls, organizations can significantly reduce their attack surface and limit the opportunities for exploitation.

Network services can often serve as entry points for attackers, making them prime targets for exploitation. Examples of commonly vulnerable network services include FTP (File Transfer Protocol), Telnet, and outdated versions of web servers or database systems. These services, if not properly managed, can expose organizations to various cyber threats.

In the latest version 8 of the CIS framework, a new addition has been made with Control 12, which emphasizes the need for active management of network devices to mitigate risks. Network devices, such as routers, switches, and firewalls, play a critical role in securing an organization's network. However, if not properly managed, these devices can become potential vulnerabilities. Control 12 highlights the importance of regularly patching and updating network devices, changing default passwords, and monitoring their configurations to ensure they align with security best practices.

By effectively implementing Control 10 and embracing the new addition of Control 12, organizations can enhance their overall security posture by minimizing the risks associated with network ports, protocols, services, and the devices that control them. These controls provide a proactive approach to managing potential vulnerabilities and reducing the window of opportunity for attackers.

General thought leadership and news

A little Chat about the future of Search in the world of AI-powered GRC

A little Chat about the future of Search in the world of AI-powered GRC

Hi everyone, Greg here to give you some early insights about how 6clicks is gearing up to redefine the future of search within our software platform....

AI's impact on cybersecurity

AI's impact on cybersecurity

Discover how artificial intelligence is transforming the field of cybersecurity and enhancing protection against cyber threats.

Unleashing the Potential of Augmented Generation for GRC

Unleashing the Potential of Augmented Generation for GRC

Discover how the implementation of Augmented Generation can revolutionize Governance, Risk, and Compliance (GRC) strategies in businesses.

Press Release: Continuous control monitoring for automated security compliance

6clicks announces continuous control monitoring

6clicks, an AI-powered cyber Governance, Risk and Compliance (GRC) platform, is excited to announce that they are developing a new continuous control...

IRAP Assessed GRC Platform for Australian Government

An Overview of the IRAP Assessed GRC Platform for Australian Government

What is an IRAP Assessed GRC? An IRAP Assessed GRC platform, or Information Security Registered Assessor Program Assessed Governance, Risk, and...

Streamline compliance with 6clicks' authority gap assessment

Streamline compliance with 6clicks' authority gap assessment

Staying compliant with standards and frameworks relevant to your organization can be challenging in an ever-shifting regulatory environment. It...