What is the CIS 20 framework?

The CIS 20 framework, or Center for Internet Security Critical Security Controls, is a set of 20 critical security controls aimed at helping organizations strengthen their cybersecurity defenses. Organized into three categories—Basic, Foundational, and Organizational—these controls provide a structured approach to securing systems and data. By following the CIS 20, organizations can improve their ability to prevent, detect, and respond to cyber threats. The framework is widely recognized as a practical baseline for robust cybersecurity, enabling companies to protect critical assets, mitigate risk, and defend against a wide range of cyber attacks.

The three main categories of the CIS 20 Framework

Category 1: Basic controls

• Inventory and control of enterprise assets: Develop and maintain an accurate inventory of hardware and physical devices connected to the organization's network. By identifying unauthorized or unmanaged devices, organizations can reduce potential attack surfaces.
• Inventory and control of software assets: This involves identifying and monitoring all software in use within an organization. Unapproved or unpatched software can expose an organization to risks, so having visibility into software assets helps reduce vulnerabilities.
• Data protection: Secure and manage data throughout its lifecycle, ensuring that data is appropriately classified and protected against unauthorized access.
• Secure configuration of enterprise assets and software: Standardize security configurations for hardware and software, reducing potential vulnerabilities from unnecessary services or settings.
• Account management: Manage user accounts, especially those with privileged access, to ensure that only authorized users can access sensitive systems and information.

Category 2: Foundational controls

• Email and web browser protections: Protect against malware, phishing, and other web-based attacks by securing email gateways, web browsers, and ensuring safe browsing practices.
• Malware defenses: Implement antivirus and anti-malware solutions that can detect, respond to, and remove malicious software across enterprise assets.
• Limitation and control of network ports, protocols, and services: Restrict access to only the necessary network services and ports, reducing the risk of attacks on open, unsecured ports.
• Data recovery capability: Implement robust backup solutions and regularly test recovery capabilities to ensure critical data can be restored in the event of a cyber incident.
• Secure configuration for network devices: Apply secure settings to firewalls, routers, and other network devices to reduce vulnerabilities in network infrastructure.
• Boundary defense: Deploy measures to control data flow across network boundaries, detecting and blocking suspicious activities at external and internal perimeters.
• Data protection: Classify, label, and protect sensitive data, especially when it is in transit, ensuring that data is encrypted and handled securely.

Category 3: Organizational controls

• Security awareness and skills training: Educate employees and staff on security best practices, helping them recognize and respond to potential security threats, such as phishing.
• Application software security: Implement secure development practices, ensuring that applications are developed with security in mind and regularly tested for vulnerabilities.
• Incident response management: Develop, document, and test incident response plans to effectively handle security incidents, from identification to remediation and recovery.
• Penetration testing: Conduct simulated attacks to test the security of systems and networks, identifying weaknesses that need to be addressed.
• Control of access based on the need to know: Apply principles of least privilege, ensuring that employees have access only to information and resources necessary for their roles.
• Audit log management: Maintain, protect, and regularly review audit logs to detect potential security incidents and maintain a record of activities for forensic and compliance purposes.

Each category plays a critical role in a layered defense strategy. Basic controls provide a quick boost in security, foundational controls enhance operational defenses, and organizational controls sustain and guide the security program over the long term. Together, these categories help organizations build a comprehensive approach to cybersecurity.

Summary

The CIS 20 framework is a set of 20 critical security controls designed to help organizations improve cybersecurity. Divided into three categories—Basic, Foundational, and Organizational—the framework provides a structured approach to securing assets, reducing risks, and building resilience against cyber threats. Basic controls establish core security practices like asset inventory and secure configurations, Foundational controls focus on proactive defenses such as malware protection and data recovery, and Organizational controls strengthen governance through policies and training. Together, these categories enable organizations to develop a comprehensive, layered defense strategy.