Skip to content

What are the three main categories of the CIS 20 framework?

Explore some of our latest AI related thought leadership and research

6clicks has been built for cybersecurity, risk and compliance professionals.

Learn more about our Hub & Spoke architecture, Hailey AI engine and explore the other content in our platform here

Developing responsible AI management systems through the ISO/IEC 42001 standard

Using artificial intelligence has propelled global economic growth and enriched different aspects of our lives. However, its ever-evolving nature and...

Incorporating Generative AI into Cybersecurity: Opportunities, Risks, and Future Outlook

Key Takeaways Generative AI is a branch of artificial intelligence that focuses on creating new content with human-like creativity. The rise of...

Understanding RAG: Retrieval-Augmented Generation Explained

Natural Language Processing (NLP) has come a long way in the past few decades. With the goal of enabling more efficient communication between humans...

Responsible AI is here to stay

Artificial Intelligence (AI) and Machine Learning (ML) continue to be a much talked about topic since the release of ChatGPT last year but also well...

Responsible AI in risk management: Diving into NIST’s AI Risk Management Framework

Artificial intelligence has since changed the way we use technology and interact with organizations and systems. AI solutions such as automation and...

The Imperative of Governance to Achieving Responsible AI

AI brings many opportunities to businesses and we can see the AI boom across different industry verticals. However, it also questions who would be...


What is the CIS 20 framework?

The CIS 20 framework, also known as the Center for Internet Security Critical Security Controls, is a set of best practices and guidelines designed to help organizations improve their cybersecurity posture. It provides a comprehensive list of 20 key controls that organizations should prioritize in order to protect their critical assets from cyber threats. These controls are divided into three main categories: Basic Controls, Foundational Controls, and Organizational Controls. By implementing and properly maintaining these controls, organizations can establish a strong cybersecurity foundation, enhance their ability to detect and respond to security incidents, and mitigate security risks. The CIS 20 framework is a widely recognized and respected set of standards, serving as a baseline for cybersecurity programs and helping security professionals effectively defend against a wide range of common attacks and security weaknesses.

The three main categories of CIS 20

The CIS 20 (Center for Internet Security) framework is a set of 20 security controls that serve as a foundation for building an effective cybersecurity program. These controls are organized into three main categories: security and risk management, asset management, and access control management.

  1. Security and Risk Management: This category focuses on the identification, assessment, and mitigation of security risks. It includes controls related to security policies, risk assessment, vulnerability management, awareness and training, and security monitoring. By implementing these controls, organizations can establish a strong security posture, proactively identify and manage potential threats, and effectively respond to security incidents.
  2. Asset Management: This category emphasizes the importance of knowing and managing all assets within an organization's IT infrastructure. It includes controls for asset inventory and management, software and hardware asset use policies, and data classification and protection. By effectively managing assets, organizations can reduce the attack surface, ensure timely security updates, and minimize the impact of security weaknesses.
  3. Access Control Management: This category pertains to establishing and maintaining appropriate access controls to protect critical systems and data. It includes controls for identity and access management, authentication, authorization, and continuous monitoring. By implementing robust access controls, organizations can prevent unauthorized access, minimize the risk of insider threats, and maintain the integrity and confidentiality of sensitive information.

These three categories form the foundation of a comprehensive cybersecurity program, providing organizations with a structured approach to addressing security risks and protecting their critical assets. Adhering to the CIS 20 framework helps security professionals ensure that security controls are effectively implemented and continuously improved to mitigate cyber threats.

Category 1: security and risk management

In today's digital landscape, organizations face a multitude of security risks and threats that constantly evolve and become more sophisticated. To effectively protect their systems and data, organizations must prioritize security and risk management. This category of the CIS 20 framework focuses on the identification, assessment, and mitigation of security risks. It encompasses a range of controls related to security policies, risk assessment, vulnerability management, awareness and training, and security monitoring. By implementing these controls, organizations can establish a strong security posture, proactively identify and manage potential threats, and effectively respond to security incidents. This category forms the foundation for a comprehensive cybersecurity program, ensuring that organizations have the necessary measures in place to safeguard their critical assets and maintain a secure environment.

Establishing an information security policy

Establishing an Information Security Policy in the CIS 20 Framework

In the ever-evolving landscape of cybersecurity threats, organizations need to have a robust information security policy in place. This policy serves as a guiding framework for implementing security controls and practices to protect critical assets and mitigate potential risks. The CIS 20 Framework provides a comprehensive set of guidelines and best practices to help organizations establish and maintain a strong security posture.

The importance of having an information security policy cannot be overstated. It serves as a foundation for developing a cybersecurity program that aligns with the organization's goals and objectives. A clear and comprehensive policy ensures that security efforts are well-defined, consistent, and aligned with industry standards.

An information security policy outlines the roles and responsibilities of the security team, defines acceptable use policies for network and mobile devices, establishes guidelines for secure configurations of operating systems and software assets, and sets requirements for incident response and vulnerability assessment. By addressing these aspects, organizations can enhance their security posture and effectively protect their critical assets.

Moreover, an information security policy helps organizations identify and address security weaknesses and vulnerabilities. It provides guidance on implementing basic controls such as malware defenses, integrity protection, and secure configurations for network infrastructure devices. It also establishes measures to prevent unauthorized access, phishing attacks, and other dangerous attacks.

Stakeholder engagement and communication

Stakeholder engagement and communication play a crucial role in any organization's cybersecurity strategy. One key aspect of this is educating employees about cybersecurity threats, specifically social engineering and phishing.

Social engineering and phishing are tactics used by cybercriminals to manipulate individuals and gain unauthorized access to sensitive information or networks. By educating employees about these threats, organizations can empower them to recognize and respond to suspicious activities, ultimately reducing the organization's vulnerability to exploits.

Training programs should be implemented to educate employees about the various forms of social engineering and phishing, including email scams, phone calls posing as legitimate organizations, or even in-person attempts to gain unauthorized access. Employees should be trained to identify phishing emails by checking for suspicious links, misspellings, or requests for sensitive information. They should also be advised on best practices for creating strong passwords and regularly updating them.

Additionally, organizations should communicate the potential consequences of falling victim to social engineering or phishing attacks, such as data breaches, financial losses, or reputational damage. By highlighting these risks, employees are more likely to remain vigilant and actively contribute to the organization's overall cybersecurity posture.

Regulatory and legal compliance requirements

Regulatory and legal compliance requirements play a crucial role in establishing an information security policy within the CIS 20 framework. These requirements ensure that organizations meet the necessary standards and guidelines to protect sensitive information and maintain the confidentiality, integrity, and availability of data.

Stakeholder engagement and communication are essential components of regulatory and legal compliance. Organizations must involve key stakeholders, including employees, customers, and partners, in the development and implementation of the information security policy. Regular communication channels should be established to keep stakeholders informed about security measures, policies, and any updates or changes.

Allocating appropriate resources for security program management is another critical aspect of regulatory and legal compliance. Resources such as manpower, technology, and financial investments need to be allocated to effectively manage and enforce the information security policy. This includes incorporating security controls, conducting risk assessments, and implementing security awareness programs.

Adhering to industry-specific regulations is also essential. The CIS 20 framework complements industry-specific regulations like NIST 800-53, PCI DSS, FISMA, and HIPAA. These regulations outline specific requirements and best practices for information security and data protection. Organizations must ensure that their information security policy aligns with these regulations to achieve compliance and avoid penalties or legal consequences.

Appropriate resources for security program management

Appropriate resources for security program management are crucial for the effective defense of an organization against cyber threats. It is essential to have individuals with the necessary knowledge, skills, and abilities to handle and mitigate security risks.

Having a team with expertise in various areas of cybersecurity is vital. These professionals should be knowledgeable about common attacks, security configurations, malware defenses, vulnerability assessments, incident response, and other critical security controls. Their skills should encompass areas such as network infrastructure devices, mobile devices, operating systems, and wireless access controls. Their abilities should extend to the identification and assessment of security weaknesses and the implementation of secure configurations.

To ensure that the organization has the required resources, it is crucial to assess and identify any gaps in security expertise. This can be achieved through regular audits and evaluations of the security team's capabilities. By conducting such assessments, organizations can determine areas where additional training or recruitment is needed.

Addressing these gaps can be done through various means, such as policy development, strategic planning, targeted training programs, and security awareness initiatives. Security frameworks like the CIS 20 provide guidance on the necessary knowledge, skills, and abilities required for effective security program management.

By allocating the appropriate resources and addressing gaps in security expertise, organizations can strengthen their security posture and effectively defend against cyber threats.

Category 2: asset management

Effective asset management is crucial for cybersecurity. This category focuses on identifying and managing an organization's critical assets, including hardware, software, and data. It involves maintaining an accurate inventory of these assets, ensuring they are properly classified and tagged, and establishing processes for their secure acquisition, use, and disposal. Asset management also includes implementing controls to protect assets from unauthorized access, ensuring that all assets are scanned and patched regularly for vulnerabilities, and monitoring and tracking asset usage throughout their lifecycle. By effectively managing assets, organizations can mitigate security risks and ensure the confidentiality, integrity, and availability of their critical resources.

Inventory of assets

In the CIS 20 framework, maintaining an inventory of assets is a crucial component of a strong cybersecurity program. Assets include hardware, software, and data that are essential to an organization's operations. It is important to note that assets are dynamic in nature, constantly changing as new devices and software are added or removed from an organization's network.

By having an accurate and up-to-date inventory of assets, organizations can effectively manage their attack surfaces. Attack surfaces refer to all the possible points in a system or network where an attacker can exploit vulnerabilities. With a comprehensive inventory, security teams can identify all the devices and software present in the network and ensure that each one is adequately protected against potential threats.

Additionally, a thorough inventory of assets helps identify any unauthorized devices that may have been added to the network. These unauthorized devices pose a significant risk as they may not adhere to secure configurations, making them susceptible to attacks or serving as entry points for attackers. By removing such devices, organizations can significantly reduce their risk exposure and strengthen their overall security posture.

Data classification and labeling

Data classification and labeling play a crucial role in the CIS 20 framework as they help organizations effectively manage and protect their sensitive information. The process of data classification involves categorizing data based on its sensitivity, value, and regulatory requirements. By classifying data, organizations can prioritize their security efforts and allocate appropriate resources to safeguarding different types of information.

Once data is classified, it is important to label it accordingly to ensure proper handling and protection. Labels can indicate the level of sensitivity, access rights, and any applicable data protection requirements. For example, confidential data may be labeled as 'restricted access' or 'confidential' to alert users about the need for additional security measures when accessing or transmitting such information.

Organizations must also use appropriate processes and tools to eliminate data exfiltration risks while maintaining the integrity of sensitive information. This involves implementing strong access controls, monitoring data transfers, and conducting regular audits to detect any unauthorized attempts to access or transfer sensitive data. By employing encryption techniques, organizations can protect data during transit and ensure that only authorized recipients can access it.

Furthermore, implementing integrity protection measures helps to verify the accuracy and completeness of data throughout its lifecycle. This includes implementing mechanisms such as checksums or digital signatures to detect any unauthorized modifications or tampering.

To prevent data loss, organizations can employ data loss prevention (DLP) techniques. This involves using tools and technologies that monitor and control the flow of information within the network. DLP solutions can prevent sensitive data from being transferred outside the organization's authorized network or stored on unauthorized devices.

Change control

Change control is a crucial concept within the CIS 20 framework, which is a set of 20 critical security controls developed by the Center for Internet Security (CIS) to help organizations improve their cybersecurity posture. Change control refers to the process of managing and controlling changes to an organization's IT systems, networks, applications, and other related components.

The importance of change control cannot be overstated when it comes to maintaining an organization's cyber-health and preventing unauthorized access to the network. Without proper change control processes in place, unauthorized changes can be made to critical systems, configurations, or software, which can introduce vulnerabilities and compromise security. Additionally, inadequate change control can lead to disruptions or outages, negatively impacting business operations.

Implementing effective change control practices involves several steps. Firstly, organizations must establish a formal change control policy that outlines the process and guidelines for requesting, reviewing, approving, implementing, and documenting changes. This policy should define roles and responsibilities, specify change categories, and set criteria for emergency changes.

Next, organizations should establish a change advisory board (CAB), consisting of representatives from various departments, to review and approve proposed changes. The CAB ensures that changes are thoroughly evaluated, risks are assessed, and appropriate controls are in place to mitigate any potential negative impact on security or operations.

Proper documentation is also essential in change control. Organizations should maintain records of change requests, approvals, implementation details, and post-change reviews. These records can help track changes, identify trends, and facilitate auditing and compliance efforts.

Regular monitoring and evaluation of changes also play a vital role in effective change control. Organizations should establish mechanisms to monitor the implementation and impact of changes, ensuring that they are successfully deployed and do not introduce any unforeseen vulnerabilities.

Category 3: access control management

Access control management is a critical component of any organization's cybersecurity program. It encompasses the processes, policies, and technologies used to manage and control access to systems, data, and resources. Proper access control management ensures that only authorized individuals have the necessary privileges to access sensitive information, minimizing the risk of data breaches or unauthorized activities. This category of the CIS 20 framework focuses on establishing and maintaining effective access control measures, such as strong authentication mechanisms, user account management, access control policies, and monitoring and auditing capabilities. By implementing robust access control management practices, organizations can significantly enhance their security posture and protect their critical assets from unauthorized access or misuse.

Identification and authentication controls

Identification and authentication controls are a crucial component of the CIS 20 framework, as they play a pivotal role in preventing unauthorized access and protecting sensitive information. These controls verify the identity of users, systems, and devices attempting to access critical assets, ensuring that only authorized individuals can gain entry.

One of the primary measures that should be implemented is the use of strong passwords. Passwords should be unique, complex, and regularly updated to mitigate the risk of brute force attacks. Additionally, multi-factor authentication (MFA) should be enforced, requiring users to validate their identity through multiple means such as a password and a unique code sent to their mobile device.

Session timeouts are another important measure to consider. This control automatically logs users out of their accounts after a specified period of inactivity, reducing the risk of unauthorized access if a device is left unattended. This ensures that even if someone gains physical access to a device, they won't be able to access sensitive information without re-authenticating.

By implementing identification and authentication controls, organizations can significantly enhance their security posture and reduce the likelihood of unauthorized access. These measures not only protect sensitive information but also provide assurance to customers and stakeholders that their data is being handled with utmost care and diligence. In an era where cyber threats are increasingly prevalent, strong passwords, multi-factor authentication, and session timeouts are critical security controls that should be prioritized within any cybersecurity program.

Access control administration and maintenance

Access control administration and maintenance is a crucial aspect of cybersecurity that focuses on controlling user privileges and limiting access rights to reduce the attack surface. By effectively managing and securing access to systems and data, organizations can significantly enhance their overall security posture and reduce the risk of unauthorized access or data breaches.

Control 06 of the CIS Controls framework combines controls 4 and 14 and provides comprehensive guidance on access control administration and maintenance. This control emphasizes the importance of establishing an access granting process that includes the principle of least privilege. Implementing the principle of least privilege ensures that users are granted only the necessary access rights required to perform their tasks, minimizing the potential impact of unauthorized access or misuse of privileges.

Another key practice highlighted in Control 06 is the implementation of multifactor authentication (MFA). By requiring users to authenticate through multiple means, such as a password and a unique code sent to their mobile device, MFA adds an extra layer of security and significantly reduces the risk of unauthorized access even if a password is compromised.

Maintaining a comprehensive system inventory is also crucial in access control administration and maintenance. By keeping track of all authorized devices and ensuring that they are properly protected with security configurations, organizations can detect and mitigate potential vulnerabilities or risks more efficiently.

Secure network design and architecture

Secure network design and architecture play a crucial role in the CIS 20 framework, which focuses on implementing critical security controls to protect organizations against common attacks and cyber threats. A key aspect of the framework is the prevention of attackers from exploiting vulnerable services and settings, which can be effectively addressed through secure network design.

Designing and implementing a secure network infrastructure is of utmost importance to safeguard critical assets and maintain a strong security posture. A well-designed network architecture ensures that security controls are effectively implemented across all network devices, including routers, switches, firewalls, and wireless access points. By following the security recommendations provided by the CIS controls, organizations can reduce their attack surface and fortify their network against dangerous attacks.

One of the key principles in secure network design is the implementation of secure configurations for network infrastructure devices. This involves configuring devices with hardened settings and disabling unnecessary services to minimize security weaknesses. Additionally, regular security updates and patches should be applied to ensure that devices are running current versions of firmware and software, reducing the risk of exploitation through known vulnerabilities.

Furthermore, network segmentation, also known as 'islands of security implementation,' plays a vital role in secure network design. By dividing the network into discreet segments and implementing appropriate access controls between them, organizations can contain potential security incidents and prevent unauthorized access to critical assets.

General thought leadership and news

From Compliance to Cybersecurity: The 6clicks Ideal Customer Profile

From Compliance to Cybersecurity: The 6clicks Ideal Customer Profile

In an era where digital threats loom larger by the day, the intersection of compliance and cybersecurity has never been more critical. For businesses...

AI Hype and GRC

Beyond the AI Hype: Crafting GRC Solutions That Truly Matter

In the relentless chase for innovation, it's easy to get caught in the dazzling allure of AI. Everywhere you turn, AI seems to be the silver bullet,...

Reflections from my time as Chief Digital Officer at KPMG

Reflections from my time as Chief Digital Officer at KPMG

Between 2016 and 2018 I held the role of Chief Digital Officer at KPMG, responsible for strategy and the development of software assets to underpin...

6clicks Partners with Microsoft to run 6clicks on Private Azure Clouds

6clicks Partners with Microsoft to run 6clicks on Private Azure Clouds

Summary 6clicks, a cyber governance, risk, and compliance (GRC) platform, has partnered with Microsoft to offer a privately hosted option of its...

6clicks Fabric - Hosted on private Microsoft Azure clouds

Empowering enterprises: Get in control with your own GRC SaaS platform-in-a-box

In today's dynamic business landscape, enterprises are constantly seeking innovative solutions to streamline their operations, improve the value they...

6clicks Fabric for GSIs: Tailoring cybersecurity GRC programs for global markets

6clicks Fabric for GSIs: Tailoring cybersecurity GRC programs for global markets

Robust cybersecurity measures and the effective and safe implementation of IT infrastructure are critical for organizations to successfully do...