Practical. Pragmatic. Prioritized … It could be the slogan for a new consumer product, but it’s actually a concise summary of the qualities embedded in the CIS Controls. The CIS Controls are an international security standard consisting of 18 main controls and 153 safeguards that guide businesses step by step, technology by technology, and responsibility by responsibility through the complex task of IT security.
Their concrete and highly applicable nature in daily operations sets the CIS Controls apart from similar security frameworks. When a CIS Control specifies that a company should implement a particular security measure, the company does not need to interpret how to execute, prioritize, or integrate it with other controls—it’s all clearly outlined. The controls are divided into three implementation groups based on the organization’s maturity level, available resources, access to security expertise, and risk profile. Overall, the CIS Controls function more like a playbook than a traditional framework, offering clear guidance on how to move from point A to point B and so on. Once all the controls in a CIS security program are implemented, security leaders can be confident that they have followed a structured, tested, and logical plan, which brings peace of mind.
Hackers are constantly developing new attack methods. The market is flooded with security products, and vendors are eager to implement them. This complexity can make the task of IT security seem overwhelming. That’s why businesses need a tool that helps them focus on what’s necessary—nothing more, nothing less.
This white paper provides an introduction to the methodology behind the CIS Controls. It begins by comparing the CIS Controls, NIST, and ISO security standards. It then argues why the CIS Controls are well-suited as a reporting and communication tool when engaging with senior leadership. Next, the white paper delves into the structure of the 18 main controls, 153 safeguards, and three implementation groups. Finally, it concludes with a brief overview of Conscia’s Security Assessment, which is based on CIS Control principles and aims to identify strengths and weaknesses in a company’s current security setup, including recommendations for concrete improvements.