The 18 CIS Critical Security Controls
A comprehensive listing and description of the 18 CIS Critical Security Controls, ranging from enterprise asset inventory to incident response management. Each control includes specific safeguards and procedures.
The 18 CIS Critical Security Controls (often referred to as CIS Controls v8) represent a prioritized, highly prescriptive set of cybersecurity best practices designed to defend against the most common and dangerous cyber threats. Unlike broader, process-oriented frameworks, the CIS Controls focus on actionable technical measures that organizations can implement to secure their environments immediately.
For a higher-level context on the CIS ecosystem, see the CIS Critical Security Controls v8 Overview.
Anatomy of a Control
Each of the 18 controls is broken down into specific Safeguards (formerly known as sub-controls). These safeguards define the exact procedures, tools, and configurations required to satisfy the control.
To help organizations prioritize their efforts, safeguards are assigned to CIS Implementation Groups (IGs): IG1, IG2, and IG3. The groups are cumulative. IG1 (56 of the 153 safeguards in v8) is the essential cyber hygiene that CIS recommends every enterprise implement, and is sized for organizations with limited IT and security expertise; IG2 adds safeguards for enterprises with more complex environments and dedicated security staff; IG3 adds the remaining safeguards for mature organizations that must defend against targeted attacks. Every safeguard is also tagged with an Asset Type (Devices, Applications, Data, Users, Network, or Documentation) and with one of the core security functions (Identify, Protect, Detect, Respond, Recover), which makes it straightforward to map safeguards onto the NIST Cybersecurity Framework.
Summary of the 18 Controls
The controls are logically structured, starting with foundational asset and identity management and scaling up to offensive testing and incident response. The 18 controls are:
- Control 01: Inventory and Control of Enterprise Assets: Actively manages (inventories, tracks, corrects) every end-user device, network device, IoT device, and server that connects to the infrastructure, so the organization knows what it must defend and can find unauthorized assets.
- Control 02: Inventory and Control of Software Assets: Maintains an inventory of installed software, ensures only authorized software is installed and can execute, and removes unauthorized or unsupported software.
- Control 03: Data Protection: Establishes processes to identify, classify, securely handle, retain, and dispose of data, including encrypting sensitive data at rest and in transit and logging access to it.
- Control 04: Secure Configuration of Enterprise Assets and Software: Establishes and maintains hardened configurations for devices, operating systems, and applications (for example using the CIS Benchmarks), replacing vendor default settings.
- Control 05: Account Management: Manages the lifecycle of user, administrator, and service accounts, including maintaining an account inventory, disabling dormant accounts, and restricting administrator privileges to dedicated accounts.
- Control 06: Access Control Management: Defines and maintains role-based access, validates privileges, and centralizes access control through directory services or SSO providers.
- Control 07: Continuous Vulnerability Management: Requires developing a plan to continuously assess and track vulnerabilities across all enterprise assets to minimize the window of opportunity for attackers.
- Control 08: Audit Log Management: Collects, alerts on, reviews, and retains audit logs of events that can help detect, understand, or recover from an attack, with logs forwarded to centralized storage and clocks synchronized across sources.
- Control 09: Email and Web Browser Protections: Defends against attacks delivered via email and the web, including using only supported browsers and email clients, DNS filtering, blocking unnecessary file types at the email gateway, and deploying DMARC to limit spoofing.
- Control 10: Malware Defenses: Focuses on the deployment of centrally managed, behavior-based anti-malware software, automatic signature updates, and disabling auto-execute features for removable media.
- Control 11: Data Recovery: Mandates practices sufficient to restore assets to a pre-incident state. This includes performing automated backups, maintaining isolated instances of recovery data, and routinely testing data recovery.
- Control 12: Network Infrastructure Management: Secures physical and virtual network devices (firewalls, routers, gateways) by removing default, insecure configurations and proactively managing network access points.
- Control 13: Network Monitoring and Defense: Requires centralized security event alerting, host- and network-based intrusion detection, and traffic filtering between network segments so that anomalies and potential breaches are detected across the enterprise network.
- Control 14: Security Awareness and Skills Training: Ensures users and administrators understand their security responsibilities, including recognizing social engineering and phishing, handling data safely, and role-specific training for staff in security-sensitive positions.
- Control 15: Service Provider Management: Inventories and classifies third-party providers that hold sensitive data or run critical functions, evaluates and monitors their security posture, and securely decommissions them when the relationship ends.
- Control 16: Application Software Security: Manages the security lifecycle of acquired and developed software, including a secure development process, an inventory of third-party components, vulnerability handling, and application-level penetration testing.
- Control 17: Incident Response Management: Prepares the enterprise to quickly discover, contain, and recover from an active breach, with designated incident handlers, reporting procedures and contact lists, and periodic exercises to test the plan.
- Control 18: Penetration Testing: Validates the overall effectiveness of the organization's security posture through simulated attacks, with external and internal penetration tests performed on a defined program and findings remediated.
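Control 11 requires more than taking backups: it requires keeping an isolated copy and proving that the copy can actually be restored. The following is an added example (illustrative code, not CIS material) that backs up a directory tree into a tar archive alongside a JSON manifest of SHA-256 digests, then runs an automated restore test that extracts into a scratch directory and compares every restored file to the manifest. It also simulates silent media corruption of one member to show that the restore test catches it. The archive and manifest file names, the tar-plus-JSON format, and the sample files are assumptions made for the example.

```python
"""Backup with an integrity manifest plus an automated restore test.

Added example for Control 11 (Data Recovery); illustrative code, not CIS
material. The archive format (tar + JSON manifest of SHA-256 digests),
the file names and the sample data are assumptions."""
import hashlib
import io
import json
import shutil
import tarfile
import tempfile
from pathlib import Path

ARCHIVE_NAME = "backup.tar"             # assumed file name
MANIFEST_NAME = "backup.manifest.json"  # assumed file name


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> Path:
    """Archive every regular file under `source` and record its SHA-256.
    The manifest is what later restore tests are checked against, so in
    practice it and the archive belong on an isolated (ideally immutable) copy."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    with tarfile.open(dest / ARCHIVE_NAME, "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest / ARCHIVE_NAME


def restore_test(backup: Path) -> dict:
    """Restore into a scratch directory and verify every file against the manifest.
    'ok' is True only if nothing is missing, corrupted or unexpected."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    restored = {}
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp).resolve()
        with tarfile.open(backup / ARCHIVE_NAME, "r") as tar:
            for m in tar.getmembers():
                if not m.isfile():
                    continue
                target = (scratch / m.name).resolve()
                # Refuse archive entries that would escape the scratch directory.
                if scratch not in target.parents:
                    raise ValueError(f"unsafe path in archive: {m.name!r}")
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(m) as src, target.open("wb") as dst:
                    shutil.copyfileobj(src, dst)
                restored[m.name] = sha256_file(target)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(n for n in manifest if n in restored and restored[n] != manifest[n])
    return {"ok": not (missing or extra or corrupted),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def tamper(archive: Path, name: str) -> None:
    """Simulate silent media corruption by inverting one member's bytes.
    The tar header checksum covers only the header, so the archive still reads."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(archive, "r") as src, tarfile.open(tmp, "w") as dst:
        for m in src.getmembers():
            data = src.extractfile(m).read()
            if m.name == name:
                data = bytes(b ^ 0xFF for b in data)
            dst.addfile(m, io.BytesIO(data))
    tmp.replace(archive)


def demo() -> tuple:
    """Build a constructed source tree, back it up, run a clean restore test,
    then corrupt one member and run the test again. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest = root / "data", root / "backup"
        (src / "db").mkdir(parents=True)
        (src / "config.yaml").write_text("listen: 127.0.0.1:8443\n")  # constructed sample data
        (src / "db" / "users.sqlite").write_bytes(bytes(range(256)) * 4)  # constructed sample data
        create_backup(src, dest)
        clean = restore_test(dest)
        tamper(dest / ARCHIVE_NAME, "db/users.sqlite")
        damaged = restore_test(dest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup:", clean)
    print("after corruption:", damaged)
```

The restore test deliberately extracts rather than hashing archive members in memory, because a recovery exercise should prove the restore path end to end; the path check on each member is there because a restore from tampered or untrusted media must not be allowed to write outside the scratch directory. Scheduling this test and alerting on a non-empty `missing` or `corrupted` list is the routine recovery testing the control calls for.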
Integration with the Broader Security Ecosystem
The 18 CIS Controls serve as a tactical roadmap that plugs into wider governance and risk management programs. Organizations frequently map their implemented CIS Safeguards to higher-level compliance standards, and CIS publishes official mappings to frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001, and PCI DSS for this purpose. For more information on how these controls fit alongside other industry standards, review the Cybersecurity Frameworks Overview.