Where Risks Meet Controls

By Sean Atkinson, Chief Information Security Officer, CIS

CISO blog

Using the CIS Controls to define and identify risk

The implementation of the CIS Controls is a best practice standard to help organizations align internal security controls to a consensus-based collection of cyber-risk mitigation strategies. The integration of a risk management program with the CIS Controls can define how a company identifies risk and how it can be treated. Treatment strategies come in the form of remediation steps to lower exposure to risk from vulnerabilities and threats to computer systems and business processes.

How the CIS Controls can help

CIS Controls Version 7 contains a total of 20 controls. How each CIS Control is implemented will vary by organization. To define the need for a control, a risk must be present that needs to be treated. Many organizations never identify these risks in the first place, and so the CIS Controls can provide a helpful starting point for evaluation.

By turning each of the CIS Controls into a question and analyzing your answers to each, your organization can gain major insights into its risk identification and management. Start by reviewing CIS Control 1 – Inventory of Authorized and Unauthorized Devices – as part of a risk identification exercise:

Question: Can your organization define and detail all its hardware assets? Be sure to include laptops, BYOD (Bring-Your-Own-Device) mobile devices, and printers.

Asking this question can generate additional scenarios to identify risk:

  • Are there any connected assets which are not authorized to be on your network?
  • Are all assets configured securely?
  • What role does each asset play in your organization’s processes?
  • What data is stored on each asset?

These are high-level ideas to start the conversation about risk and how to identify it. Used this way, the CIS Controls generate questions that expose gaps and weaknesses, giving your organization a basis for risk management and for the corresponding controls over its assets, data and systems.
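As an added illustration of turning Control 1 into a measurable check (example code written for this page, not a CIS tool), the script below reconciles a constructed authorized-hardware inventory against a constructed list of devices observed on the network and reports three findings that map to the questions above: unauthorized devices, inventoried assets that were not seen, and observed assets that hold sensitive data. The CSV columns, MAC addresses and classification labels are assumptions made for the example.

```python
import csv
import io

# Constructed sample data (not from CIS): the authorized hardware inventory an
# organization maintains under CIS Control 1, and the devices actually observed
# on the network (e.g. exported from DHCP leases or a switch MAC table).
AUTHORIZED_INVENTORY_CSV = """mac,hostname,owner,asset_type,data_classification
aa:bb:cc:00:00:01,lt-finance-01,finance,laptop,confidential
aa:bb:cc:00:00:02,prn-floor2,facilities,printer,internal
aa:bb:cc:00:00:03,byod-jdoe-phone,jdoe,byod-mobile,internal
aa:bb:cc:00:00:04,srv-hr-db,hr,server,restricted
"""

OBSERVED_DEVICES = [  # (mac, ip) pairs, constructed for the example
    ("AA:BB:CC:00:00:01", "10.0.1.21"),
    ("aa:bb:cc:00:00:02", "10.0.1.40"),
    ("aa:bb:cc:00:00:04", "10.0.2.5"),
    ("de:ad:be:ef:00:99", "10.0.1.77"),  # never inventoried
]


def load_inventory(csv_text):
    """Return the authorized inventory keyed by lower-cased MAC address."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].strip().lower(): row for row in rows}


def reconcile(inventory, observed):
    """Compare observed devices with the authorized inventory.

    Each finding corresponds to one Control 1 risk question:
      unauthorized   - seen on the network but absent from the inventory
      unseen         - inventoried but not observed (stale record or offline)
      sensitive_seen - observed assets recorded as holding sensitive data
    """
    seen = {mac.lower(): ip for mac, ip in observed}
    unauthorized = sorted(mac for mac in seen if mac not in inventory)
    unseen = sorted(mac for mac in inventory if mac not in seen)
    sensitive_seen = sorted(
        mac for mac in seen
        if mac in inventory
        and inventory[mac]["data_classification"] in ("confidential", "restricted")
    )
    return {"unauthorized": unauthorized, "unseen": unseen, "sensitive_seen": sensitive_seen}


if __name__ == "__main__":
    print(reconcile(load_inventory(AUTHORIZED_INVENTORY_CSV), OBSERVED_DEVICES))
```

Each non-empty list is a risk to record and treat: an unauthorized device needs investigation, an unseen asset means the inventory is stale or the asset is off-network, and the sensitive list shows where configuration and data-handling questions matter most.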

Download the CIS Controls