The 18 CIS Critical Security Controls

Formerly the SANS Critical Security Controls (the "SANS Top 20"), these are now officially called the CIS Critical Security Controls (CIS Controls).

CIS Controls Version 8 consolidates the Controls by activity rather than by who manages the devices. Physical devices, fixed network boundaries, and discrete islands of security implementation matter less in modern environments; v8 reflects this through revised terminology and a regrouping of the Safeguards, which reduces the number of Controls from 20 to 18.

The 18 Controls in Version 8 are:

CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing