The 18 CIS Critical Security Controls

Formerly the SANS Critical Security Controls (SANS Top 20), these are now officially called the CIS Critical Security Controls (CIS Controls).

CIS Controls Version 8.1 includes updated alignment to evolving industry standards and frameworks, revised asset classes and CIS Safeguard descriptions, and the addition of the “Governance” security function.


Click on the individual CIS Control for more information:


CIS Control 1: Inventory and Control of Enterprise Assets


CIS Control 2: Inventory and Control of Software Assets


CIS Control 3: Data Protection


CIS Control 4: Secure Configuration of Enterprise Assets and Software


CIS Control 5: Account Management


CIS Control 6: Access Control Management


CIS Control 7: Continuous Vulnerability Management


CIS Control 8: Audit Log Management


CIS Control 9: Email and Web Browser Protections


CIS Control 10: Malware Defenses


CIS Control 11: Data Recovery


CIS Control 12: Network Infrastructure Management


CIS Control 13: Network Monitoring and Defense


CIS Control 14: Security Awareness and Skills Training


CIS Control 15: Service Provider Management


CIS Control 16: Application Software Security


CIS Control 17: Incident Response Management


CIS Control 18: Penetration Testing

