The 18 CIS Critical Security Controls

Formerly the SANS Critical Security Controls (SANS Top 20) these are now officially called the CIS Critical Security Controls (CIS Controls).

CIS Controls Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in a decrease of the number of Controls from 20 to 18.

Click on the individual CIS Control for more information:

 

CIS Control 1: Inventory and Control of Enterprise Assets

 

CIS Control 2: Inventory and Control of Software Assets

 

CIS Control 3: Data Protection

 

CIS Control 4: Secure Configuration of Enterprise Assets and Software

 

CIS Control 5: Account Management

 

CIS Control 6: Access Control Management

 

CIS Control 7: Continuous Vulnerability Management

 

CIS Control 8: Audit Log Management

 

CIS Control 9: Email Web Browser and Protections

 

CIS Control 10: Malware Defenses

 

CIS Control 11: Data Recovery

 

CIS Control 12: Network Infrastructure Management

 

CIS Control 13: Network Monitoring and Defense

 

CIS Control 14: Security Awareness and Skills Training

 

CIS Control 15: Service Provider Management

 

CIS Control 16: Application Software Security

 

CIS Control 17: Incident Response Management

 

CIS Control 18: Penetration Testing