"The CIS Control framework along with CIS-RAM are exactly what you need to develop organizational cyber defense capabilities, as well as conducting cyber risk assessment to make well-informed decisions about prioritization and implementation of the CIS Controls regardless of organization complexity in line with global best practices. CIS framework is easy to map with program and risk frameworks, and reverse mapping features."
Adham Etoom, PMP®, GCIH®, CRISC®, FAIR™, CISM®
Government of Jordan, NCSC
"We use the CIS Controls to help our clients achieve compliance with state and federal cybersecurity regulations. The CIS 18 are prioritized, easy to understand, and extremely cost-effective for small to mid-size organizations looking to prove they are secure enough to do business in today’s marketplace. I highly recommend starting with CIS in building your cybersecurity program."
The Long Law Firm, PLLC
"Too often, people think that CyberSecurity means making IT hard to use and stopping people from doing their jobs. I call this the “wrong security”. The CIS Controls show that good security doesn’t have to be this way. We’ve spent years applying the controls to systems in the UK Public Sector, and now are pleased to be taking this to our SMB clients."
Chief Technology Officer, UK
"The fact that the CIS Controls crosswalks to the other frameworks is very helpful to us. If we go into an entity that has to comply with another framework, we're often able to show them how our evaluation crosses over with whatever they're required to comply with. We don't have to become specialists in eight different control frameworks. We can be specialists in this one framework and then help our audit clients understand how they are related."
IT Security Audit Manager
Washington State Auditor’s Office (SAO)
"Cybersecurity can be an overwhelming undertaking for organizations that lack the staff or knowledge. The CIS Controls take the guesswork out of what steps to implement. The Implementation Groups (IGs) take an overwhelming list of controls and essentially turn them into a checklist that is very easy to understand. I have found the CIS IGs to be very helpful when explaining to school officials and municipal leaders the steps or controls that need to be implemented to raise their security posture."
Director of Technology
New Hampshire Hillsboro-Deering School District
"Applying the Controls in a school environment is very important to me. Controls 1 and 2 (Inventory) as well as Control 6 (Monitoring Logs) and Control 15 (Wireless Control) are the most useful CIS Controls. Of course, the goal is to apply all possible CIS Controls to achieve a higher level of security."
Technician and Educator
Italian Ministry of Education
CIS Controls Community Volunteer
"I strongly believe that good IT operational practices drive a reduction in cybersecurity-related risk and that the CIS Controls help drive those operational practices. I wanted to help develop the CIS Controls and use my quarter of a century experience in this sector to make them even more effective."
Director, SAM for Compliance Ltd.
CIS Controls Community Volunteer
CEO, IACI (International Association of Certified IASOs)
Kamala D. Harris, Attorney General
California Department of Justice
California Data Breach Report
"I’m a huge fan of the [CIS] Controls…CIS Controls provide a strong story and framework."
Christophe Demoor, CISM
"This is where the [CIS Controls] are almost perfect for establishing a security baseline for smaller organizations."
James Jacobs, CEE
"Start by taking care of the basics: build a solid cybersecurity foundation by implementing the [CIS Controls], especially application white-listing, standard secure configurations, reduction of administrative privileges, and a quick patching process."
Zurich Insurance Group
Risk Nexus: Overcome by cyber risks?
Economic benefits and costs of alternate cyber futures
"Since we switched over to a standardized CIS Benchmark, it’s easy for us to give the auditor the data and say: We’re using CIS and these devices are going to be compliant with that, because we implement the CIS Benchmarks through group policy. If we fall in alignment with these configuration standards, it just clearly makes sense that it could really lighten the workload on the team of the State of Minnesota. I’m really impressed [by] the value you get with CIS. It’s huge."
State of Minnesota Security Architect
"Without this resource, the hardening of our devices would have taken a lot longer and required many meetings between IT and Security to debate which configuration settings to change and the impact they could have. The CIS Benchmarks provided the necessary information to alleviate many of the fears IT may have had with changing specific settings."
Banking Information Security Engineer
"CIS-CAT Pro is a real solid foundation by which you can go to any customer and show them: Look, here’s what the Center for Internet Security tells us we need to be doing to lock your systems down. You can read what Tony Sager says – stop chasing shiny objects and get back to the basics."
BFB Consulting President
"CIS SecureSuite Membership provides excellent value. It should be part of everybody’s security program."
Malicious Domain Blocking and Reporting (MDBR)
"For California, the Malicious Domain Blocking and Reporting (MDBR) service has been effective as an additional source of threat intelligence. This capability adds an additional element of automation in our security operations processes and playbooks, resulting in greater efficiencies. The preventive blocking and reporting provides metrics on true positive and high-fidelity events, allowing our internal teams to focus on more sophisticated attacks."
Chief Information Security Officer
State of California
"Prior to Albert, I had no mechanism for fully analyzing my incoming and (just as importantly) outgoing electronic traffic. I now have a reliable, affordable, and trusted source that inspects ALL of my traffic in both directions."
Marion County, Florida Elections
Sources Going Back to December 2019 (Case Studies):
Washington State Auditor's Office: https://www.cisecurity.org/case-study/washington-state-auditors-office-uses-cis-controls-to-perform-effective-security-audits/
Minnesota Security Architect: https://www.cisecurity.org/case-study/tackling-audits-and-cloud-security-efficiently-and-at-scale/