Complete List of CIS Controls v8 - Top 20 Controls with Examples

You've been tasked with improving your organization's cybersecurity posture, and everyone keeps mentioning the CIS Top 20 Controls. But what exactly are these controls, why do they matter, and how can you implement them effectively? If you're feeling overwhelmed by the complexity of cybersecurity frameworks, you're not alone.

Many security professionals struggle with prioritizing which controls to implement first, finding the right tools for implementation, and tailoring these controls to their specific organizational risks. The good news is that there's a structured approach that can make this process more manageable.

What Are the CIS Top 20 Controls?

The Center for Internet Security (CIS) Critical Security Controls, commonly known as the CIS Top 20 Controls, provide a prioritized set of actions that collectively form a defense-in-depth framework to help organizations improve their cybersecurity posture.

These controls are developed by a community of IT experts who continuously update the framework to address evolving cyber threats. The controls are organized into three implementation groups based on an organization's resources and cybersecurity maturity:

• Basic (IG1): Essential cyber hygiene practices that every organization should implement
• Foundational (IG2): Technical best practices for organizations with moderate complexity
• Organizational (IG3): Advanced measures for organizations with significant resources and expertise

Key Insight: According to the Verizon Data Breach Investigations Report, implementing just the first five Basic Controls can mitigate up to 85% of common cyber attacks.

The Complete List of CIS Top 20 Controls

Let's explore each of the CIS Top 20 Controls with practical examples of implementation:

1. Inventory and Control of Hardware Assets

Objective: Actively manage and inventory all hardware devices on your network.

Example Implementation:

• Implement an asset discovery tool like Nmap or Qualys to automatically scan your network
• Use a configuration management database (CMDB) to maintain an updated inventory
• Deploy network access control (NAC) solutions to prevent unauthorized devices from connecting

Why It Matters: You can't protect what you don't know exists. Unmanaged devices represent significant security gaps in your environment.

2. Inventory and Control of Software Assets

Objective: Maintain an inventory of authorized software and prevent unauthorized software from being installed.

Example Implementation:

• Use application whitelisting tools like Microsoft AppLocker
• Implement software inventory tools such as Lansweeper or Belarc Advisor
• Create standardized software images for workstations and servers

Why It Matters: Unauthorized software often introduces vulnerabilities and can be a vector for malware.

3. Continuous Vulnerability Management

Objective: Continuously acquire, assess, and take action on new information to identify and remediate vulnerabilities.

Example Implementation:

• Deploy vulnerability scanners like Tenable Nessus or Qualys
• Establish a regular patching schedule for all systems
• Prioritize vulnerabilities based on criticality and exploitability

Why It Matters: Unpatched systems remain one of the most common entry points for attackers.

4. Controlled Use of Administrative Privileges

Objective: Track, control, prevent, and correct the use of administrative privileges.

Example Implementation:

• Implement multi-factor authentication for administrative accounts
• Use privileged access management (PAM) solutions like CyberArk
• Maintain separate accounts for administrative and standard user activities
• Regularly audit administrative account usage

Why It Matters: Compromised admin accounts give attackers significant control over your systems.

5. Secure Configuration for Hardware and Software

Objective: Establish and maintain secure configuration of devices.

Example Implementation:

• Use CIS Benchmarks as baseline configurations
• Implement configuration management tools like Ansible or Chef
• Regularly scan systems for configuration drift
• Disable unnecessary services, ports, and default accounts

Why It Matters: Default configurations often prioritize usability over security, leaving systems vulnerable.

6. Maintenance, Monitoring, and Analysis of Audit Logs

Objective: Collect, manage, and analyze audit logs of events.

Example Implementation:

• Deploy a Security Information and Event Management (SIEM) solution
• Configure centralized logging for all critical systems
• Establish log retention policies that meet compliance requirements
• Set up alerts for suspicious activities

Why It Matters: Without proper logging, organizations lack visibility into potential security incidents.

7. Email and Web Browser Protections

Objective: Minimize attack surface and opportunities for attackers to manipulate users via email and web browsers.

Example Implementation:

• Implement email filtering solutions like Mimecast or Proofpoint
• Use DNS filtering to block malicious websites
• Deploy browser extensions that block malicious content
• Disable unnecessary browser plugins and extensions

Why It Matters: Email and web browsing remain primary vectors for phishing and malware distribution.

8. Malware Defenses

Objective: Control the installation, spread, and execution of malicious code.

Example Implementation:

• Deploy endpoint protection platforms with advanced threat detection
• Implement application whitelisting
• Use network-based anti-malware filtering
• Conduct regular anti-malware scans

Why It Matters: Malware continues to be a significant threat, with increasingly sophisticated variants emerging regularly.

9. Limitation and Control of Network Ports, Protocols, and Services

Objective: Manage the secure use of ports, protocols, and services on networked devices.

Example Implementation:

• Use host-based firewalls to restrict unnecessary ports
• Regularly scan for open ports using tools like Nmap
• Disable or remove unnecessary services from systems
• Document all required ports and services for business operations

Why It Matters: Open ports and unnecessary services expand the attack surface for potential exploitation.

10. Data Recovery Capabilities

Objective: Properly maintain backups of critical systems and data.

Example Implementation:

• Implement the 3-2-1 backup strategy (3 copies, 2 different media, 1 offsite)
• Regularly test backup restoration processes
• Use encryption for sensitive backup data
• Establish recovery time objectives (RTOs) for critical systems

Why It Matters: Effective backup and recovery capabilities are crucial for business continuity and ransomware mitigation.

11. Secure Configuration for Network Devices

Objective: Establish and maintain secure configuration of network infrastructure.

Example Implementation:

• Use secure templates for routers, switches, and firewalls
• Implement configuration management for network devices
• Disable unused network ports and services
• Regularly audit network device configurations

Why It Matters: Improperly configured network devices can provide attackers with entry points or allow lateral movement.

12. Boundary Defense

Objective: Detect, prevent, and correct the flow of information across network boundaries.

Example Implementation:

• Deploy next-generation firewalls at network boundaries
• Implement intrusion detection/prevention systems (IDS/IPS)
• Use data loss prevention (DLP) tools to monitor outbound traffic
• Segment networks based on security requirements

Why It Matters: Effective boundary controls limit an attacker's ability to move between network segments.

13. Data Protection

Objective: Protect data-at-rest and data-in-transit.

Example Implementation:

• Encrypt sensitive data in storage and during transmission
• Implement data classification policies and tools
• Use DLP solutions to prevent unauthorized data transfers
• Establish data retention and destruction policies

Why It Matters: Data breaches can result in significant financial, reputational, and regulatory consequences.

14. Controlled Access Based on the Need to Know

Objective: Track, control, prevent, and correct secure access to critical assets.

Example Implementation:

• Implement the principle of least privilege for all accounts
• Use role-based access controls (RBAC)
• Regularly review and audit access rights
• Implement data access governance solutions

Why It Matters: Limiting access to only what users need reduces the risk of insider threats and limits the impact of compromised accounts.

15. Wireless Access Control

Objective: Track, control, prevent, and correct the security use of wireless networks.

Example Implementation:

• Use WPA3 encryption for wireless networks
• Implement network access control for wireless connections
• Segment guest wireless networks from corporate networks
• Regularly scan for rogue wireless access points

Why It Matters: Unsecured wireless networks can provide attackers with easy access to your environment.

16. Account Monitoring and Control

Objective: Actively manage the lifecycle of accounts and their access.

Example Implementation:

• Implement automated account provisioning and deprovisioning
• Require multi-factor authentication for all accounts
• Monitor for suspicious account activities
• Regularly audit user accounts and remove inactive ones

Why It Matters: Unmanaged accounts, especially those with elevated privileges, present significant security risks.

17. Implement a Security Awareness and Training Program

Objective: Educate users on cybersecurity risks and their role in defense.

Example Implementation:

• Conduct regular security awareness training
• Run simulated phishing campaigns
• Develop role-specific security training
• Create clear security policies and procedures

Why It Matters: Users remain a critical component of security; well-trained users can serve as an effective defense layer.

18. Application Software Security

Objective: Manage the security lifecycle of all in-house developed and acquired software.

Example Implementation:

• Incorporate security into the software development lifecycle
• Perform regular code reviews and security testing
• Use static and dynamic application security testing tools
• Implement secure coding standards

Why It Matters: Insecure applications can provide attackers with direct access to sensitive data and systems.

19. Incident Response and Management

Objective: Protect information and systems through a comprehensive incident response plan.

Example Implementation:

• Develop and regularly test incident response plans
• Establish clear roles and responsibilities during incidents
• Create communication protocols for security incidents
• Document lessons learned after incidents

Why It Matters: Effective incident response can significantly reduce the impact of security breaches.

20. Penetration Tests and Red Team Exercises

Objective: Test the organization's defenses through simulated attacks.

Example Implementation:

• Conduct regular penetration tests against critical systems
• Perform red team exercises to test detection and response capabilities
• Address identified vulnerabilities promptly
• Use the results to improve security controls

Why It Matters: These exercises help identify security gaps before real attackers exploit them.

Getting Started with CIS Top 20 Controls

If you're new to implementing the CIS Top 20 Controls, consider this approach:

1. Start with IG1 controls: Focus on implementing the basic controls first, which provide the highest security return on investment.
2. Assess your current state: Use the CIS Controls Self Assessment Tool (CSAT) to identify gaps in your security posture.
3. Prioritize based on risk: Address the controls that mitigate your organization's most significant risks first.
4. Leverage existing tools: Many organizations already have tools that can help implement these controls; identify what you have before investing in new solutions.
5. Document your progress: Keep track of your implementation journey to demonstrate improvement over time.

The CIS Top 20 Controls provide a practical, prioritized approach to cybersecurity that can significantly reduce your organization's risk profile. By focusing on these controls, you're addressing the most common and impactful attack vectors that threaten organizations today.

Remember that cybersecurity is a journey, not a destination. Continuous improvement and adaptation to evolving threats are essential for maintaining an effective security posture. The CIS Top 20 Controls provide the roadmap—your organization's unique circumstances will determine the specific route you take.

Frequently Asked Questions

What are the CIS Top 20 Controls?

The CIS Top 20 Controls, now formally known as CIS Controls v8, are a prioritized set of best practices to help organizations defend against the most common cyber attacks. Developed by the Center for Internet Security (CIS), they provide an actionable, defense-in-depth framework that is regularly updated by a community of global experts to address evolving threats.

Why are the CIS Controls important for cybersecurity?

The CIS Controls are important because they provide a prioritized, data-driven framework that helps organizations focus on actions that mitigate the most common cyber threats. By concentrating on a limited number of high-impact controls—such as the first five—organizations can significantly reduce their risk of a successful cyber attack, often by up to 85%.

How do the CIS Controls differ from other frameworks like NIST or ISO 27001?

The primary difference is that CIS Controls are a prioritized, implementation-focused set of technical safeguards, while frameworks like the NIST Cybersecurity Framework (CSF) and ISO 27001 are broader risk management frameworks. CIS Controls offer prescriptive guidance on what to do first, making them highly actionable. In contrast, NIST and ISO provide a structure for how to manage a cybersecurity program, and they are often used in conjunction with the CIS Controls.

Where should an organization start with implementing the CIS Controls?

An organization should start by focusing on Implementation Group 1 (IG1), which contains the "basic cyber hygiene" controls. These foundational controls are designed to provide the greatest risk reduction for the least investment and are considered essential for all organizations, regardless of size or industry. A self-assessment using the CIS CSAT tool is also a recommended first step to identify existing gaps.

Are the CIS Top 20 Controls still relevant?

Yes, the principles of the CIS Controls are highly relevant, though the framework has evolved. The "Top 20" branding refers to an older version; the current version is CIS Controls v8, which consists of 18 revised and reprioritized controls. The framework is continuously updated to address the modern threat landscape, ensuring it remains a practical and effective guide for cybersecurity defense.

What are Implementation Groups (IGs) in the CIS Controls?

Implementation Groups (IG1, IG2, and IG3) are categories that help organizations prioritize their implementation efforts based on their specific risk profile and available resources. IG1 is for essential cyber hygiene, IG2 is for organizations with more complex IT environments, and IG3 is for mature organizations with significant resources that handle sensitive data. This tiered approach makes the controls scalable for any organization.