The CIS Top 20 Controls: What Are the Top Level Controls?



In a world where data breaches are a daily occurrence, implementing cyber security controls that can protect your organization has never been more important. Over the past few years, a number of risk management frameworks have come to life, highlighting the most important security controls an organization should measure and implement, in order to minimize being breached.


One of the leading frameworks to measure IT security controls was born out of an industry collaboration of both the SANS Institute alongside the Center of Internet Security. Together, they created a list of cyber security controls for an organization to focus on, what is now known as the CIS Top 20 critical security controls.


Before we dive into the 20 controls, we will first explain the structure of this framework and what it includes. So let’s get started!

There are three groups within the CIS 20 critical controls and those include:

  • Basic cyber security controls

  • Foundational cyber security controls

  • Organizational cyber security controls


In the latest release CIS Controls V7.1, they have added new guidance in how to implement the IT security controls, kind of similar to the NIST Tiering system.

The three groups include different implementation guidelines based on the maturity of the organization. Here’s a quick breakdown:


  • Implementation group 1 – relevant to organizations of all sizes An organization that does not have the full resources under the security team to implement the sub-controls

  • Implementation group 2 – extra controls focused on storing of sensitive data An organization that has some of the resources to implement the sub-controls

  • Implementation Group 3 - extra controls for storing very sensitive data An organization that is more advanced and mature with extensive resources and cyber experience, on how to manage and allocate sub-controls


Let’s review the CIS Top 20 security controls, to better understand the split-up, and what is required when implementing them:


Basic Cyber Security Controls


  • Control 1: Inventory and Control of Hardware Assets

Create active inventory of all hardware devices on or connected to the network, to ensure that only approved and authorized devices can gain access. This also ensures that unauthorized devices will be identified, located and restricted access. This inventory should regularly be tracked and updated.


  • Control 2: Inventory and Control of Software Assets

Create active inventory of all software applications connected or affiliated with the organization’s network and data, to ensure that only approved and authorized software can execute and run, and unauthorized software cannot. Included here should be all 3rd-party software solutions as well. This inventory should regularly be tracked and updated.


  • Control 3: Continuous Vulnerability Assessment and Remediation

Collect, analyze and operationalize vulnerability data on a continuous basis to identify new vulnerabilities early, remediate where necessary, and minimize the risk of an attacker exploiting it to gain unauthorized access.


  • Control 4: Controlled Use of Administrative Privileges

A set of processes and solutions that help keep track and manage the assignment of administrative privileges to various computers, systems, networks and applications. These rules are also meant to help prevent and correct misconfiguration of wrong privileges that have been granted.


  • Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

The implementation of configuration management as well as change control processes, to actively manage, track and correct security configurations on:

  • Mobile devices

  • Servers

  • Workstations

  • Laptops

This control can help prevent the exploitation of a vulnerability within a service or setting, by an attacker.


  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Collection management and analysis of the audit logs the track events in order to help identify and understand an attack happening as well as the best path to recovery.


Foundational Cyber Security Controls


  • Control 7: Email and Web Browser Protections

Narrow the pathway for attackers to manipulate the weakest link in the attack chain ,which is the human element, by a set of controls that can help protect email and web browser interactions. Email in particular is often thought to be a secure method of communication, and sensitive data is not treated carefully enough.


  • Control 8: Malware Defenses

Malicious code can be deployed in many places within the enterprise. Eliminating the spread and execution of malicious code is a key factor in defense. In order to achieve this, organizations must use automated tools to quickly collect data as well as update defenses where needed.


  • Control 9: Limitation and Control of Network Ports, Protocols, and Services

Manage ports protocols and services that affect devices that are on the network in order to track, control and mitigate open gaps that could create an opportunity for a vulnerability to be available to an attacker.


  • Control 10: Data Recovery Capabilities

The tools and processes that support the backup of all data with a focus on critical information. A rigorous methodology is required to ensure minimal downtime to recovery in the case of an event.


  • Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Management of the network infrastructure device’s security configuration, to actively track, report and mitigate opportunities for attackers to exploit vulnerable services and settings. Using proper change control processes as well as configuration management can help minimize this risk.


  • Control 12: Boundary Defense

Monitor information being transferred through organizational networks, while focusing on data that could pose a threat to the security of the organization. implement the ability to both prevent and correct problems that are detected.


  • Control 13: Data Protection

Solutions and processes that will help avoid data exfiltration, as well as how to deal with already exfiltrated data, to ensure maximum privacy and integrity to the information that is sensitive. The is one of the CIS Top 20 critical security controls that addresses a pre and post breach situation which is very important to keep in mind at all times.


  • Control 14: Controlled Access Based on the Need to Know

Solutions and processes to manage access to critical assets by classifying approved people, systems and applications that should have the right to access these critical assets.


  • Control 15: Wireless Access Control

Solutions and processes to manage all the security around the wireless local area networks, wireless client systems and access points.


  • Control 16: Account Monitoring and Control

Management of account creation lifecycles for applications and systems, lack of use, and elimination of these accounts, to minimize channels for attackers to leverage.


Organizational Cyber Security Controls


  • Control 17: Implement a Security Awareness and Training Program

Create a plan to measure security awareness across the organization, by assessing and analyzing data and remediating gaps. The outcome of this plan should include organizational training and awareness programs for all active roles internally as well as direct contractors.


  • Control 18: Application Software Security

Software being used by the organization can serve as a risk and a weakness. as such, there needs to be a rigorous security lifecycle assessment process that ensures the prevention, detection and correction of unintentional vulnerabilities. In an age where many software providers are now being targeted, similar to what we saw in the SolarWinds attack, this has become a critical focus area. This is relevant to software developers, internal development teams and third parties you acquire software from.


  • Control 19: Incident Response and Management

Attacks are inevitable, so operating under the assumption that you very well might be attacked is a preferred approach. Creating a well-defined plan that lays out the roles and responsibilities during an incident is extremely important. These plans will also include training, communication and general management of the incident, to help identify the attack as quickly as possible, contain and mitigate the damage, and eradicate the presence of the attacker. The primary goal here is to restore the full integrity and operation of its systems and its network. One of the goals of using the CIS 20 critical controls is to ensure you are thinking about an attack before and after it takes place.


  • Control 20: Penetration Tests and Red Team Exercises

The last and final control focuses on pressure testing in a battlefield approach, the strength and resilience of the organizations people processes, and tools that are in place to protect it. This is done through a series of exercises that simulate a real time attack by bad actors, and help the organization identify gaps in its security strategy. This should be done regularly, with a clear methodology and lifecycle for measuring the resilience, identifying gaps and mitigating risks.



To summarize, the CIS Top 20 security controls are an excellent framework to measure the most important security controls in an organization. With new CIS cybersecurity control implementation tiers, fitting this to your organization’s maturity has become a lot more accurate and streamlined.