What are the CIS Top 18 Controls?

The Center for Internet Security (CIS) has developed a list of 18 critical security controls, known as the CIS Top 18 Controls (formerly called CIS Critical Security Controls). These controls provide a prioritized framework for organizations to improve their cybersecurity posture and protect against cyber threats. Here are the controls:

• Inventory and Control of Hardware Assets: Actively manage and secure all hardware devices on the network, ensuring that only authorized devices are allowed.
• Inventory and Control of Software Assets: Actively manage and secure all software on the network, ensuring that only authorized software is used.
• Continuous Vulnerability Management: Regularly assess and remediate system, software, and hardware vulnerabilities.
• Controlled Use of Administrative Privileges: Limit administrative privileges and monitor and control their use to prevent unauthorized access and system changes.
• Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Establish, implement, and actively manage the security configuration of mobile devices, laptops, servers, and workstations.
• Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyze audit logs of events to help detect, understand, and respond to suspicious activity.
• Email and Web Browser Protections: Minimize the attack surface and the opportunities for attackers to manipulate human behavior by interacting with web browsers and email systems.
• Malware Defenses: Implement measures to prevent the execution of malware and the spread and persistence of malicious software.
• Limitation and Control of Network Ports, Protocols, and Services: Manage (track/control/correct) the ongoing operational use of ports, services, and protocols on networked devices to minimize windows of vulnerability available to attackers.
• Data Recovery Capabilities: Ensure that critical data can be rapidly restored and made available after a catastrophic event.
• Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches: Establish, implement, and actively manage the security configuration of network infrastructure devices.
• Boundary Defense: Detect/prevent/correct the flow of information transferring networks of different trust levels, focusing on security-damaging data.
• Data Protection: Implement measures to prevent data exfiltration, data breaches, and the unauthorized disclosure or modification of sensitive data.
• Controlled Access Based on the Need to Know: Establish and implement access controls based on the principle of least privilege and need to know.
• Wireless Access Control: Ensure the appropriate security for wireless access points and networks.
• Account Monitoring and Control: Continuously monitor and control user and service accounts, as well as the associated roles and privileges, to mitigate or prevent account misuse, compromise, or fraud.
• Implement a Security Awareness and Training Program: Raise staff awareness of security, including how to respond to various forms of social engineering.
• Application Software Security: Manage the security life cycle of all in-house developed and acquired software to prevent, detect, and correct security weaknesses. 
  
  The CIS Security Controls formerly included 20 controls and have since been updated. These CIS Top 18 Controls provide a comprehensive framework for organizations to enhance their cybersecurity defenses and reduce the risk of cyber threats and attacks. They are regularly updated to adapt to evolving security challenges and best practices in the field. 

Return to Cybersecurity Frameworks and Standards Glossary