
Center for Internet Security Critical Controls List (CIS)

The CIS Critical Controls List was built in the late 2000s by a coalition of volunteer experts to create a framework for protecting companies from cybersecurity threats. It comprises 20 controls that are regularly updated by experts from all fields (government, academia, and industry) so that it stays current with cybersecurity threats.
Using CIS is an effective starting point for organizations that want to begin developing and improving their critical controls. The process is typically divided into three groups: it starts with the basic technology controls, then moves into foundational controls, and finally organizational controls. CIS can be used as a standalone control model or as a supplemental framework that coexists with other, industry-specific compliance standards (such as HIPAA, GLBA, FERPA, etc.).
CIS coexists with benchmarks, or guidelines based on commonly used standards, such as NIST and ISO. CIS control guidance is provided for each of three broad implementation groups, based upon the resources and cybersecurity expertise available to implement the controls.
