CIS Critical Security Controls: A Global De Facto Standard
While there are some limited policy standards (e.g., the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)) and industry or data standards (e.g., the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and International Organization for Standardization (ISO) standards), there are no specific operational standards across all the economic sectors. The CIS Critical Security Controls (CIS Controls) are a de facto, global, and reasonable standard for operational cybersecurity for six compelling reasons.
- Prescriptive and prioritized by global experts. The CIS Controls, which are regularly compiled by cybersecurity experts around the world, help you to implement the goals of your enterprise’s cybersecurity program by identifying specific, prescriptive actions to be done in priority order based on the current state of global cyber threats and your enterprise’s unique security needs. The CIS Controls focus on how malicious actors actually attack, and their content is updated accordingly so that enterprises can defend against those attacks. What results is the clearest, most definitive roadmap for how to protect your enterprise against cybersecurity attacks.
- Extremely effective and measurable. The CIS Controls are very effective against today’s most pervasive attack vectors, and this effectiveness has been quantified. Over the years, CIS has worked towards a more data-driven, rigorous, and transparent process to develop and prioritize the CIS Controls, as evidenced in our release of CIS Community Defense Model (CDM) v2.0. CIS CDM v2.0 asserts that the CIS Controls defend against approximately 86% of all ATT&CK (sub-)techniques found in the MITRE ATT&CK® framework.
- Scalable. The CIS Controls can be tailored based on the size and maturity of your enterprise. The CIS Controls use the concept of Implementation Groups (IGs), three tiers which provide an on-ramp for enterprises just starting out as well as a roadmap to greater cyber defense maturity. Even at the simplest level, IG1, the CIS Controls remain very effective, defending against 74% of ATT&CK (sub-)techniques in the MITRE ATT&CK® framework.
- Cost-effective. Recognizing that the cost of implementation is a huge unknown in security programs (especially for small and medium-sized enterprises), CIS has been developing tools, models, and working aids to help enterprises understand and manage the cost of their cybersecurity program. CIS has published a guide that establishes how much it will cost an organization to implement an effective cybersecurity program with IG1.
- Mapped to other global policy and data frameworks. Many enterprises must comply with multiple security frameworks, laws, and regulations. CIS develops freely available mappings of the CIS Controls to a variety of security and compliance frameworks, such as NIST® CSF, NIST® 800-53, PCI DSS, and more.
- Widely adopted globally. The CIS Controls have been downloaded over 450,000 times over the last few years — over half of these by organizations outside the United States.