The 20 CIS Controls


Cybersecurity threats are growing day by day. With WannaCry, the world saw what cybersecurity threats can actually do in the modern world. As the proverb goes, ‘prevention is better than cure’, so organizations follow different standards and measures to keep their data confidential, its integrity intact, and available. CIS (Center for Internet Security) provides the first steps that any organization could follow to protect information both physically and digitally.

The 20 CIS Controls are implemented by many information security teams, advised by many IT professionals, and used by many chief information security officers (CISOs) as the first step for protection. The CIS controls follow a “must do, do first” approach that organizations can implement as an initial step to protect themselves; they provide basic hygiene against possible risks, and CIS states that organizations can shrink their risk by 85% if the top 5 CIS controls are implemented. Those who are not familiar with the 20 CIS controls can refer to the figure below. (Do note that the CIS controls are continually improving and are decided on the basis of opinions from the large CIS controls community.)

Figure 1.0: 20 CIS Controls.

Figure 2.0 shows the top 5 CIS controls from the list of 20 controls.

The above-mentioned 20 CIS controls are influenced by five critical tenets, which are listed and described below:

Offense informs defense – Real-world cyber attacks and incidents are analyzed to build the most effective defenses.

Prioritizing – Threats and attacks are ranked by risk, and controls are implemented in that order: high-rated risks are treated first, followed by medium and low.

Metrics – Common metrics are established to provide a shared language for executives, IT specialists, auditors and security officials.

Continuous diagnostics and mitigation – Continuous monitoring and improvement are carried out to evaluate the system and reprioritize the controls.

Automation – Automating defenses gives organizations continuous monitoring and a way to validate that the controls are effective.

Organizations can implement the CSCs (Critical Security Controls) as a first step to protect their information and as a foundation for other controls to build upon.

The CSCs have been adopted and recommended by organizations such as the U.S. National Governors Association (NGA), the U.K.’s Centre for the Protection of National Infrastructure (CPNI) and the U.S. National Institute of Standards and Technology (NIST).

Implementing the CSCs gives an organization a base on which other controls can be implemented and can be used as a first step for protection. But the 20 CSCs alone cannot guarantee risk prevention. For this, organizations should consider implementing other standards that fit the organization’s framework and culture. Smaller organizations that are far less exposed to attacks and intrusions can implement the CIS controls alone for protection.

The CSCs do provide continuous improvement through ever-evolving controls, and the large community support that CIS has is another advantage for organizations implementing the 20 CSCs.

Based on the above information about the CIS 20 Critical Security Controls, organizations can decide either to adopt continuous improvement and compliance with the CSCs or to take the 20 CSCs as an initial step for the protection of information and a base for other controls.

For more information about the CIS controls, refer to

You could also join the CIS community by following the link below :