The CIS Critical Security Controls (the "CIS Controls", formerly known as the SANS Top 20) are a prioritized set of defensive actions designed to mitigate the most common and damaging cyberattacks.
Developed and maintained by the Center for Internet Security (CIS), these controls are widely regarded as the "gold standard" for foundational cyber hygiene because they are practical, actionable, and derived from observed attack patterns rather than theory alone.
The current version (v8) organizes the framework into 18 Controls containing 153 Safeguards (the v8 name for the individual sub-controls). Unlike earlier versions, v8 is organized by activity rather than by device type, so it applies to modern environments including cloud, mobile, and remote-work setups as well as traditional on-premises networks.
Control  Name                                                      Focus area
01       Inventory and Control of Enterprise Assets                Knowing what hardware and devices are on your network.
02       Inventory and Control of Software Assets                  Knowing what software is installed and running on those assets.
03       Data Protection                                           Identifying, classifying, and encrypting sensitive data.
04       Secure Configuration of Enterprise Assets and Software    Hardening devices and software (e.g., changing default passwords).
05       Account Management                                        Managing the lifecycle of user, admin, and service accounts.
06       Access Control Management                                 Granting access according to the principle of least privilege.
07       Continuous Vulnerability Management                       Scanning for and patching security flaws on a regular cadence.
08       Audit Log Management                                      Collecting, retaining, and reviewing logs to detect attacks.
09       Email and Web Browser Protections                         Filtering malicious sites and phishing email.
10       Malware Defenses                                          Anti-malware and endpoint detection and response (EDR).
11       Data Recovery                                             Maintaining tested backups to recover from ransomware or failures.
12       Network Infrastructure Management                         Securing routers, switches, firewalls, and their configurations.
13       Network Monitoring and Defense                            Watching network traffic for suspicious activity.
14       Security Awareness and Skills Training                    Training employees to recognize and report threats.
15       Service Provider Management                               Ensuring vendors and cloud providers protect your data.
16       Application Software Security                             Securing in-house and third-party application software.
17       Incident Response Management                              Having a tested plan for when a breach actually happens.
18       Penetration Testing                                       Simulating attacks to find weaknesses the other controls missed.
Not every organization can implement all 153 safeguards at once. CIS therefore assigns each safeguard to one of three Implementation Groups (IGs) based on an organization's risk profile and resources. The groups are cumulative: IG2 includes everything in IG1, and IG3 includes everything in IG2.
IG1 (Essential Cyber Hygiene): The "must-haves" that CIS recommends every organization implement as a minimum. Designed for small to medium businesses with limited IT and security expertise, it consists of the 56 most fundamental safeguards.
IG2: For organizations with moderate resources and dedicated IT staff that handle sensitive client information and face a higher risk of targeted attacks. It adds 74 safeguards to IG1, for a total of 130.
IG3: For large enterprises or those handling highly sensitive data (such as healthcare or finance) that face sophisticated adversaries, including "Advanced Persistent Threats" (APTs). It covers all 153 safeguards.
The biggest benefit of the CIS Controls is prioritization. Instead of trying to do everything at once (which often leads to doing nothing well), CIS tells you where to start to get the largest risk reduction for the effort spent.
The often-repeated claim that the first six controls (the "Basic" controls) stop roughly 85% of common cyberattacks refers to the grouping used in version 7, where Controls 1 through 6 were labeled Basic; it is an estimate, not a measured result. In v8 that grouping was replaced by the Implementation Groups, and the equivalent starting point is IG1.