CIS TOP 20 Security Controls

January 11, 2017

The Center for Internet Security

Security Standards Series

We know that there are a lot of security standards out there (more than we care to count) and the sheer number of options can make it very difficult to decide which organization has the right security standard for you. We’ve created this series of posts on security standards to make it easier for you to navigate through the noise. Please leave us a comment if you have any questions or would like to add to the discussion.

What is the Center for Internet Security (CIS)?

The Center for Internet Security (CIS) is a nonprofit organization wholly dedicated to enhancing the ability of public and private organizations to prepare for and respond to cybersecurity threats. One of the key activities of the CIS is the development and promotion of the CIS Controls Library — a repository of the CIS Controls Framework and accompanying implementation and user guides.

CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls (Top 20 & Top 5).

The Threefold Mission of the CIS is (1) Identify, develop, validate, promote, and sustain best practices in cybersecurity; (2) Deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and (3) Build and lead communities to enable an environment of trust in cyberspace.

The Values that Govern the CIS are (1) Operate with INTEGRITY, (2) Commit to EXCELLENCE, (3) Embody COLLABORATION, (4) Focus on our PARTNERS, (5) Support our EMPLOYEES, (6) Promote TEAMWORK, and (7) Remain AGILE.

What are the CIS Top 20 Critical Controls?

The CIS Critical Security Controls are a concise, prioritized set of cybersecurity best practices designed to prevent the most pervasive and dangerous cyber attacks. The CIS Controls are developed, refined, and validated by a community of leading experts from around the world.

Organizations that apply just the first 5 CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.

The CIS Critical Controls can be downloaded as a PDF or Excel document here.

A snapshot of the Top 5 CIS Controls

The CIS Controls help prioritize the security actions an organization can take, in order to maximize the effect on the organization’s security posture. Similar to the Pareto 80/20 Principle, the CIS Controls are laid out so that implementing only some of the security actions you could possibly take yields a very large percentage of the benefit of implementing all of them.

The design of the CIS Critical Security Controls is driven by the most common attack patterns highlighted in leading security threat reports; the controls are then vetted by a body of professionals working in both government and industry.

They were created by the people who know how attacks work — NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation’s top forensics and incident response organizations — to answer the question, “What do we need to do to stop known attacks?”

The Controls are derived by taking the best-in-class threat data and utilizing it to develop guidance to improve both individual and collective security in cyberspace.

“The National Governors Association recommends that states turn to the Critical Security Controls for a baseline of effective cybersecurity practices. The Critical Security Controls provide states with a security framework that can strengthen their cyber defenses and ultimately protect information, infrastructure, and critical assets.” - National Governors Association, Act and Adjust: A Call to Action for Governors for Cybersecurity

SANS Institute

Another great source of information and guidance about the CIS Critical Security Controls is the SANS Institute, which supports information security practitioners and managers in implementing the CIS Critical Security Controls with research and training.

You can learn more about how SANS supports CIS here.

If you’d like to speak with a Whistic representative, please click here to schedule a conversation.

About Whistic

Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah, at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence Scoring algorithm, which leverages the wisdom of crowds to assess the inherent and residual risks of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit:
