What You Need to Know About CIS’ Version 7 Top 20 Security Controls

May 01, 2018

CIS, the Center for Internet Security, is the authority on cybersecurity readiness. And as organizations that deal with third-party vendors and applications know all too well, there is no such thing as being too prepared when it comes to safeguarding data and information.

CIS regularly updates what it calls the ‘Security Controls’: according to CIS, a prioritized set of 20 actions that any organization can follow to improve its cybersecurity posture. By implementing these battle-tested controls, sourced from experts across the global IT community, your organization can defeat over 85% of common attacks.

To get a head start on implementing these Controls, you can download the full list of all 20 controls, but we’ll review them briefly below to give you a quick overview of what each one is and why it matters to your organization’s security.

If you’re looking for a streamlined method for self-assessing your organization or your third-party vendors against the CIS Top 20 Critical Security Controls, Whistic provides the controls in a questionnaire format for our customers.

Why Do The Controls Evolve?

As technology evolves, so does the sophistication of hackers, phishing attacks, and general threats to corporate security. CIS recognizes that a set of controls that was effective five years ago, or even last year, may no longer be enough. The experts at CIS developed CIS Controls V7 (the current version) by consulting a community of global experts with backgrounds across academia, industry, and government. The public call for comment on this version of the Controls drew feedback from over 300 individuals dedicated to improving cybersecurity for all. These 20 Controls are the outcome of the expertise and feedback of those closest to the problems of cybersecurity.

How Should The Control Categories Be Applied?

While this version includes the same 20 Controls as the previous version, the recommendations have been re-organized into three easy-to-implement groups: basic, foundational, and organizational. The definitions of each, according to CIS, are as follows:

  • Basic (Controls 1–6): Key controls which should be implemented in every organization for essential cyber defense readiness.
  • Foundational (Controls 7–16): The next step up from basic — these technical best practices provide clear security benefits and are a smart move for any organization to implement.
  • Organizational (Controls 17–20): These controls are different in character from 1–16; while they have many technical elements, CIS Controls 17–20 are more focused on people and processes involved in cybersecurity.

An Overview of CIS’ 20 Controls

While the Controls themselves are extensive and require technical expertise (such as that of your InfoSec or IT team), we provide a brief explanation of each Control below (as cited in CIS’ Version 7 Controls Best Practices):

  • CIS Control 1: Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

  • CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

  • CIS Control 3: Continuous Vulnerability Management

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

  • CIS Control 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

  • CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

  • CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

  • CIS Control 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

  • CIS Control 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

  • CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

  • CIS Control 10: Data Recovery Capabilities

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

  • CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

  • CIS Control 12: Boundary Defense

Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.

  • CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

  • CIS Control 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

  • CIS Control 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.

  • CIS Control 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts — their creation, use, dormancy, deletion — in order to minimize opportunities for attackers to leverage them.

  • CIS Control 17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

  • CIS Control 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

  • CIS Control 19: Incident Response Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

  • CIS Control 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Regardless of the size or industry of your organization, it’s critical to understand how these 20 Controls can protect it from cybersecurity issues. While CIS’ Organizational Controls may be too sophisticated for your current needs, the Basic and Foundational Controls are a great place to start. And once those Controls have been implemented and tested, your InfoSec team can continue to improve its security posture with more advanced protection methods.

For a streamlined method for self-assessing your organization or your third-party vendors against the CIS Top 20 Critical Security Controls, look at how Whistic can help.
