CIS Controls: Prioritized cybersecurity with practical measures
The CIS Controls, maintained by the Center for Internet Security (CIS), provide a prioritized, step-by-step approach to improving an organization's cybersecurity. They consist of 18 controls, each broken down into concrete, directly applicable safeguards, and are developed and maintained by an international community of cybersecurity practitioners. The controls are updated regularly (the current major version is v8).
Structure of the CIS Controls
Each of the 18 controls is divided into safeguards, where a safeguard describes one specific security action that can be implemented directly to strengthen an organization's security. Every safeguard is assigned to an Implementation Group (IG1, IG2 or IG3). The groups are cumulative: IG1 is the minimum set that CIS calls "essential cyber hygiene", IG2 adds safeguards for organizations with more complex environments, and IG3 adds the remaining safeguards for organizations facing the most sophisticated threats. This lets an organization select the level that fits its risk profile and maturity.
Examples of themes include:
- Inventory of hardware and software
- Continuous vulnerability management and patch management
- Secure configuration (hardening) of enterprise assets and software
- Management of accounts and access rights, including multi-factor authentication
- Logging and monitoring of activities
- Incident response and recovery procedures
Why CIS Controls are important
CIS Controls help organizations set clear priorities and reduce their most significant cyber risks effectively. They are practical and focused on implementable technical measures, map well onto regulatory requirements such as the NIS2 directive and management standards such as ISO/IEC 27001, and are used worldwide by organizations of different sizes and across many sectors. They also complement the CIS Benchmarks, which give the detailed configuration settings for specific products, and other best practices.
Which organizations are CIS Controls suitable for?
CIS Controls are relevant for organizations of any size that want to strengthen their cybersecurity, particularly when they:
- Have limited security capacity
- Are looking for a practical starting point for technical security measures
- Want to implement demonstrable and directly applicable controls
CIS Controls and ISO 27001: complementing governance and policy
Where ISO/IEC 27001 focuses on policy, governance and risk management within an ISMS, CIS Controls provide a practical implementation of technical measures. They help organizations implement the ‘how’ of cybersecurity in concrete terms, while ISO 27001 defines the ‘what’ and ‘why’ of security policy. Organizations often use CIS Controls as an implementation guide alongside ISO 27001 to introduce technical measures more quickly and effectively, without certification being the primary objective.
Want to learn more about CIS Controls?
Kiwa supports organizations in mapping, implementing and testing CIS Controls within their organization. Our approach combines knowledge of international standards with practical experience, helping you strengthen your security in a structured and sustainable way. Contact us for tailored advice and to learn how CIS Controls can add value to your organization.
ISO 27001 certification: protect your business’ data
Working in accordance with the ISO 27001 standard helps you take a structured approach to information security. Kiwa’s experts have everything you need to prepare your organisation for ISO 27001 certification. We have extensive experience with this standard, from developing a step-by-step information security plan to implementing a full Information Security Management System (ISMS).
NIS2 Supply Chain: Demonstrable Cybersecurity Compliance
NIS2 certification has become an essential requirement for companies operating in critical supply chains or providing services to NIS2-regulated organizations. With NIS2 Supply Chain certification, previously known as the NIS2 Quality Mark, your organization demonstrates both cybersecurity resilience and compliance with the new legal obligations.
NEN 7510 certification: take care of your confidential information
Kiwa was the first in the Netherlands to hold a NEN 7510 accreditation and has a great deal of experience with NEN 7510 certification.