What Are the CIS Controls (Critical Security Controls)?
The CIS Controls (CIS Critical Security Controls) are a prioritized set of cybersecurity best practices maintained by the Center for Internet Security. The current version, v8.1, organizes defense into 18 controls and 153 safeguards, ordered from the most essential to the most advanced, based on real attack data. Unlike a law, the CIS Controls are not mandatory: they are a practical roadmap that answers the question “where do I start?” and that serves as a base for meeting frameworks such as the NIST CSF and CMMC.
How the CIS Controls work in practice
The strength of the CIS Controls is the order of priority: they say not just what to do, but what to do first. Instead of a list of 153 loose tasks, the company picks its group and moves forward. The cycle has four steps.
Choose the implementation group
IG1, IG2 or IG3: the group sets how many safeguards apply, based on the size, complexity and threat level the company faces.
Start with essential hygiene (IG1)
The 56 safeguards of IG1 are the floor every company should have: asset inventory, access control, backup, email and browser defense.
Measure and close the gaps
Each safeguard is a measurable task, which lets you score where the company stands and prioritize what is missing by the greatest defensive gain.
Map to the other frameworks
The CIS Controls cross-map to NIST CSF, ISO 27001 and others, so the effort here advances compliance there.
Source: Center for Internet Security (CIS), CIS Critical Security Controls v8.1.
The three Implementation Groups (IG)
- IG1 (Essential cyber hygiene) The 56 safeguards every company should have, regardless of sector or size. It is the floor of defense.
- IG2 (Moderate complexity) Adds safeguards for companies with more systems and regulatory obligations, reaching 130 in total.
- IG3 (Sophisticated threat) Brings together all 153 safeguards, for organizations that face advanced adversaries and high-value data.
Why a prioritized roadmap matters so much
Most companies do not suffer for lack of a tool, but for not knowing where to start, and for leaving the basics open. The CIS Controls exist to attack that: they are built from real attack data, cross-referencing MITRE ATT&CK and the Verizon Data Breach Investigations Report, to focus effort on what attackers actually exploit. The gain is concrete: a large share of incidents exploit precisely the essential-hygiene flaws that IG1 covers, such as missing MFA, outdated systems and an incomplete inventory. Starting with IG1 is the move with the greatest security return for the investment made, before moving on to more sophisticated controls.
How a company adopts the CIS Controls
Adopting the CIS Controls is less about buying something and more about executing in the right order. The most direct path:
- Do the inventory firstYou cannot protect what you do not know. The first control is precisely knowing which devices and software exist in the environment.
- Implement IG1 in fullTreat the 56 essential safeguards as the non-negotiable floor: MFA, tested backup, vulnerability patching, access control.
- Score yourself and prioritize the gapsMeasure how much of your group is already implemented and attack the gaps by the greatest defensive gain, not by the order of the list.
- Move up a group as risk growsCompanies with more exposure advance to IG2 and IG3, always building on what the previous group already secured.
In practice
The question that reveals the real risk: does the company have today a reliable inventory of every device and piece of software running on its network, or a list that went stale months ago?
How Zamak uses the CIS Controls
Zamak Technologies uses the CIS Controls as one of the roadmaps of Governance and Compliance in the Zamak Method: implementing essential hygiene (IG1), measuring the posture and sustaining the evidence on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.