How to Use the CIS Controls Framework for Your Business

Posted on January 15, 2020 - by Justin Gratto - in Building Your InfoSec Program

For businesses, leveraging a framework like CIS Controls makes sure your company and customer data stay safe. You want to use trusted security and privacy frameworks for your business and we think the controls in the CIS framework are an excellent fit for many businesses or even startups.

Customer data breaches, ransomware, theft of company secrets or intellectual property, phishing attacks — cybercrime has become a primary concern for businesses of every size. Protecting your company requires the thoughtful deployment of cybersecurity best practices. That’s where security frameworks come in.

As organizations increasingly adopt digital tools to conduct their business processes, there are more and more opportunities for hackers to steal the valuable data on which all companies rely. It’s not enough to create strong passwords and monitor traffic behind a firewall – modern companies are much more complex.

Developing strong security controls that can meet the challenges created by a dynamic digital environment is central to any cybersecurity strategy. Read on to learn about using CIS Controls to secure your company.

Choosing a Cybersecurity Framework: CIS Controls

When it comes to cybersecurity best practices, it can be difficult to know where to start. Fortunately, businesses can gain a sense of direction by adopting a security framework.

CIS Controls are a set of 20 best practices that can guide you through the process of creating a layered cybersecurity strategy. Research suggests that implementing CIS Controls can reduce the risk of a successful cyberattack in a company by as much as 85 percent.

The CIS Controls align with the NIST Cybersecurity Framework, which was designed to create a common language for managing risk within a company. In other words, it helps companies answer critical questions about their cybersecurity program such as what inventory they need to protect, and where gaps in security lie. Whereas the NIST Cybersecurity Framework has five core concepts, the CIS Controls have 20 actionable points. Your small business or startup can treat these as steps to building your security program.

Any company looking to adopt the comprehensive NIST Cybersecurity Framework to guide its security strategy can start with the CIS Controls. Once a baseline has been achieved there are resources available to ease the transition to the NIST Cybersecurity Framework, such as CIS Controls V7.1 Mapping to NIST CSF. While the CIS Controls and NIST Cybersecurity Framework are aligned, they aren’t completely interchangeable.

Here’s how to get started with the CIS framework for your security program.

Implementing CIS Controls for a Business

Even if you don’t implement all 20 best practices, your cybersecurity strategy will be made much stronger with this framework.

Using CIS Controls can help a company gain control of its cybersecurity strategy in a methodical, organized way. Organizations that aren’t sure where to start, or that wish to conduct a thorough cybersecurity assessment, should consider working through the 20 steps of the CIS Controls.

CIS Controls are also put into implementation groups (more on this below), so you’ll know what to prioritize and know where to start. This is ideal for startups or small businesses that don’t have professional security experts on their team.

1. Identify the Security Environment with Basic Controls

The first six CIS Controls handle basic cybersecurity best practices, referred to by CIS as the “cyber hygiene” control set. These are all about understanding the people, software, or devices that could have access to your company or customer data. To implement basic controls:

  • Perform an inventory of company hardware and establish means to control it: You should have a clear view of all devices in a company, including printers, smart devices, and other electronics.
  • Document all software assets: Determine what software is installed on computers or networks either manually or using a management tool.
  • Investigate instances of shadow IT: Survey employees for the tools they use to do their jobs, or manually investigate what software or hardware may have been introduced into the work environment without IT’s knowledge.
  • Identify and limit user account permissions: Identify what users are running with administrator privileges and restrict accounts that don’t need it.
  • Update passwords and software configurations: Make sure all devices are running with secure passwords and the right configurations.
  • Implement and maintain audit logs or another management system: Have a way to track software installations and prevent the use of non-approved applications.
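One way to turn the inventory, software, and account steps above into a repeatable check, as an added example that is not part of the original post or of CIS’s own tooling: the Python script below reconciles a constructed asset register against constructed discovery data (DHCP-style leases plus per-host snapshots of installed software and local administrators) and reports unregistered devices, non-approved software, and administrator rights that were never approved. All names and sample values are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample register: approved hardware by MAC, approved software, approved admins.
APPROVED_DEVICES = {"aa:bb:cc:00:00:01": "laptop-alice", "aa:bb:cc:00:00:02": "printer-floor2"}
APPROVED_SOFTWARE = {"chrome", "slack", "libreoffice"}
APPROVED_ADMINS = {"alice"}

# Constructed discovery data in a DHCP-lease-like format: "<ip> <mac> <hostname>".
LEASES = """\
10.0.0.11 aa:bb:cc:00:00:01 laptop-alice
10.0.0.12 aa:bb:cc:00:00:02 printer-floor2
10.0.0.40 de:ad:be:ef:00:01 unknown-tv
"""

# Constructed per-host snapshots of installed software and local administrator accounts.
HOST_SNAPSHOTS = {
    "laptop-alice": {"software": {"chrome", "slack", "torrentclient"}, "admins": {"alice", "bob"}},
    "printer-floor2": {"software": set(), "admins": set()},
}

@dataclass
class Findings:
    unknown_devices: list = field(default_factory=list)      # Control 1: hardware not in the register
    unapproved_software: dict = field(default_factory=dict)  # Control 2: software not on the approved list
    unapproved_admins: dict = field(default_factory=dict)    # Control 4: admin rights nobody approved

def parse_leases(text):
    """Turn lease lines into (ip, mac, hostname) tuples, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].lower(), parts[2]))
    return rows

def reconcile(leases, snapshots, devices=APPROVED_DEVICES,
              software=APPROVED_SOFTWARE, admins=APPROVED_ADMINS):
    """Compare what was observed with what is approved and return the gaps as Findings."""
    f = Findings()
    for ip, mac, host in leases:
        if mac not in devices:
            f.unknown_devices.append((ip, mac, host))
    for host, snap in snapshots.items():
        extra_sw = sorted(snap["software"] - software)
        if extra_sw:
            f.unapproved_software[host] = extra_sw
        extra_adm = sorted(snap["admins"] - admins)
        if extra_adm:
            f.unapproved_admins[host] = extra_adm
    return f
```

Feeding real DHCP leases and endpoint-management exports into `parse_leases` and `HOST_SNAPSHOTS` turns this into a scheduled job whose non-empty findings are the items to investigate or remove.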

2. Protect Assets with Foundational Controls

Foundational controls provide advanced guidance to improve overall technical aspects of security. They do this by establishing technical security controls that protect the assets that your company uses to conduct its processes – emails, computers, and consumer data. With an assessment of the security environment complete, it’s now possible to implement these controls:

  • Email and browser protection: Make sure you’re using a secure browser and a modern email provider.
  • Malware and virus defenses: Deploy antivirus and malware defenses to keep the network protected.
  • Port and network protection: Limit and control network ports, protocols, and other services to prevent unauthorized connection to the network.
  • Data recovery capabilities: Strong data backup and recovery capabilities mitigate data corruption or loss.
  • Secure network configuration: Configure devices that connect to the network, including firewalls, routers, and switches.
  • Boundary defenses: Limit access to the network to only known and trusted IP addresses.
  • Data protection measures: Encrypt hard drives, laptops, or mobile devices that carry sensitive business data. Consider using secure data storage tools.
  • Additional access controls: Further protect data by limiting access to it on a need-to-know basis.
  • Wireless access controls: Segment networks, configure filters, and audit network traffic accordingly. During this step, encrypt wireless data in transit.
  • Account monitoring and controls: Require the use of multi-factor authentication for all user accounts. Disable accounts that cannot be associated with a specific user or business process.

3. Develop a Security Culture with Organizational Controls

Foundational controls create a strong cybersecurity program. However, all of these strategies are useless if employees aren’t trained in cybersecurity best practices. Therefore, the final four CIS Controls emphasize organizational security processes such as awareness, preparedness, and incident response. In this phase, you should:

  • Implement security awareness training: Help employees understand the importance of security and identify any skill gaps that may exist.
  • Manage the security life cycle of software: Establish secure coding or development practices to prevent, detect, and correct any security weaknesses that might occur.
  • Develop incident response and management procedures: Define roles and procedures for handling incidents and returning operations to normal as quickly as possible.
  • Perform penetration tests: Test the strength of your company’s defenses by simulating incidents or breach attempts.

Building Security Programs for Small Businesses or Startups

What if your company doesn’t have the bandwidth to implement all 20 security controls? The CIS Controls also use a tiered model for businesses to self-assess their resource availability, called implementation groups. This addition to the CIS Controls helps address resource constraints at businesses of different sizes, which makes it ideal for small businesses or startups.

Implementation Group 1 is modeled for small businesses and startups, which have limited resources to implement the CIS Controls and sub-controls. Implementation Group 2 is for medium or mid-market enterprises that have moderate resources to implement controls and sub-controls. Finally, Implementation Group 3 can be implemented by large and multinational enterprises with significant resources, capable of implementing all the CIS controls and sub-controls. (We’ll cover more about these Implementation Groups introduced in CIS Controls V7.1 and their value in a later blog post.)

Overall, the implementation groups make it easier for a security team at small or medium businesses to identify the critical security issues which will have the most impact.

Implement Frameworks Like CIS Controls using Securicy

When it comes to security, taking proactive measures is always better than waiting for a breach to occur. A security framework like CIS Controls can provide the foundation that an organization needs to get started developing a cohesive information security strategy.

In the era of cybercrime, it’s not worth it to take risks with security. Companies struggling to acquire the resources or knowledge to enact a security strategy should consider reaching out to experts. Securicy helps companies ranging from startups to large enterprises develop the strategies they need to keep their network safe, all while giving you the tools to showcase your security posture and win new customers.

With expert guidance and free tools to build your security program, your business can stay secure and thrive.


About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is accountable for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He leads the customer success team, coordinates advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.