Acronyms, Abbreviations, and Initialisms
| Short Form | Full Form |
|---|---|
| CIS | Center for Internet Security |
| CSC | Critical Security Controls (former name of the CIS Controls) |
The CIS Controls (formerly referred to as the Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.
Implementation Groups (IGs) are the recommended guidance for prioritizing implementation of the CIS Controls. To assist enterprises of every size, the Controls are divided into three IGs based on the risk profile of an enterprise and the resources it has available to implement them.
An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel.
An IG2 enterprise employs individuals responsible for managing and protecting IT infrastructure.
An IG3 enterprise employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security).
| Control | Name |
|---|---|
| Control 01 | Inventory and Control of Enterprise Assets |
| Control 02 | Inventory and Control of Software Assets |
| Control 03 | Data Protection |
| Control 04 | Secure Configuration of Enterprise Assets and Software |
| Control 05 | Account Management |
| Control 06 | Access Control Management |
| Control 07 | Continuous Vulnerability Management |
| Control 08 | Audit Log Management |
| Control 09 | Email and Web Browser Protections |
| Control 10 | Malware Defenses |
| Control 11 | Data Recovery |
| Control 12 | Network Infrastructure Management |
| Control 13 | Network Monitoring and Defense |
| Control 14 | Security Awareness and Skills Training |
| Control 15 | Service Provider Management |
| Control 16 | Application Software Security |
| Control 17 | Incident Response Management |
| Control 18 | Penetration Testing |
- The CIS Controls consist of 18 Controls.