Critical Security Controls: Definition and Overview

Wiz Experts Team
Key takeaways
  • CIS Critical Security Controls are 18 prioritized cybersecurity actions that protect organizations from the most common cyber attacks

  • The controls are organized into three Implementation Groups (IG1, IG2, IG3) that help organizations of different sizes and maturity levels know where to start

  • CIS Controls v8 reorganized the framework into 18 task-based controls optimized for cloud environments, while v8.1 refined language clarity and compliance mappings

  • Implementing CIS Controls reduces your attack surface and maps to requirements in frameworks like NIST CSF, HIPAA Security Rule, and PCI DSS—streamlining multi-framework compliance efforts

  • Cloud environments benefit from API-based visibility and continuous monitoring—whether agentless, agent-based, or hybrid—to apply these controls effectively across dynamic infrastructure

What are CIS critical security controls?

CIS Critical Security Controls are a set of 18 specific actions you can take to defend your organization against the most common cyber attacks. The Center for Internet Security (CIS), a nonprofit organization, created these controls by working with security experts from around the world to identify what actually works.

These controls tell you exactly what to do, not just what to think about. Instead of saying "manage your risk," they say "create an inventory of all your devices and keep it updated." This makes them different from broader security frameworks that focus on processes rather than specific technical steps.

Note: CIS Controls are different from CIS Benchmarks. CIS Controls are the 18 high-level security actions your organization should take (like 'manage vulnerabilities' or 'control access'). CIS Benchmarks are detailed configuration guides for specific technologies—like hardening Windows Server, securing AWS accounts, or configuring Kubernetes clusters. You use CIS Benchmarks to implement Control 4 (Secure Configuration) across your specific technology stack.

The controls are updated regularly to keep up with new threats and technology changes. Right now, they're designed to work in modern environments that include cloud computing, remote work, and mobile devices.


The 18 CIS critical security controls framework

The framework breaks down into 18 distinct controls that cover everything from basic inventory to advanced testing. Each control targets a specific security area and tells you what actions to take.

Here's what each control does:

Control 1: Inventory and Control of Enterprise Assets - Know what devices connect to your network so you can monitor and protect them. This includes computers, servers, network equipment, and IoT devices.

Control 2: Inventory and Control of Software Assets - Track all software on your network to make sure only authorized programs can run and block everything else.

Control 3: Data Protection - Create processes to identify, classify, and protect your data from theft or unauthorized access.

Control 4: Secure Configuration of Enterprise Assets and Software - Set up your devices and software securely to prevent attackers from exploiting default settings and known vulnerabilities.

Control 5: Account Management - Control who gets access credentials and manage those accounts to prevent unauthorized access.

Control 6: Access Control Management - Assign and manage permissions for users, administrators, and service accounts across your systems.

Control 7: Continuous Vulnerability Management - Scan for security weaknesses regularly and fix them quickly to reduce the window attackers have to exploit them.

Control 8: Audit Log Management - Centralize, retain, and protect audit logs with time synchronization across all systems to support threat detection, investigation, and recovery from security incidents.

Control 9: Email and Web Browser Protections - Protect against threats from email and web browsing since these are common ways attackers get in.

Control 10: Malware Defenses - Stop malicious software from installing, spreading, or running on your systems.

Control 11: Data Recovery - Maintain backups and recovery processes so you can restore systems to a trusted state after an incident.

Control 12: Network Infrastructure Management - Secure configuration and lifecycle management of network infrastructure (VPCs, subnets, security groups, gateways, firewalls, routing tables, and load balancers) to reduce exploitable network services.

Control 13: Network Monitoring and Defense - Monitor your network continuously and defend against threats across your infrastructure.

Control 14: Security Awareness and Skills Training - Train your workforce to recognize and respond to security threats appropriately.

Control 15: Service Provider Management - Evaluate and monitor third-party providers who handle your sensitive data or critical systems.

Control 16: Application Software Security - Manage security throughout the development and deployment of your applications.

Control 17: Incident Response Management - Develop and maintain plans, procedures, and teams to respond quickly when attacks happen.

Control 18: Penetration Testing - Test your defenses by simulating real attacks to find weaknesses before attackers do.

CIS controls v8.1: Key changes and improvements

Version 8 reorganized the framework from 20 to 18 controls and shifted from device-focused to task-focused safeguards, making them more applicable to cloud environments. Version 8.1 refined language for clarity and updated compliance framework mappings without changing the control structure.

The biggest change is the shift from device-focused controls to task-focused ones. Instead of having separate controls for servers, workstations, and mobile devices, v8 groups actions by what you're trying to accomplish. This makes the framework work better for cloud environments where the traditional idea of a "server" doesn't always apply.

The language got simpler too. Controls now use clearer terms that make them easier to understand and implement. This helps security teams explain what they need to do and why it matters.

Implementation groups: Prioritizing controls based on organizational maturity

CIS Controls use Implementation Groups to help you figure out where to start based on your organization's size and security maturity. This prevents you from getting overwhelmed by trying to do everything at once.

The three groups work like this:

Implementation Group 1 (IG1) covers basic cyber hygiene for small to medium organizations with limited security resources. It includes 56 safeguards that defend against common, non-targeted attacks. Start here if you're building your security program from scratch.

Implementation Group 2 (IG2) adds 74 more safeguards (130 total) for organizations managing more complex environments and sensitive data. Use this level when you need to defend against more sophisticated, targeted attacks.

Implementation Group 3 (IG3) includes all 153 safeguards for mature organizations with dedicated security teams protecting critical assets. This level helps you defend against advanced, persistent threats from skilled attackers.

Implementing CIS controls in cloud environments

Cloud environments move fast and change constantly, which makes traditional security approaches ineffective. You need tools that can keep up with the speed of cloud development while maintaining strong security.

The key is automation. Manual processes can't track resources that spin up and down in minutes. You need systems that connect directly to your cloud provider's APIs to see everything in real time. Unified, graph-based context across identities, data, vulnerabilities, and exposure helps you prioritize safeguards that actually reduce risk—for example, focusing on internet-exposed databases with admin credentials rather than isolated dev servers.

Here's what works in the cloud:

  • Agentless and API-based discovery: Tools that integrate with cloud provider APIs (AWS, Azure, GCP) build near-real-time inventories without installing software on every resource, though some runtime or deep OS signals may still require agents or snapshots for complete visibility

  • Continuous monitoring: Automated systems check configurations constantly and alert you immediately when something drifts from your cloud security standards

  • Policy as code: Define your security requirements in code so they're automatically enforced every time someone deploys new resources

  • Shift-left security: Scan infrastructure code before deployment to catch misconfigurations before they reach production

Example: Prioritizing internet-exposed VMs with critical CVEs and broad IAM permissions addresses Control 4 (secure configuration), Control 6 (access control), Control 7 (vulnerability management), and Control 13 (network monitoring) safeguards in a single sprint—demonstrating how unified context reduces effort across multiple controls.
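The policy-as-code and context-aware prioritization described above can be made concrete with a small evaluator. The following is an added example, not code from the article or from any vendor platform: it runs a handful of policy rules (each tagged with the CIS Control it serves) over a constructed asset inventory, then scores assets by combined context so that an internet-exposed VM with a critical CVE and a wildcard IAM role outranks an isolated dev server carrying the same CVE. The asset fields, rule names, and score weights are assumptions chosen for illustration; a real inventory would come from the cloud provider's APIs.

```python
"""Policy-as-code evaluation plus context-aware prioritization over a
constructed cloud inventory (illustrative; not a CIS or vendor tool)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Asset:
    """Assumed inventory record; field names are this example's own."""
    name: str
    kind: str                     # "vm", "database", ...
    internet_exposed: bool        # reachable from the public internet
    open_ports_to_world: list     # ports allowed from 0.0.0.0/0
    max_cvss: float               # highest CVSS among CVEs found on the asset
    iam_actions: list             # actions the attached role may perform
    sensitive_data: bool          # holds data classified as sensitive
    environment: str              # "prod" or "dev"


# Constructed sample inventory (no real resources).
INVENTORY = [
    Asset("web-vm-01", "vm", True, [22, 443], 9.8, ["*"], False, "prod"),
    Asset("dev-vm-07", "vm", False, [], 9.8, ["s3:GetObject"], False, "dev"),
    Asset("orders-db", "database", True, [5432], 5.3, [], True, "prod"),
    Asset("batch-vm-03", "vm", False, [], 4.0, ["*"], False, "prod"),
]


@dataclass
class Finding:
    asset: str
    control: str
    message: str


# Policy-as-code: each rule returns a message only when the asset violates it.
def rule_no_admin_port_to_world(a: Asset) -> Optional[str]:
    if 22 in a.open_ports_to_world or 3389 in a.open_ports_to_world:
        return "administrative port open to 0.0.0.0/0"
    return None


def rule_no_wildcard_iam(a: Asset) -> Optional[str]:
    if "*" in a.iam_actions:
        return "attached role allows all IAM actions"
    return None


def rule_no_critical_cve(a: Asset) -> Optional[str]:
    if a.max_cvss >= 9.0:
        return f"critical CVE present (CVSS {a.max_cvss})"
    return None


def rule_no_exposed_sensitive_store(a: Asset) -> Optional[str]:
    if a.internet_exposed and a.sensitive_data:
        return "sensitive data store reachable from the internet"
    return None


# (control served, rule) pairs; the control tags follow the mapping in the text.
POLICIES: list[tuple[str, Callable[[Asset], Optional[str]]]] = [
    ("Control 4", rule_no_admin_port_to_world),   # secure configuration
    ("Control 6", rule_no_wildcard_iam),          # access control management
    ("Control 7", rule_no_critical_cve),          # vulnerability management
    ("Control 3", rule_no_exposed_sensitive_store),  # data protection
]


def evaluate(inventory: list[Asset]) -> list[Finding]:
    """Run every policy over every asset, as a continuous-monitoring job would."""
    return [Finding(a.name, control, msg)
            for a in inventory
            for control, rule in POLICIES
            if (msg := rule(a))]


def priority_score(a: Asset) -> int:
    """Combined-context score (illustrative weights, not a CIS metric).
    Exposure, exploitability, privilege and data sensitivity each add weight;
    exposure coinciding with a critical CVE doubles the score because that is
    the combination an attacker can actually use."""
    score = 0
    if a.internet_exposed:
        score += 40
    if a.max_cvss >= 9.0:
        score += 30
    elif a.max_cvss >= 7.0:
        score += 15
    if "*" in a.iam_actions:
        score += 20
    if a.sensitive_data:
        score += 10
    if a.internet_exposed and a.max_cvss >= 9.0:
        score *= 2
    return score


def prioritize(inventory: list[Asset]) -> list[Asset]:
    return sorted(inventory, key=priority_score, reverse=True)


def controls_addressed(asset_name: str, findings: list[Finding]) -> set[str]:
    """Controls whose findings are all closed by remediating one asset."""
    return {f.control for f in findings if f.asset == asset_name}


if __name__ == "__main__":
    findings = evaluate(INVENTORY)
    for a in prioritize(INVENTORY):
        print(f"{priority_score(a):4d}  {a.name:12s} "
              f"{sorted(controls_addressed(a.name, findings))}")
```

Fixing `web-vm-01` first closes findings under Controls 4, 6 and 7 in one change, while `dev-vm-07`, which carries the same critical CVE but is isolated and holds a narrow role, lands near the bottom of the list.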

Cloud providers handle some security responsibilities, but your obligations vary by service model:

IaaS (EC2, Azure VMs, GCP Compute): You manage OS patching (C7), secure configurations (C4), access controls (C5–C6), and logging (C8). The provider secures the physical infrastructure.

PaaS (RDS, Azure SQL, Cloud Run): You manage data protection (C3), access policies (C6), and application security (C16). The provider handles OS patching and infrastructure security.

SaaS (Microsoft 365, Salesforce): You manage user access (C5–C6), data classification (C3), and security training (C14). The provider handles most infrastructure and application security.

Understanding this shared responsibility model helps you know which CIS Controls you must implement yourself versus which the provider addresses.

Security and business benefits of CIS controls

The controls give you a clear path to better security that also delivers business value. You're not just checking boxes—you're actually reducing risk in ways that matter.

You get measurable improvements because the controls target the attacks that actually happen. They're based on real-world data about how breaches occur, so implementing them directly addresses your biggest threats.

Your security program becomes more mature and organized. The Implementation Groups give you a roadmap that shows where you are and where you need to go next. This makes it easier to plan budgets and justify security investments.

Compliance gets simpler because CIS Controls map to other major frameworks. CIS provides official crosswalks to NIST CSF, NIST SP 800-53, ISO/IEC 27001, SOC 2, HIPAA Security Rule, and PCI DSS. For example, CIS Control 5 (Account Management) maps to NIST CSF PR.AC-1, ISO 27001 A.9.2, and PCI DSS Requirement 8. This alignment lets you satisfy overlapping requirements across multiple audits with a single set of controls.

Your team works more efficiently because the controls are prioritized. Instead of trying to fix everything at once, you focus on the actions that reduce the most risk. Context-aware prioritization—such as focusing on exposed, exploitable paths to sensitive data—cuts alert fatigue and MTTR. For example, addressing an internet-exposed VM with a critical CVE and broad IAM permissions delivers more risk reduction than patching an isolated dev server.

Common implementation challenges and solutions

Organizations run into predictable problems when implementing CIS Controls, but you can plan for these challenges ahead of time.

Limited resources hit smaller organizations hardest. You might not have enough people or budget to tackle all 18 controls at once. The solution is to start with IG1 and use automation wherever possible. Modern security platforms can handle many controls automatically, letting a small team accomplish more.

Tool sprawl creates confusion when you're using different products for each control. You end up switching between dashboards and manually correlating data. A single platform with shared policy and code-to-cloud visibility prevents duplicate findings, speeds ownership routing to the right teams, and lets you trace risks from IaC templates through runtime—reducing the time spent managing tools while improving your ability to implement controls consistently.

Visibility gaps happen in dynamic environments where resources come and go quickly. Traditional scanning can't keep up with cloud environments that change by the minute. Tools that connect to cloud provider APIs provide continuous visibility without workload performance impact, automatically discovering resources as they spin up.

How Wiz supports CIS critical security controls implementation

Wiz gives you a unified cloud security platform that addresses CIS Critical Security Controls across your entire cloud environment—from AWS and Azure to GCP—through one agentless deployment.

The platform automatically discovers all your cloud assets as they spin up and down: EC2 instances, containers, Kubernetes clusters, serverless functions, storage buckets, databases, and software packages. This continuous, API-based inventory satisfies Control 1 and Control 2 without agents slowing down your workloads.

Wiz's CSPM capabilities check cloud configurations against CIS Benchmarks in real time, catching drift the moment it happens across security groups, IAM policies, storage permissions, and network configurations. The platform's CIEM functionality finds overprivileged cloud identities, excessive permissions, and unused credentials across your multi-cloud environment, letting you enforce least privilege systematically for Control 5 and Control 6.

The Wiz CSPM solution offers real-time scanning to detect misconfigurations as soon as they occur.

Wiz's Security Graph shows you which cloud vulnerabilities actually matter by mapping them to attack paths through your cloud infrastructure. You see risks based on internet exposure, exploitability, lateral movement potential, and access to sensitive data—not just CVE scores. The platform integrates with CloudTrail, Azure Activity Logs, and GCP Audit Logs to centralize cloud audit data for Control 8 requirements.

Wiz Defend provides real-time detection and response capabilities for cloud workloads and runtime threats. Wiz Code scans IaC templates, container images, and dependencies in your CI/CD pipelines before they reach your cloud environment, shifting security left to prevent misconfigurations from ever deploying.

Wiz prioritizes cloud security findings by actual risk using the Security Graph and gives you clear remediation steps tied to specific cloud resources and services. Because Wiz is agentless and built for cloud-native architectures, you get comprehensive CIS Controls coverage across your entire cloud footprint in hours instead of months.

Get a demo to see how Wiz simplifies CIS Controls implementation and strengthens your cloud security posture.
