What are CIS Controls?
CIS Controls are a set of 18 prioritized cybersecurity best practices developed by the Center for Internet Security (CIS). Designed to help organizations protect themselves from the most common cyber threats, CIS Controls provide a clear, actionable roadmap for improving security posture, managing risk, and supporting compliance efforts.
CIS Controls Overview
CIS Controls offer a practical framework for building a layered security strategy to defend systems, networks, and data against modern cyber threats. Organized into 18 top-level categories, each control provides specific safeguards that help organizations prioritize and implement defenses based on their size, resources, and risk profile.
To support scalability, CIS introduced Implementation Groups (IGs) that allow organizations to strategically build their security stack over time:
- IG1 focuses on essential cyber hygiene practices that every organization should implement.
- IG2 adds more advanced protections for organizations with moderate complexity and larger environments.
IG3 provides comprehensive defenses for enterprises managing high-value assets and facing elevated risk.
CIS Controls are widely recognized across industries and align with major compliance frameworks such as NIST, HIPAA, CMMC, and SOC 2. They offer a structured, resource-conscious path for organizations seeking to strengthen security posture without unnecessary complexity.
Why Organizations Use CIS Controls
Organizations adopt CIS Controls to create a focused, prioritized security foundation that addresses real-world threats. The framework is built to be practical, scalable, and achievable—even for resource-constrained teams.
- Responds to the rise of ransomware, phishing, and supply chain attacks
- Offers a structured, phased approach to cybersecurity maturity
- Supports regulatory and customer-driven compliance needs
- Simplifies vendor and client security assurance processes
Security Benefits of CIS Controls
Implementing CIS Controls improves an organization's ability to anticipate, withstand, and respond to cyberattacks. They provide a strong foundation for internal security practices while also supporting organizations in navigating cloud compliance challenges and building trust with external stakeholders.
- Strengthens baseline security with practical, prioritized safeguards
- Streamlines audit preparation for SOC 2, HIPAA, and other frameworks
- Reduces ransomware and phishing risks through preventive controls
- Improves communication between security, IT, and business leadership teams
Types of CIS Controls
CIS Controls are organized into 18 core categories. Several areas are especially important for DNS security:
- Control 4: Secure Configuration of Enterprise Assets and Software
- Enforces trusted DNS settings to reduce vulnerabilities at the network level.
- Enforces trusted DNS settings to reduce vulnerabilities at the network level.
- Control 9: Email and Web Browser Protections
- Recommends DNS filtering to block access to malicious domains and reduce phishing risks.
- Recommends DNS filtering to block access to malicious domains and reduce phishing risks.
- Control 13: Network Monitoring and Defense
- Emphasizes DNS filtering and traffic monitoring to detect and block unauthorized activity.
These controls highlight DNS filtering as a foundational defense against many forms of cyberattack.
CIS Controls and Implementation Groups
CIS Controls are mapped to Implementation Groups (IG1–IG3) to help organizations prioritize actions:
- IG1 (Essential Cyber Hygiene): Minimum safeguards every organization should implement.
- IG2 (Intermediate Protections): Expands protections for organizations with moderate risk.
- IG3 (Advanced Protections): Designed for enterprises managing sensitive or high-impact data.
Organizations can download our CIS Controls Checklist to assess current safeguards and prioritize next steps based on Implementation Groups (IG1–IG3).
CIS Controls vs. CIS Benchmarks vs. NIST
CIS Controls are often used alongside other cybersecurity tools and frameworks. Understanding how they compare to CIS Benchmarks and the NIST Cybersecurity Framework can help clarify when and how to use each one effectively:
|
Framework |
Focus |
Example Use Case |
|
CIS Controls |
What to do (best practices) |
Prioritizing security investments |
|
CIS Benchmarks |
How to configure systems |
Hardening Windows, Linux, cloud platforms |
|
NIST CSF |
Broad risk management framework |
Mapping enterprise-wide security strategy |
While the CIS Controls focus on what actions to take and the CIS Benchmarks define how to securely configure systems, both complement the broader risk strategy offered by the NIST CSF. Together, they provide layered guidance that supports DNS filtering as a practical measure for reducing exposure to common threats and aligning with foundational security best practices.
Examples of CIS Controls in Action
Organizations across industries can strengthen their cybersecurity posture by adopting CIS Controls. Here are examples of who might benefit and how they apply these best practices in real-world scenarios.
Who Might Use CIS Controls?
- Healthcare Provider: Implements IG1 controls to meet HIPAA requirements and protect patient data against ransomware.
- Manufacturing Companies: Uses CIS Controls as a foundation for SOC 2 audit preparation and to reduce phishing and supply chain risks.
- Technology Company: Deploys DNS filtering to comply with Control 9.2 and 13.6, blocking malicious domains and monitoring suspicious network traffic.
Managed service providers (MSPs) and IT teams can learn how MSPs align with CIS Controls and broader compliance frameworks in our expert webinar.
Looking to Strengthen Your Security Foundation?
DNSFilter supports organizations looking to align with CIS Controls by providing DNS filtering that protects users against phishing, malware, and unauthorized access. See how adding DNS security can help reinforce your cybersecurity strategy.
Learn more about DNSFilter’s role in a CIS Controls-based defense →