About This File
The CIS Controls® started as a simple grassroots activity to identify the most common
and important real-world cyber-attacks that affect enterprises every day, translate that
knowledge and experience into positive, constructive action for defenders, and then
share that information with a wider audience. The original goals were modest—to help
people and enterprises focus their attention and get started on the most important
steps to defend themselves from the attacks that really mattered.
Led by the Center for Internet Security® (CIS®), the CIS Controls have matured into an
international community of volunteer individuals and institutions that:
• Share insights into attacks and attackers, identify root causes, and translate that
into classes of defensive action
• Create and share tools, working aids, and stories of adoption and problem-solving
• Map the CIS Controls to regulatory and compliance frameworks in order to ensure
alignment and bring collective priority and focus to them
• Identify common problems and barriers (like initial assessment and implementation
roadmaps), and solve them as a community
The CIS Controls reflect the combined knowledge of experts from every part of the
ecosystem (companies, governments, individuals), with every role (threat responders
and analysts, technologists, information technology (IT) operators and defenders,
vulnerability-finders, tool makers, solution providers, users, policy-makers, auditors,
etc.), and across many sectors (government, power, defense, finance, transportation,
academia, consulting, security, IT, etc.), who have banded together to create, adopt, and
support the CIS Controls.
