The CIS Controls 7.1, also known as the CIS Critical Security Controls, are a prioritized set of defensive actions published by the Center for Internet Security to help organizations mitigate the most prevalent cyber-attacks. Widely adopted because they are concrete, vendor-neutral, and practical to implement, the controls apply to organizations of any size and sector.
This blog post starts by exploring CIS Controls 7.1 and then provides a free security questionnaire template that organizations can use to assess their own implementation of the controls. The template can be customized to specific security requirements and standards, and can also be used to evaluate the cybersecurity posture of third parties, supporting cyber hygiene and reducing security risk.
What are the CIS Controls 7.1?
Released in April 2019 by the Center for Internet Security (CIS), CIS Controls 7.1 is a minor revision of version 7 (2018). The controls and their sub-controls give organizations a prioritized, scalable framework for cyber defense and map to a range of regulatory and industry standards. Implementing the CIS Controls also provides a pathway to compliance with other cybersecurity frameworks such as the NIST Cybersecurity Framework, PCI DSS, ISO 27001, and NIST SP 800-53. CIS also provides a free self-assessment tool, CIS CSAT, which helps security leaders track and document their implementation.
Version 7.1 addresses the evolving digital landscape and the growing complexity of threats such as ransomware. Its 20 controls are grouped into three tiers: Basic, Foundational, and Organizational. Version 7.1 also introduced Implementation Groups (IG1, IG2, and IG3), which prioritize the sub-controls by an organization's size, resources, and risk profile, so that a small organization can start with IG1 rather than attempt all 20 controls at once. Note that 7.1 is no longer the current version: CIS Controls v8, covered below, replaced it in 2021.
Basic Controls
Basic Controls are the six controls CIS considers essential for any organization: knowing what hardware and software is on the network, managing vulnerabilities and patches, controlling administrative privileges, hardening configurations, and collecting and reviewing audit logs. They are the cornerstone of any cybersecurity program because most intrusions exploit gaps in exactly these areas, such as unknown devices, unpatched software, and over-privileged accounts.
By implementing these controls, an organization establishes a foundation that closes the most frequently exploited security gaps before investing in more specialized defenses. Included in this category are:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
Foundational Controls
Organizations that have implemented the Basic Controls should prioritize the Foundational Controls next. These add technical safeguards beyond the basics, such as email and web browser protections, malware defenses, network boundary defense, data protection, and data recovery capabilities.
By implementing Foundational Controls, organizations can fortify their defenses beyond the basics and establish a more comprehensive and resilient cybersecurity framework. This category includes the following controls:
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Organizational Controls
Organizational Controls emphasize the human and procedural factors in cybersecurity, complementing technology-based defenses with security program considerations and cyber hygiene practices. These controls recognize that well-informed, prepared individuals and well-designed processes are as important as the tooling. They cover security awareness training, secure application development, incident handling, and regular testing such as penetration tests and red team exercises.
These controls are essential for creating a security-conscious culture within the organization, ensuring that personnel integrate security practices into every level of the organization's operations and decision-making processes. Included in this category are:
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
CIS Controls 8
In May 2021, CIS released CIS Controls v8, which reorganizes the controls around activities rather than device types to reflect cloud services, mobile devices, and remote work. Version 8 reduces the total from 20 controls to 18 by merging overlapping topics, drops the Basic/Foundational/Organizational tiers in favor of the Implementation Groups, and adds Control 15, Service Provider Management, which covers cloud, software-as-a-service, and other third-party providers that hold an organization's data or run critical processes. It also expands the account and access management safeguards, including requirements for multi-factor authentication.
CIS Controls 7.1 Security Questionnaire
The following security questionnaire is an assessment tool for checking an organization's implementation of the CIS Controls 7.1 and the effectiveness of its safeguards. Organizations can adapt this self-assessment and validation tool to fit specific needs, including security policies, mitigation strategies, and risk management goals. A "Yes" answer should be backed by evidence (an inventory export, a scan report, a tested restore, a training record); the open field under each question is where that evidence, or the reason for a "No", is recorded, and a "Yes" without it should be treated as unverified.
Basic Controls
Inventory and Control of Hardware Assets
Do you maintain a complete and updated inventory of all hardware devices?
- Yes
- No
- [Open Field]
Are unauthorized devices automatically detected and prevented from accessing the network?
- Yes
- No
- [Open Field]
Is there a process to regularly review and validate the hardware inventory?
- Yes
- No
- [Open Field]
Inventory and Control of Software Assets
Is there an up-to-date inventory of all installed software?
- Yes
- No
- [Open Field]
Are unauthorized software installations detected and resolved promptly?
- Yes
- No
- [Open Field]
Do you regularly review and validate the software inventory for compliance?
- Yes
- No
- [Open Field]
Continuous Vulnerability Management
Do you conduct regular vulnerability scanning on all systems?
- Yes
- No
- [Open Field]
Is there a process for timely remediation of identified vulnerabilities?
- Yes
- No
- [Open Field]
Are vulnerability scan reports reviewed and acted upon regularly?
- Yes
- No
- [Open Field]
Controlled Use of Administrative Privileges
Are administrative privileges granted only based on roles and responsibilities?
- Yes
- No
- [Open Field]
Do you track and audit the use of administrative privileges?
- Yes
- No
- [Open Field]
Is there a process to revoke administrative privileges when they are no longer required?
- Yes
- No
- [Open Field]
Secure Configuration for Hardware and Software
Are secure configurations applied to all hardware and software upon installation?
- Yes
- No
- [Open Field]
Do you regularly update and validate secure configurations?
- Yes
- No
- [Open Field]
Are deviations from secure configurations detected and corrected promptly?
- Yes
- No
- [Open Field]
Maintenance, Monitoring, and Analysis of Audit Logs
Are audit logs collected from all systems and stored centrally?
- Yes
- No
- [Open Field]
Are logs retained for a defined period and protected from tampering or deletion?
- Yes
- No
- [Open Field]
Are audit logs regularly reviewed to detect anomalies and potential incidents?
- Yes
- No
- [Open Field]
Foundational Controls
Email and Web Browser Protections
Do you have mechanisms to filter out malicious email and web content?
- Yes
- No
- [Open Field]
Are email and web browser security settings configured and regularly updated?
- Yes
- No
- [Open Field]
Do you regularly train employees on email and web security best practices?
- Yes
- No
- [Open Field]
Malware Defenses
Is anti-malware software installed and active on all systems?
- Yes
- No
- [Open Field]
Are anti-malware definitions updated regularly?
- Yes
- No
- [Open Field]
Do you regularly review and respond to anti-malware alerts?
- Yes
- No
- [Open Field]
Limitation and Control of Network Ports, Protocols, and Services
Are unnecessary network ports, protocols, and services disabled on all systems?
- Yes
- No
- [Open Field]
Is there a process to regularly review and validate network port, protocol, and service configurations?
- Yes
- No
- [Open Field]
Do you monitor and log network port, protocol, and service activities?
- Yes
- No
- [Open Field]
Data Recovery Capabilities
Do you have a data backup and recovery plan in place?
- Yes
- No
- [Open Field]
Are backups tested regularly to ensure they can be restored?
- Yes
- No
- [Open Field]
Is backup data stored in a separate and secure location?
- Yes
- No
- [Open Field]
Secure Configuration for Network Devices
Are secure configurations applied to network devices such as firewalls, routers, and switches?
- Yes
- No
- [Open Field]
Do you regularly review and update network device configurations?
- Yes
- No
- [Open Field]
Are changes to network device configurations logged and audited?
- Yes
- No
- [Open Field]
Boundary Defense
Do you have perimeter defenses (e.g., firewalls, intrusion detection systems)?
- Yes
- No
- [Open Field]
Are inbound and outbound network traffic monitored for suspicious activities?
- Yes
- No
- [Open Field]
Do you regularly update and test the effectiveness of boundary defenses?
- Yes
- No
- [Open Field]
Data Protection
Is sensitive data identified and classified?
- Yes
- No
- [Open Field]
Are controls in place to prevent unauthorized access to sensitive data?
- Yes
- No
- [Open Field]
Is data encrypted during transit and at rest?
- Yes
- No
- [Open Field]
Controlled Access Based on the Need to Know
Is access to sensitive information restricted based on a need-to-know basis?
- Yes
- No
- [Open Field]
Are access controls reviewed and updated regularly?
- Yes
- No
- [Open Field]
Do you maintain logs of access to sensitive information?
- Yes
- No
- [Open Field]
Wireless Access Control
Are wireless networks secured and encrypted?
- Yes
- No
- [Open Field]
Do you monitor and control wireless network access?
- Yes
- No
- [Open Field]
Are unauthorized wireless access points detected and disabled?
- Yes
- No
- [Open Field]
Account Monitoring and Control
Are user accounts regularly reviewed for necessary permissions?
- Yes
- No
- [Open Field]
Are inactive accounts disabled promptly?
- Yes
- No
- [Open Field]
Do you monitor and log account activity, especially for privileged accounts?
- Yes
- No
- [Open Field]
Organizational Controls
Implement a Security Awareness and Training Program
Do you have a formal security awareness training program for all employees?
- Yes
- No
- [Open Field]
Is security training conducted regularly and updated to address new threats?
- Yes
- No
- [Open Field]
Do you test employee awareness, for example, through phishing simulations?
- Yes
- No
- [Open Field]
Application Software Security
Are security practices integrated into your software development lifecycle?
- Yes
- No
- [Open Field]
Do you conduct regular security testing of applications?
- Yes
- No
- [Open Field]
Are application security incidents logged and analyzed?
- Yes
- No
- [Open Field]
Incident Response and Management
Do you have an incident response plan?
- Yes
- No
- [Open Field]
Is the incident response plan regularly tested and updated?
- Yes
- No
- [Open Field]
Are all employees trained on their roles in the incident response plan?
- Yes
- No
- [Open Field]
Penetration Tests and Red Team Exercises
Do you conduct regular penetration tests to evaluate security?
- Yes
- No
- [Open Field]
Are results from penetration tests used to improve security measures?
- Yes
- No
- [Open Field]
Do you employ red team exercises to simulate real-world attacks?
- Yes
- No
- [Open Field]
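The questionnaire above is easier to reuse across vendors when it is machine-readable and scored the same way every time. The following Python script is an added example, not UpGuard's or CIS's code: it encodes a subset of the questions in the questionnaire's tier/control structure, treats the open-field text as the evidence behind a "Yes" answer, and reports per-tier coverage together with a gap list ordered Basic first, matching the order in which the tiers are meant to be implemented. The vendor responses it runs over are constructed for illustration.

```python
# Added example (not UpGuard's or CIS's code). QUESTIONNAIRE holds a subset of
# the page's questions in the same tier -> control -> questions shape; extend
# it with the remaining controls. SAMPLE_RESPONSES is constructed.
QUESTIONNAIRE = {
    "Basic": {
        "Inventory and Control of Hardware Assets": [
            "Do you maintain a complete and updated inventory of all hardware devices?",
            "Are unauthorized devices automatically detected and prevented from accessing the network?",
        ],
        "Controlled Use of Administrative Privileges": [
            "Are administrative privileges granted only based on roles and responsibilities?",
            "Do you track and audit the use of administrative privileges?",
        ],
    },
    "Foundational": {
        "Data Recovery Capabilities": [
            "Do you have a data backup and recovery plan in place?",
            "Are backups tested regularly to ensure they can be restored?",
        ],
        "Data Protection": [
            "Is data encrypted during transit and at rest?",
        ],
    },
    "Organizational": {
        "Incident Response and Management": [
            "Do you have an incident response plan?",
            "Is the incident response plan regularly tested and updated?",
        ],
    },
}

# Tiers are implemented in this order, so gaps are reported Basic first.
TIER_ORDER = ["Basic", "Foundational", "Organizational"]

# Constructed vendor responses: question -> (Yes/No, open-field text).
# The open-field text is treated as the evidence behind a "Yes".
SAMPLE_RESPONSES = {
    "Do you maintain a complete and updated inventory of all hardware devices?":
        ("Yes", "CMDB export attached; reconciled weekly against DHCP leases"),
    "Are unauthorized devices automatically detected and prevented from accessing the network?":
        ("No", "802.1X rollout planned"),
    "Are administrative privileges granted only based on roles and responsibilities?":
        ("Yes", ""),  # a bare Yes with nothing to back it up
    "Do you track and audit the use of administrative privileges?":
        ("Yes", "sudo and PAM session logs forwarded to the SIEM"),
    "Do you have a data backup and recovery plan in place?":
        ("Yes", "Backup policy document attached"),
    "Are backups tested regularly to ensure they can be restored?":
        ("No", ""),
    "Is data encrypted during transit and at rest?":
        ("Yes", "TLS 1.2+ in transit; full-volume encryption at rest"),
    "Do you have an incident response plan?":
        ("Yes", "IR plan attached"),
    # "Is the incident response plan regularly tested and updated?" left blank
}


def assess(responses, questionnaire=QUESTIONNAIRE):
    """Return (summary, gaps).

    summary maps each tier to {"total", "satisfied", "score"}; gaps is a list
    of (tier, control, question, reason) in tier order. A question counts as
    satisfied only when answered "Yes" with evidence. A bare "Yes" is reported
    as unverified, a "No" as not implemented, and a missing answer as not
    answered, so nothing passes silently.
    """
    summary, gaps = {}, []
    for tier in TIER_ORDER:
        total = satisfied = 0
        for control, questions in questionnaire.get(tier, {}).items():
            for question in questions:
                total += 1
                answer, evidence = responses.get(question, (None, ""))
                if answer == "Yes" and evidence.strip():
                    satisfied += 1
                elif answer == "Yes":
                    gaps.append((tier, control, question, "unverified: no evidence supplied"))
                elif answer == "No":
                    gaps.append((tier, control, question, "control not implemented"))
                else:
                    gaps.append((tier, control, question, "not answered"))
        summary[tier] = {
            "total": total,
            "satisfied": satisfied,
            "score": round(satisfied / total, 2) if total else 0.0,
        }
    return summary, gaps


def report(responses, questionnaire=QUESTIONNAIRE):
    """Render the assessment as plain text for the reviewer."""
    summary, gaps = assess(responses, questionnaire)
    lines = [f"{tier}: {s['satisfied']}/{s['total']} satisfied ({s['score']:.0%})"
             for tier, s in summary.items()]
    lines.append(f"{len(gaps)} gap(s), highest priority first:")
    lines += [f"  [{tier}] {control}: {reason}" for tier, control, _, reason in gaps]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSES))
```

Run it as a script to print the report. The non-empty evidence check only stops a bare "Yes" from scoring; a reviewer still has to read the evidence, and in a real vendor review the open-field text would normally be a reference to an attached artefact rather than a sentence.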
Enhance Your Organization’s Cybersecurity Posture with UpGuard
The CIS Controls 7.1 are a solid foundation for a strong cybersecurity posture, but if your organization wants to go a step further, UpGuard can help. Our all-in-one external attack surface management platform, BreachSight, has everything you need to manage your cybersecurity efforts, from risk identification to remediation and beyond.
BreachSight helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected. Our user-friendly platform makes it easy to view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents. Other features include:
- Data Leak Detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- Continuous Monitoring: Analysis tools provide real-time information and manage exposures, including domains, IPs, and employee credentials
- Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Shared Security Profile: Eliminate having to answer security questionnaires by creating an UpGuard Trust Page
- Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
- Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface