CIS 18 Critical Security Controls — Simplified for Everyday Use
A plain-English walkthrough of the 18 controls that any organization — from a two-person shop to an enterprise — can use to dramatically raise the bar against attackers.
Cybersecurity can feel overwhelming — there are dozens of frameworks and a thousand “best practices.” The CIS Controls cut through that noise with 18 prioritized, practical steps. Here’s each one in plain English: what to do, and what happens if you don’t.
The CIS Critical Security Controls (currently at version 8.1) are a prioritized set of safeguards maintained by the Center for Internet Security. They’re free, framework-agnostic, and map cleanly to NIST CSF, ISO 27001, and PCI DSS. The key idea: you don’t have to do everything at once. Start with the highest-impact controls and layer in the rest over time.
Below, we’ve grouped the 18 controls into four logical themes so they’re easier to digest — but we’ve kept them in their original numbered order so you can match them back to the official list.
Each control card tells you the action to take and the consequence of skipping it. If you’re just getting started, focus on Controls 1–6 first — they form the foundation everything else builds on.
Know Your Environment
You can’t protect what you can’t see. The first four controls are about gaining full visibility into your devices, software, data, and how everything is configured.
Control 1: Inventory and Control of Enterprise Assets (Foundational)
Do: Keep an updated list of every device — computers, servers, mobile, IoT, and cloud instances.
Skip it: Unknown or rogue devices slip into your network unnoticed.

Control 2: Inventory and Control of Software Assets (Foundational)
Do: Track all software in use and only allow approved applications to run.
Skip it: Unverified or outdated software opens the door to malware and exploits.

Control 3: Data Protection (High Priority)
Do: Identify sensitive data, protect it in transit and at rest, and delete it when it’s no longer needed.
Skip it: Data leaks or accidental exposure damage reputation and trust.

Control 4: Secure Configuration of Enterprise Assets and Software (High Priority)
Do: Harden system settings and apply secure baselines across devices and apps.
Skip it: Default or weak settings are easily exploited.
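Controls 1 and 2 both come down to the same routine check: compare what you believe you own against what a scan actually found. The script below is an added example, not code from the CIS Controls or from OrcaSecure. It assumes a hand-maintained inventory keyed by a unique asset identifier (a MAC address is used here purely as constructed sample data) and a scan result listing each discovered device with its installed packages; it reports rogue devices, approved devices the scan did not see, and software outside the allow-list.

```python
"""Reconcile an approved asset/software inventory against a discovery scan (CIS Controls 1 and 2)."""
from dataclasses import dataclass, field

# Constructed sample data: the inventory an admin maintains by hand.
# Keyed by a unique asset identifier; MAC addresses are used here only for illustration.
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "laptop-alice",
    "aa:bb:cc:00:00:03": "printer-2f",
}
# Constructed allow-list of software that is permitted to run anywhere in the estate.
APPROVED_SOFTWARE = {"openssh", "nginx", "postgresql", "libreoffice"}

# Constructed sample scan output: (asset id, reported hostname, installed packages).
SCAN_RESULTS = [
    ("aa:bb:cc:00:00:01", "fileserver-01", ["openssh", "nginx", "postgresql"]),
    ("aa:bb:cc:00:00:02", "laptop-alice", ["openssh", "libreoffice", "anydesk"]),
    ("aa:bb:cc:00:00:09", "unknown-iot", ["busybox-httpd"]),
]


@dataclass
class ReconcileReport:
    rogue_devices: list = field(default_factory=list)      # seen by scan, not in inventory
    missing_devices: list = field(default_factory=list)    # in inventory, not seen by scan
    unapproved_software: dict = field(default_factory=dict)  # hostname -> packages off the allow-list


def reconcile(approved_devices, approved_software, scan_results):
    """Return a report of every gap between the inventory and the scan."""
    report = ReconcileReport()
    seen = set()
    for asset_id, hostname, packages in scan_results:
        seen.add(asset_id)
        if asset_id not in approved_devices:
            # Control 1: a device we did not know about is on the network.
            report.rogue_devices.append((asset_id, hostname))
        # Control 2: anything outside the allow-list is reported, on known and rogue devices alike.
        extra = sorted(set(packages) - approved_software)
        if extra:
            report.unapproved_software[hostname] = extra
    # Devices we expect to exist but the scan did not find: decommissioned, offline, or hidden.
    report.missing_devices = sorted(
        name for asset_id, name in approved_devices.items() if asset_id not in seen
    )
    return report


if __name__ == "__main__":
    result = reconcile(APPROVED_DEVICES, APPROVED_SOFTWARE, SCAN_RESULTS)
    print("Rogue devices:      ", result.rogue_devices)
    print("Missing devices:    ", result.missing_devices)
    print("Unapproved software:", result.unapproved_software)
```

In practice the two inputs come from your asset database and from whatever discovery tooling you already run (DHCP leases, an agent, a network scanner); the useful part is running the reconciliation on a schedule and treating every row of the report as a ticket, since an identifier such as a MAC address is easy to change and a device that falls off the scan is as interesting as one that appears.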
Identity, Access & Hygiene
Once you know what you have, control who can touch it — and keep everything patched and watched. These five controls cover accounts, privileges, patching, logging, and the two riskiest doorways: email and the browser.
Control 5: Account Management (Access)
Do: Properly create, change, and remove user accounts across their lifecycle.
Skip it: Dormant or shared accounts get hijacked by attackers.

Control 6: Access Control Management (Access)
Do: Give users only the access they need — the principle of “least privilege.”
Skip it: Over-privileged accounts make every breach far worse.
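Controls 5 and 6 are usually checked together against an export of your directory. The script below is an added example, not code from the CIS Controls or from OrcaSecure. It assumes a constructed account export (username, role, group memberships, last interactive login) and a constructed role-to-groups policy, and flags three things: accounts that have not logged in within a dormancy window, accounts that are shared by naming convention, and accounts holding groups their role does not entitle them to.

```python
"""Audit an account export for dormant, shared and over-privileged accounts (CIS Controls 5 and 6)."""
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumed policy: no interactive login for 90 days means "dormant"

# Constructed sample directory export. last_login is an ISO date or None.
ACCOUNTS = [
    {"user": "alice", "role": "developer", "groups": ["dev"], "last_login": "2024-05-01", "active": True},
    {"user": "bob", "role": "helpdesk", "groups": ["helpdesk", "domain-admins"], "last_login": "2024-05-02", "active": True},
    {"user": "carol", "role": "finance", "groups": ["finance"], "last_login": "2023-11-20", "active": True},
    {"user": "shared-reception", "role": "reception", "groups": ["front-desk"], "last_login": "2024-05-03", "active": True},
    {"user": "svc-backup", "role": "service", "groups": ["backup-operators"], "last_login": None, "active": True},
    {"user": "dave", "role": "developer", "groups": ["dev", "domain-admins"], "last_login": "2023-01-15", "active": False},
]

# Constructed policy: the groups each role legitimately needs (least privilege baseline).
ROLE_ENTITLEMENTS = {
    "developer": {"dev"},
    "helpdesk": {"helpdesk"},
    "finance": {"finance"},
    "reception": {"front-desk"},
    "service": {"backup-operators"},
}


def audit_accounts(accounts, entitlements, today, dormant_days=DORMANT_DAYS):
    """Return a list of (user, finding) tuples for every active account that breaks policy."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["active"]:
            continue  # disabled accounts are already out of the lifecycle; nothing to flag
        user = acct["user"]

        # Control 5: dormant accounts. Service accounts authenticate non-interactively,
        # so a missing interactive login is expected for them and is not flagged here.
        last = acct["last_login"]
        if last is None:
            if acct["role"] != "service":
                findings.append((user, "never-logged-in"))
        elif date.fromisoformat(last) < cutoff:
            findings.append((user, "dormant"))

        # Control 5: shared accounts, identified here by the constructed "shared-" prefix.
        if user.startswith("shared-"):
            findings.append((user, "shared-account"))

        # Control 6: least privilege. Any group beyond the role's entitlement is excess.
        excess = sorted(set(acct["groups"]) - entitlements.get(acct["role"], set()))
        if excess:
            findings.append((user, "excess-groups:" + ",".join(excess)))
    return findings


def run_audit(today_iso="2024-05-10"):
    """Convenience wrapper: audit the constructed export as of the given date."""
    return audit_accounts(ACCOUNTS, ROLE_ENTITLEMENTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:20} {finding}")
```

The role-to-groups table is the part worth maintaining: once it exists, the same comparison catches privilege that was granted for a project and never removed, which is the quiet way accounts end up over-privileged.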
Control 7: Continuous Vulnerability Management (Patching)
Do: Regularly scan for and patch vulnerabilities.
Skip it: Attackers exploit known flaws faster than you’d expect.

Control 8: Audit Log Management (Visibility)
Do: Collect and review logs for suspicious activity.
Skip it: Incidents go undetected and can’t be investigated properly.
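"Review logs for suspicious activity" is vague until you write the first rule. The script below is an added example, not code from the CIS Controls or from OrcaSecure. It parses a handful of constructed OpenSSH-style authentication log lines and raises an alert when a single source address accumulates a threshold of failed logins inside a short time window; the threshold, window and log year are assumptions chosen for the sample.

```python
"""Parse sample auth log lines and detect failed-login bursts per source address (CIS Control 8)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the style of an OpenSSH auth log. Syslog omits the year,
# so the parser takes one as a parameter (2024 assumed below).
LOG_LINES = """\
May 10 08:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 10 08:00:03 bastion sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
May 10 08:00:04 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 10 08:00:06 bastion sshd[1204]: Failed password for alice from 203.0.113.7 port 51244 ssh2
May 10 08:00:08 bastion sshd[1205]: Failed password for bob from 203.0.113.7 port 51250 ssh2
May 10 08:00:10 bastion sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
May 10 08:05:00 bastion sshd[1210]: Failed password for alice from 198.51.100.4 port 40010 ssh2
May 10 08:05:30 bastion sshd[1211]: Accepted password for alice from 198.51.100.4 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines, year=2024):
    """Turn raw lines into (timestamp, event, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: max failures seen inside any window_seconds span} for ips that reach the threshold."""
    failures_by_ip = defaultdict(list)
    for ts, event, _user, ip in events:
        if event == "Failed":
            failures_by_ip[ip].append(ts)

    alerts = {}
    for ip, times in failures_by_ip.items():
        times.sort()
        start = 0
        # Sliding window: advance 'start' until the span [start, end] fits inside the window.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(parse(LOG_LINES)).items():
        print(f"ALERT {ip}: {count} failed logins within 60s")
```

The single user mistyping a password once at 08:05 stays below the threshold, which is the point of counting per source inside a window rather than alerting on every failure. The same structure extends to other events once the log is centralised, and the log must be collected somewhere the attacker cannot reach, or the review never happens.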
Control 9: Email and Web Browser Protections (Top Threat Vector)
Do: Use filters, security add-ons, and safe browsing policies.
Skip it: Phishing and drive-by malware are just one click away.
Defense & Resilience
This group is about stopping malware, surviving the worst day, and keeping eyes on your network. If something does get through, these controls determine how fast you recover.
Control 10: Malware Defenses (Critical)
Do: Run and update antivirus and EDR (Endpoint Detection and Response) tools.
Skip it: One infected system spreads across your network fast.

Control 11: Data Recovery (Ransomware Defense)
Do: Maintain secure backups and actually test your restore process.
Skip it: You may lose everything after a ransomware attack.

Control 12: Network Infrastructure Management (Network)
Do: Configure and maintain routers, firewalls, and switches securely.
Skip it: Misconfigurations quietly expose internal systems.

Control 13: Network Monitoring and Defense (Detection)
Do: Continuously watch for abnormal traffic and intrusions.
Skip it: Breaches can persist undetected for months.
Control 11 (Data Recovery) is the single most important defense against ransomware. Tested, offline backups turn a business-ending event into an inconvenient afternoon. Backups you’ve never restored from are just hope, not a plan.
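A restore test only proves something if it checks the restored data, not just that the job finished. The script below is an added example, not code from the CIS Controls or from OrcaSecure. It builds a small constructed source tree in a temporary directory, records a SHA-256 manifest before backup, copies the data through a "backup" and a "restore" step, and then verifies every file against the manifest; a tamper flag simulates a backup that was silently corrupted and lost a file, which is exactly what an untested backup hides.

```python
"""Restore drill: verify restored files against a hash manifest taken before backup (CIS Control 11)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Return [(relative path, 'missing' | 'corrupted')] for every file that did not survive the round trip."""
    restored_root = Path(restored_root)
    problems = []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != digest:
            problems.append((rel, "corrupted"))
    return problems


def restore_drill(tamper=False):
    """Run the whole drill on constructed data; with tamper=True the backup is damaged before restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed content
        (source / "config.ini").write_text("[app]\nmode=prod\n")            # constructed content

        manifest = build_manifest(source)   # taken before the backup, stored separately from it

        backup = Path(tmp) / "backup"
        shutil.copytree(source, backup)     # stands in for the real backup job
        if tamper:
            # Simulate a backup set that was corrupted and partially lost.
            (backup / "docs" / "ledger.csv").write_text("id,amount\n1,999\n")
            (backup / "config.ini").unlink()

        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)   # stands in for the real restore job
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean drill:   ", restore_drill())
    print("tampered drill:", restore_drill(tamper=True))
```

Keep the manifest somewhere the backup job cannot overwrite, and run the drill from the same offline copy you would actually reach for after ransomware; a drill against a backup that is still writable by the production systems tests the wrong thing.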
People, Process & Validation
Technology alone won’t save you. The final five controls cover your people, your vendors, how you build software, and how you prove the whole thing actually works.
Control 14: Security Awareness and Skills Training (Human Layer)
Do: Teach staff how to recognize and avoid cyber risks.
Skip it: People remain your weakest and easiest attack surface.

Control 15: Service Provider Management (Supply Chain)
Do: Vet and monitor third-party vendors for security compliance.
Skip it: A vendor’s breach quickly becomes your breach.

Control 16: Application Software Security (Development)
Do: Build and deploy software securely, and test it for vulnerabilities.
Skip it: Insecure apps leak data or allow remote exploits.

Control 17: Incident Response Management (Critical)
Do: Plan, train, and test how you’ll detect and respond to attacks.
Skip it: Chaos reigns when an incident actually hits.

Control 18: Penetration Testing (Validation)
Do: Simulate real attacks to find weaknesses before hackers do.
Skip it: You’ll never know how effective your defenses really are.
CIS sorts these safeguards into three Implementation Groups (IG1, IG2, IG3). IG1 is the “essential cyber hygiene” baseline — start there. Most small businesses can fully implement IG1 and already shut down the large majority of common attacks.
Why These Controls Matter
These 18 controls aren’t just theory — they’re battle-tested practices used worldwide to reduce cyber risk. By implementing even a handful of them, you significantly raise the bar for attackers and force them to work harder, make noise, and trip your defenses.
Start small. Automate what you can. Educate your team. Over time, these steps stop being a “project” and become part of your everyday operations — and your organization’s strongest, most durable defense.
If you’d like help mapping the CIS Controls to your specific environment — or figuring out which IG1 safeguards to tackle first — the OrcaSecure team is here to help.
Based on the official CIS Controls list at cisecurity.org/controls/cis-controls-list, with plain-English notes and groupings added by the OrcaSecure team.