The **CIS Critical Security Controls Audio Course** is a comprehensive, audio-first training series that guides listeners through all eighteen **CIS Controls**, transforming one of the world’s most respected cybersecurity frameworks into clear, actionable learning. Designed for professionals, students, and auditors alike, this series explains each control in practical, plain language—focusing on how to implement, assess, and sustain them in real environments. With eighty-three structured episodes, the course walks you step by step through the safeguards that define effective cybersecurity, helping you understand not only what to do but why each measure matters. The **CIS Controls**, maintained by the Center for Internet Security, represent a globally recognized set of prioritized actions proven to reduce the most common and dangerous cyber risks. Organized across eighteen control families—from inventory and configuration management to incident response and data recovery—the framework provides a practical roadmap for building defensible, risk-aligned security programs. This course explores how organizations can adopt the controls incrementally, measure maturity over time, and map them to other standards such as NIST, ISO 27001, and PCI DSS for comprehensive alignment. Developed by **BareMetalCyber.com**, the CIS Critical Security Controls Audio Course delivers structured, exam-aligned instruction that bridges policy and practice. Each episode reinforces understanding through real-world context, helping listeners translate framework requirements into measurable actions that strengthen organizational resilience and long-term security maturity.
The CIS Critical Security Controls, often referred to as the CIS 18, represent a prioritized and prescriptive set of cybersecurity best practices designed to help organizations defend against the most pervasive and dangerous cyberattacks. Developed and maintained by the Center for Internet Security (CIS), these controls are informed by real-world threat data and expert consensus across government, academia, and industry. T...
Implementing the CIS 18 effectively begins with understanding how the Controls fit into your organization’s governance, risk management, and compliance efforts. The framework is intentionally flexible, allowing it to integrate seamlessly with existing standards and policies rather than replace them. The first step is conducting a baseline assessment against each Control to determine your organization’s current level of mat...
In the context of the CIS framework, a “control” is a broad security domain representing a strategic objective, while a “safeguard” refers to a specific, actionable measure within that control. Each of the 18 CIS Controls addresses a distinct functional area—such as asset management, access control, or data protection—and defines its importance in defending against real-world attacks. Safeguards, previously called sub-cont...
Understanding cybersecurity language is fundamental to applying the CIS Controls effectively. Many terms describe foundational components of systems, threats, and defenses that appear throughout the framework. Asset refers to any device, software, or data that the organization must protect, while enterprise assets include servers, workstations, and IoT devices that store or process information. Vulnerability denotes a flaw...
As cybersecurity practices mature, professionals encounter more specialized terminology that connects operational tactics to governance and technical architecture. Multi-Factor Authentication (MFA) enhances login security by requiring two or more proofs of identity—something you know, have, or are. Encryption transforms readable data into a coded form to protect its confidentiality both in transit and at rest. Patch manage...
Asset management is the cornerstone of every effective cybersecurity program because you cannot protect what you do not know exists. Control 1 of the CIS framework—Inventory and Control of Enterprise Assets—focuses on developing a precise, continually updated record of all devices, systems, and components connected to the enterprise environment. These include desktops, laptops, servers, network devices, mobile phones, and ...
Safeguard 1.1 directs organizations to establish and maintain a detailed inventory of all enterprise assets capable of storing or processing data. This includes not just traditional endpoints and servers but also virtual machines, network appliances, IoT devices, and cloud instances. The goal is to produce a living, authoritative record that accurately reflects the organization’s digital environment. Each entry in the inve...
Safeguard 1.2 emphasizes the importance of identifying and responding to unauthorized assets that appear within the enterprise environment. Unapproved devices can range from rogue wireless access points and personal laptops to forgotten test systems and decommissioned servers still connected to the network. Each represents a potential backdoor for attackers. The safeguard requires organizations to maintain an active proces...
The remaining safeguards under Control 1 build upon the foundation of asset inventory and unauthorized asset management by introducing proactive detection and continuous monitoring techniques. Safeguards 1.3 through 1.5 recommend using a combination of active, passive, and DHCP-based discovery methods to maintain a real-time view of connected assets. Active discovery tools periodically probe the network to identify devices...
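As an added example (not material from the course or from CIS), the following Python shows the DHCP-logging half of Safeguards 1.3 through 1.5 working together with the inventory from Safeguard 1.1 and the unauthorized-asset process from Safeguard 1.2: it parses ISC dhcpd syslog lines for confirmed leases (DHCPACK), reconciles them against an authorized inventory keyed by MAC address, and reports three things a practitioner actually acts on: devices that obtained a lease but are not in the inventory, inventory entries that have not been seen, and known devices whose announced hostname no longer matches the record. The log lines, MAC addresses, hostnames and inventory contents are constructed for illustration.

```python
import re

# Constructed sample syslog output from ISC dhcpd (hypothetical network, not from the page).
# Only DHCPACK lines confirm a lease; DISCOVER/OFFER/REQUEST lines are ignored.
SAMPLE_DHCP_LOG = """\
Jun  3 08:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 3c:52:82:aa:01:10 (fin-laptop-07) via eth0
Jun  3 08:12:40 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.16 to 3c:52:82:aa:01:11 (fin-laptop-08) via eth0
Jun  3 08:13:05 dhcp1 dhcpd[812]: DHCPDISCOVER from b8:27:eb:55:12:9a via eth0
Jun  3 08:13:06 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.77 to b8:27:eb:55:12:9a (raspberrypi) via eth0
Jun  3 08:15:22 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.16 to 3c:52:82:aa:01:11 (DESKTOP-Q7R2) via eth0
"""

# Constructed authorized inventory (Safeguard 1.1), keyed by lower-case MAC.
# A real record also carries owner, department, location and approval date.
AUTHORIZED_ASSETS = {
    "3c:52:82:aa:01:10": {"hostname": "fin-laptop-07", "owner": "finance"},
    "3c:52:82:aa:01:11": {"hostname": "fin-laptop-08", "owner": "finance"},
    "3c:52:82:aa:01:12": {"hostname": "fin-laptop-09", "owner": "finance"},
}

# dhcpd's ACK format: "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>"
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_dhcp_leases(log_text):
    """Return {mac: {"ip", "hostname", "iface"}} for every confirmed lease.

    The most recent DHCPACK for a MAC wins, so a device that re-announces a
    different hostname later in the log is recorded with that newer name.
    """
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        seen[m.group("mac").lower()] = {
            "ip": m.group("ip"),
            "hostname": m.group("host") or "",
            "iface": m.group("iface"),
        }
    return seen


def reconcile(seen, authorized):
    """Compare observed leases with the authorized inventory (Safeguard 1.2).

    unauthorized: obtained a lease but has no inventory record -> investigate/quarantine
    unseen:       in the inventory but never leased -> stale record or offline asset
    hostname_mismatch: known MAC announcing a different name -> reimaged or spoofed
    """
    unauthorized = {mac: rec for mac, rec in seen.items() if mac not in authorized}
    unseen = {mac: rec for mac, rec in authorized.items() if mac not in seen}
    hostname_mismatch = {
        mac: (authorized[mac]["hostname"], rec["hostname"])
        for mac, rec in seen.items()
        if mac in authorized and rec["hostname"] and rec["hostname"] != authorized[mac]["hostname"]
    }
    return {
        "unauthorized": unauthorized,
        "unseen": unseen,
        "hostname_mismatch": hostname_mismatch,
    }


if __name__ == "__main__":
    report = reconcile(parse_dhcp_leases(SAMPLE_DHCP_LOG), AUTHORIZED_ASSETS)
    for category, entries in report.items():
        print(f"{category}: {entries}")
```

Two caveats a practitioner should keep in mind: a MAC address is trivially spoofable, so a match against the inventory is evidence of authorization, not proof, and devices with static addresses never appear in DHCP logs at all. That is exactly why the safeguards call for DHCP logging alongside active and passive discovery rather than in place of them.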
Just as organizations must maintain visibility into their hardware, they must also control the software that runs on it. Control 2 of the CIS framework—Inventory and Control of Software Assets—addresses the risks introduced by unauthorized, outdated, or vulnerable applications. Every piece of software is a potential entry point for attackers, whether through unpatched flaws or malicious code disguised as legitimate ...
Safeguard 2.1 focuses on creating and maintaining a detailed, authoritative inventory of all software within an organization’s environment. This includes operating systems, applications, utilities, and any other programs capable of executing code or processing data. Each software entry should record its title, publisher, version, installation date, business purpose, and deployment mechanism. The inventory acts as the digit...
Safeguard 2.2 builds on inventory management by enforcing the principle that only approved and supported software should exist within the enterprise environment. Unauthorized or unmaintained applications can become significant liabilities, often introducing unpatched vulnerabilities or violating licensing and compliance obligations. This safeguard requires organizations to classify all software as either authorized or unau...
The remaining safeguards under Control 2 emphasize automation, enforcement, and continuous verification of software integrity. Safeguards 2.3 through 2.7 outline the operational lifecycle for managing software once the inventory and authorization baselines are established. They include removing or documenting exceptions for unauthorized software, using automated tools to detect installations, and deploying allowlists for a...
Data protection is the third pillar of the CIS Controls, and it addresses one of the most critical aspects of cybersecurity: safeguarding the organization’s most valuable asset—its information. Control 3 emphasizes the need to identify, classify, and secure data throughout its entire lifecycle, from creation to destruction. Unlike purely technical controls, data protection requires coordination across departments, blending...
Safeguard 3.1 instructs organizations to establish and maintain a structured data management process, beginning with classification and inventory. This process determines what data exists, where it resides, who owns it, and how sensitive it is. Classification typically categorizes information as public, internal, confidential, or restricted, though labels may vary depending on industry or regulation. The goal is to assign ...
Safeguard 3.2 ensures that organizations implement structured, defensible practices for retaining and disposing of data. Every enterprise accumulates vast amounts of information—some vital for business continuity, and some obsolete or redundant. Retaining data indefinitely increases both storage costs and security exposure. Attackers often exploit forgotten archives and unsecured backups because they contain sensitive info...
Safeguard 3.3 requires organizations to protect sensitive data through encryption, both when stored (at rest) and when moving across networks (in transit). Encryption transforms readable information into an unreadable form using cryptographic algorithms, ensuring that even if data is intercepted or stolen, it cannot be easily exploited. Encrypting data at rest protects information stored on servers, databases, laptops, or ...
The remaining safeguards under Control 3 extend data protection across its entire lifecycle, ensuring that sensitive information is both managed and monitored. These include establishing clear ownership of data, documenting data flows, segmenting storage environments by sensitivity, and deploying Data Loss Prevention (DLP) solutions. Data ownership assigns accountability—every dataset has a custodian responsible for its ha...
Secure configuration management forms the backbone of system hardening and operational stability. Control 4—Secure Configuration of Enterprise Assets and Software—addresses the risks associated with default settings, open services, and weak baseline security. Out-of-the-box configurations prioritize usability and convenience rather than protection, often leaving unnecessary features enabled or outdated protocols active. At...
Safeguard 4.1 requires organizations to establish and maintain formal, secure configuration processes for all enterprise assets and software. This means defining standard settings that enforce the principles of least functionality and defense in depth. Each configuration baseline should specify security parameters such as user permissions, network services, authentication methods, and encryption requirements. For example, ...
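As an added example (not from the course or from CIS), this Python checks one asset's configuration against a baseline of the kind Safeguard 4.1 describes. It parses an sshd_config-style file and reports every setting that drifts from the required value. The file contents and the required values are constructed for illustration; the fallback defaults are the ones OpenSSH 7.0 and later apply when a keyword is absent, which is the point the example makes: a commented-out line is not a setting, so the daemon's default applies, and a checker that only greps for the keyword would miss it.

```python
# Constructed baseline (hypothetical; real values come from a CIS Benchmark or an
# internal hardening standard). Keyword -> required value.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Defaults the daemon uses when a keyword is not set (OpenSSH 7.0+; lower-cased keys).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Constructed sshd_config: one wrong value, one setting present only as a comment,
# one correct setting, one too-permissive numeric value.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for a finance jump host
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
PermitRootLogin no
"""


def parse_keyword_config(text):
    """Parse 'Keyword value' (or 'Keyword=value') lines into {keyword_lower: value}.

    Mirrors sshd's rules: blank lines and lines beginning with '#' are comments,
    keywords are case-insensitive, and the FIRST occurrence of a keyword wins,
    so a later 'PermitRootLogin no' does not override an earlier 'yes'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, _, value = line.partition(" ")
        key = key.strip().lower()
        if key and key not in settings:
            settings[key] = value.strip()
    return settings


def check_baseline(settings, baseline, defaults):
    """Return a list of findings: (keyword, required, effective, source).

    source is 'explicit' when the file sets the value and 'default' when the
    daemon default applies because the keyword is missing or commented out.
    """
    findings = []
    for keyword, required in baseline.items():
        lookup = keyword.lower()
        if lookup in settings:
            effective, source = settings[lookup], "explicit"
        else:
            effective, source = defaults.get(lookup), "default"
        if effective != required:
            findings.append((keyword, required, effective, source))
    return findings


def audit_sshd_config(text):
    """Convenience wrapper: parse a config body and evaluate it against the baseline."""
    return check_baseline(parse_keyword_config(text), SSHD_BASELINE, SSHD_DEFAULTS)


if __name__ == "__main__":
    for keyword, required, effective, source in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {keyword}: required={required} effective={effective} ({source})")
```

Run against the sample, the checker flags PermitRootLogin (the first, permissive occurrence wins), PasswordAuthentication (only present as a comment, so the default of yes applies) and MaxAuthTries; X11Forwarding passes. The same parse-then-compare shape applies to any keyword/value configuration, and the defaults table is the part that needs to be maintained per product version when the baseline is reused across assets.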