October 18, 2025 | 8 mins

The CIS Critical Security Controls, often referred to as the CIS 18, represent a prioritized and prescriptive set of cybersecurity best practices designed to help organizations defend against the most pervasive and dangerous cyberattacks. Developed and maintained by the Center for Internet Security (CIS), these controls are informed by real-world threat data and expert consensus across government, academia, and industry. The framework distills complex cybersecurity guidance into actionable steps that focus resources where they matter most—on preventing, detecting, and responding to the most common types of attacks. Unlike theoretical frameworks, the CIS Controls are practical, measurable, and adaptable to enterprises of all sizes. They serve as a foundation for building or strengthening a security program by addressing core areas such as asset management, access control, data protection, incident response, and penetration testing. Together, the 18 Controls form a roadmap toward a defensible security posture that aligns with major frameworks like NIST CSF, ISO 27001, and SOC 2 while remaining accessible to smaller organizations.

Each Control is composed of multiple safeguards—specific technical and procedural measures designed to achieve the desired security outcome. These safeguards are organized into Implementation Groups (IG1, IG2, and IG3), which allow organizations to adopt controls according to their size, resources, and risk tolerance. IG1 represents essential cyber hygiene applicable to nearly every organization, while IG3 applies to enterprises facing sophisticated threats. This scalable design helps teams implement security systematically rather than reactively, ensuring that even limited budgets can produce meaningful risk reduction. The CIS Controls also form the basis for numerous companion guides—covering cloud, IoT, mobile, and industrial environments—that help translate best practices into sector-specific contexts. As cyber threats evolve, the CIS community continually refines these Controls, ensuring that every recommendation remains data-driven, transparent, and aligned with real-world attacker behavior.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Episode 1, Course Orientation and How to Use This Series, where we begin by setting clear expectations for your learning journey. This course is designed as an audio-based exploration of the Center for Internet Security Critical Security Controls, often called the CIS Controls. You will hear explanations, examples, and context that transform a technical framework into something practical and usable. In this introduction, we will outline how the series is structured, how to use each episode effectively, and what you should expect to take away. Think of this as a guided roadmap, one that will help you connect the dots between control language, evidence requirements, and day-to-day security practice, whether you are leading a program or learning the ropes.

(00:45):
This course was developed for a broad audience, but it speaks especially to those responsible for building or improving cybersecurity programs. It is suitable for analysts, auditors, managers, consultants, and students preparing for certification exams or entering the workforce. Each episode assumes only basic familiarity with cybersecurity terms, so even if you are new, you will not feel lost. Experienced professionals will find the lessons useful for refreshing fundamentals and comparing approaches to frameworks they already know. By the end of this series, everyone will share a consistent understanding of how the CIS Controls fit into modern security operations.

(01:24):
By completing the series, you will build both conceptual understanding and practical capability. The outcome is not a certificate but a set of working skills—how to interpret requirements, collect evidence, and prepare for assessments. You will learn to build a lightweight governance model around the controls and to think about implementation as an ongoing cycle, not a one-time project. The episodes will help you produce documentation, measure your maturity, and communicate results to leadership or auditors. Over time, this process becomes the backbone of an always-ready security program.

(01:59):
To begin, it is useful to know what the CIS Controls actually are. The CIS Controls are a set of prioritized cybersecurity best practices maintained by the Center for Internet Security, a nonprofit organization that gathers experts from across industry and government. The framework includes eighteen major controls and more than one hundred safeguards, each describing a specific defensive action. They are designed to protect organizations of all sizes from the most common and damaging types of attacks. Think of them as the universal checklist of good security hygiene, but expressed in a structured, measurable way that maps to other standards such as NIST and ISO.

(02:39):
Within this framework are the Implementation Groups, which act as tiers of maturity. Implementation Group One focuses on essential cyber hygiene, the basic controls every organization should implement. Implementation Group Two builds on that foundation, adding more robust procedures and automation for enterprises with moderate risk or regulatory needs. Implementation Group Three applies to organizations facing advanced threats and complex environments. Knowing your group helps you right-size your efforts and prevents you from over-engineering solutions that do not match your scale.

(03:14):
Every episode in this series follows a clear structure designed for audio learning. Each begins with a short introduction that explains the focus area, followed by a sequence of paragraphs that unpack the topic in plain language. Rather than lists or diagrams, the narration uses natural flow, linking each concept to the next. This design allows you to absorb information while commuting, walking, or studying without visuals. The last paragraph always closes the idea naturally, providing a sense of completion without abrupt transitions or summaries.

(03:46):
As you move through the episodes, you will learn how to track progress and measure results. The CIS Controls framework encourages organizations to score their implementation levels by reviewing safeguards, documenting status, and identifying gaps. This can be done manually in a spreadsheet or by using free tools from the Center for Internet Security. Tracking progress helps maintain accountability and shows how small improvements accumulate over time. Regular self-assessment also prepares you for formal audits and provides leadership with measurable evidence of growth.

(04:21):
Evidence collection is a cornerstone of good cybersecurity governance. You will learn how to create and maintain an evidence library—a central repository where screenshots, configurations, policies, and reports are stored and labeled according to the controls they support. This practice saves enormous time during audits or compliance reviews. An effective library does not have to be elaborate; even organized folders on a shared drive can serve the purpose if they are structured logically and kept current. The goal is to make proof of implementation quick to find and easy to verify.

(04:56):
Small teams often struggle with tool selection, so the series will discuss pragmatic approaches for limited budgets. You will hear about simple ways to use existing software for inventory, patching, and logging without buying new systems. Open-source or built-in tools can meet many control requirements when combined with sound process design. The focus is not on technology brands but on function—what a tool must do to satisfy a safeguard. By understanding intent first, you can scale your environment wisely and avoid unnecessary complexity.

(05:29):
Running a cybersecurity program requires rhythm and review, so we will also talk about cadence. Program cadence means having scheduled checkpoints—monthly, quarterly, or annually—where progress is reviewed and actions are adjusted. A consistent review process prevents controls from drifting out of compliance and keeps everyone aligned. Many organizations find it helpful to tie reviews to leadership meetings or reporting cycles so that governance becomes part of normal business operations, not a separate event.

(06:00):
These episodes are designed to be useful during audits and assessments. Each narration explains what auditors typically look for and how to prepare documentation in advance. By replaying specific episodes, you can review what evidence is expected for each safeguard or how certain controls interact. The goal is to make audit readiness continuous rather than stressful. When every process leaves a trail of documentation, passing an audit becomes a matter of presentation, not reconstruction.

(06:30):
As with any technical framework, there are common pitfalls. Many teams focus too heavily on purchasing tools and neglect the human and procedural side. Others underestimate the effort of maintaining documentation, or they fail to assign clear ownership for each control. This course emphasizes realistic practices that help you avoid these traps. Through examples, you will learn how to align technical actions with governance so that controls stay effective and measurable over time.

(06:58):
Finally, you will know where to find help and how to give feedback. The Center for Internet Security provides free resources, guides, and community forums where practitioners share their experiences. Many learners also connect through professional groups and online study circles. Your insights from applying these lessons will be valuable to others, and ongoing engagement ensures your knowledge stays current. Collaboration is part of the culture that keeps cybersecurity resilient.

(07:27):
You are now ready to begin the journey through the CIS Controls. The next episode will take you into the first control, exploring how to identify and manage your enterprise assets—the foundation of all security work. Each step builds on the last, so progress through them in order and take notes as you go. By the end of this course, you will have a structured understanding of how to translate best practice frameworks into daily action and how to maintain security that lasts.