Why the CIS Controls Are the Standard

The Center for Internet Security (CIS) publishes 18 Critical Security Controls — a prioritized set of actions that address the most common attack techniques. Unlike compliance frameworks that tell you what to achieve, CIS Controls tell you specifically what to do.

They're used by the US Department of Defense, CISA, and thousands of organizations as a baseline security standard. For SMBs without a dedicated security team, they're the most practical starting point.

The 2026 release (CIS Controls v8.1) maintains the same 18 controls with updated implementation guidance. Here's what each one covers and how to prioritize for a small organization.


The 18 CIS Critical Security Controls

Implementation Group 1 (IG1) — Every Organization

These are the foundational controls. If you implement nothing else, implement these.

CIS Control 1: Inventory and Control of Enterprise Assets

You can't protect what you don't know you have. Maintain an active inventory of all hardware assets — laptops, servers, mobile devices, printers, IoT devices — on your network.

Practical implementation: Combine your MDM (Jamf, Intune), a network scanner, and your cloud provider's asset inventory into one list. Update it at least quarterly.


CIS Control 2: Inventory and Control of Software Assets

Document all software authorized for use on corporate devices. Block unauthorized software installation where possible.

Practical implementation: Application allowlisting via MDM. Maintain a software inventory spreadsheet if allowlisting isn't feasible.


CIS Control 3: Data Protection

Classify data by sensitivity and apply appropriate protections. Encrypt sensitive data at rest and in transit. Know where your sensitive data lives.

Practical implementation: Data classification policy (3 tiers: public, internal, confidential). Enforce encryption on laptops and cloud storage. Use DLP tools for email if handling regulated data.


CIS Control 4: Secure Configuration of Enterprise Assets and Software

Default configurations on hardware and software are almost always insecure. Change defaults, disable unused features, and apply security baselines.

Practical implementation: Apply CIS Benchmarks for your operating systems, cloud services, and major SaaS tools. Use your MDM to enforce baseline configurations.


CIS Control 5: Account Management

Manage the lifecycle of all accounts — create, modify, disable, and delete. No orphaned accounts. No shared credentials.

Practical implementation: SSO with automated provisioning/deprovisioning. Quarterly access reviews. Terminate access within 24 hours of employee offboarding.
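One way to run the quarterly access review and the 24-hour offboarding check from the paragraph above, as an added example in Python that is not part of the original article. The roster and account export are constructed, and the field names, the "shared-" naming convention and the service-account exception list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: the HR roster and the identity provider's account export.
# Names, dates and field names are assumptions for this example.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "end_date": None},
    {"email": "bob@example.com", "status": "terminated", "end_date": "2026-03-01T09:00:00"},
    {"email": "carol@example.com", "status": "terminated", "end_date": "2026-03-04T17:00:00"},
]
IDP_ACCOUNTS = [
    {"username": "alice@example.com", "enabled": True},
    {"username": "bob@example.com", "enabled": True},           # offboarded days ago, still enabled
    {"username": "carol@example.com", "enabled": True},         # offboarded hours ago, inside the SLA
    {"username": "svc-backup@example.com", "enabled": True},    # documented service account
    {"username": "shared-frontdesk@example.com", "enabled": True},  # shared credential, no owner
]
KNOWN_SERVICE_ACCOUNTS = {"svc-backup@example.com"}  # exceptions re-approved each quarter
OFFBOARD_SLA = timedelta(hours=24)                   # page: terminate access within 24 hours


def review_accounts(roster, accounts, now, service_accounts=KNOWN_SERVICE_ACCOUNTS):
    """Flag enabled accounts that violate the lifecycle rules.
    Returns {"overdue_disable": [...], "orphaned": [...], "shared": [...]}."""
    people = {p["email"]: p for p in roster}
    findings = {"overdue_disable": [], "orphaned": [], "shared": []}
    for acct in accounts:
        user = acct["username"]
        if not acct["enabled"]:
            continue  # already disabled; nothing to flag
        if user.startswith("shared-"):
            findings["shared"].append(user)  # naming convention is an assumption
        person = people.get(user)
        if person is None:
            if user not in service_accounts:
                findings["orphaned"].append(user)  # nobody in HR owns this login
            continue
        if person["status"] == "terminated":
            ended = datetime.fromisoformat(person["end_date"])
            if now - ended > OFFBOARD_SLA:
                findings["overdue_disable"].append(user)
    return findings


def sample_report(now_iso="2026-03-05T09:00:00"):
    """Run the review against the constructed data as of now_iso (ISO 8601)."""
    return review_accounts(HR_ROSTER, IDP_ACCOUNTS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print(sample_report())
```

In practice the roster comes from the HR system's export and the account list from the IdP's API; the review logic stays the same.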


CIS Control 6: Access Control Management

Apply least-privilege principles. Users should only have the access they need to do their job. Separate privileged accounts from regular user accounts.

Practical implementation: RBAC in all systems. Separate admin accounts for IT staff. Privileged Access Management (PAM) for production systems.


CIS Control 7: Continuous Vulnerability Management

Identify and remediate vulnerabilities before attackers exploit them. This means regular scanning, not one-time assessments.

Practical implementation: Monthly vulnerability scans (Qualys, Tenable, or free Nessus Essentials for smaller environments). Patch critical vulnerabilities within 30 days, high within 60 days.
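A small tracker for the 30-day / 60-day remediation SLA stated above, added here as an example in Python rather than taken from the article or any scanner vendor. The findings list is constructed, and the one-week warning window and the export's field layout are assumptions.

```python
from datetime import date

# SLA from the page: critical within 30 days, high within 60 days.
SLA_DAYS = {"critical": 30, "high": 60}
WARN_WINDOW = 7  # assumption: warn a week before the deadline

# Constructed scanner export; ids, hosts and dates are made up for this example.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical", "first_seen": "2026-01-10", "fixed": None},
    {"id": "F-2", "host": "db-01", "severity": "high", "first_seen": "2026-01-20", "fixed": None},
    {"id": "F-3", "host": "web-02", "severity": "critical", "first_seen": "2026-02-20", "fixed": "2026-03-01"},
    {"id": "F-4", "host": "fs-01", "severity": "medium", "first_seen": "2025-12-01", "fixed": None},
    {"id": "F-5", "host": "mail-01", "severity": "high", "first_seen": "2026-01-08", "fixed": None},
]


def sla_report(findings, today):
    """Classify open critical/high findings as of `today` (a datetime.date).
    Returns {"overdue": [(id, days_over)], "due_soon": [(id, days_left)], "on_track": [id]}."""
    report = {"overdue": [], "due_soon": [], "on_track": []}
    for f in findings:
        if f["fixed"] is not None or f["severity"] not in SLA_DAYS:
            continue  # closed, or a severity with no SLA on this page
        age = (today - date.fromisoformat(f["first_seen"])).days
        days_left = SLA_DAYS[f["severity"]] - age
        if days_left < 0:
            report["overdue"].append((f["id"], -days_left))
        elif days_left <= WARN_WINDOW:
            report["due_soon"].append((f["id"], days_left))
        else:
            report["on_track"].append(f["id"])
    return report


def sample_report(today_iso="2026-03-05"):
    """Run the report against the constructed findings as of today_iso."""
    return sla_report(FINDINGS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(sample_report())
```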


CIS Control 8: Audit Log Management

Collect, protect, and analyze logs from all enterprise assets. Logs are essential for detecting incidents and conducting forensic investigations.

Practical implementation: Centralized logging (SIEM or log aggregation). Minimum 90-day retention. Alert on failed logins, privilege escalation, and after-hours access.
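The three alert rules named above (failed logins, privilege escalation, after-hours access) run over sample auth events, as an added Python example that is not from the article or any SIEM product. The log lines are constructed, and the business-hours window, the five-failure threshold and the list of shell-spawning commands are assumptions to tune for your environment.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog-style auth events; hosts, users and addresses are made up for this example.
SAMPLE_LOG = """\
2026-03-05T09:02:11 web-01 sshd: Failed password for alice from 203.0.113.7
2026-03-05T09:02:14 web-01 sshd: Failed password for alice from 203.0.113.7
2026-03-05T09:02:17 web-01 sshd: Failed password for root from 203.0.113.7
2026-03-05T09:02:20 web-01 sshd: Failed password for admin from 203.0.113.7
2026-03-05T09:02:23 web-01 sshd: Failed password for alice from 203.0.113.7
2026-03-05T09:03:01 web-01 sshd: Accepted password for alice from 203.0.113.7
2026-03-05T10:15:42 db-01 sudo: bob : COMMAND=/bin/bash
2026-03-05T10:16:05 db-01 sudo: bob : COMMAND=/usr/bin/systemctl restart postgresql
2026-03-05T23:41:09 fs-01 sshd: Accepted publickey for carol from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is normal working time
FAILED_THRESHOLD = 5           # assumption: 5+ failures from one source is a burst
SHELL_SPAWNERS = ("/bin/bash", "/bin/sh", "/bin/su")  # sudo into an interactive shell


def analyze(log_text):
    """Return [(alert_type, detail), ...] for the three alert classes the page names."""
    alerts, failures = [], Counter()  # failures keyed by (host, source ip)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed line; a real pipeline would count these too
        ts, host, proc, msg = datetime.fromisoformat(m["ts"]), m["host"], m["proc"], m["msg"]
        if f := FAILED_RE.search(msg):
            failures[(host, f["ip"])] += 1
        elif a := ACCEPTED_RE.search(msg):
            if failures[(host, a["ip"])] >= FAILED_THRESHOLD:  # success right after a burst
                alerts.append(("login_after_failures", f"{a['user']}@{host} from {a['ip']}"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_login", f"{a['user']}@{host} at {ts.isoformat()}"))
        elif proc == "sudo" and (s := SUDO_RE.match(msg)):
            if s["cmd"].split()[0] in SHELL_SPAWNERS:
                alerts.append(("privilege_escalation_shell", f"{s['user']}@{host}: {s['cmd']}"))
    for (host, ip), n in failures.items():
        if n >= FAILED_THRESHOLD:
            alerts.append(("failed_login_burst", f"{n} failures on {host} from {ip}"))
    return alerts
```

The same rules expressed in your SIEM's query language give the alerts the page asks for; the point of the script is to show what each rule actually matches.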


CIS Control 9: Email and Web Browser Protections

Email is the #1 attack vector. Web browsers are #2. Configure both with enterprise-grade protections.

Practical implementation: DMARC/DKIM/SPF on your domain. Email gateway filtering (Microsoft Defender, Google Workspace, Proofpoint). DNS filtering (Cloudflare Gateway, Cisco Umbrella). Block dangerous file types in email.
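A checker for the SPF and DMARC records mentioned above, showing a weak configuration beside its hardened form. This is an added Python example, not code from the article; the domain and TXT values are constructed, and the records are passed in as a dict so it runs offline (real use would query DNS). DKIM is left out because validating it needs the selector names.

```python
import re

# Constructed TXT records for a hypothetical domain; values are assumptions for this example.
WEAK = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect"}  # each costs a DNS lookup


def check_spf(record):
    """Return findings for one SPF TXT record; an empty list means nothing weak was found."""
    if record is None or not record.startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = record.split()[1:]  # drop the version tag
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorizes every sender on the internet")
    elif all_term == "?all":
        findings.append("'?all' is neutral: unlisted senders are not failed")
    elif all_term == "~all":
        findings.append("'~all' softfail: move to '-all' once every sender is listed")
    lookups = sum(1 for t in terms if re.split(r"[:=/]", t.lstrip("+-~?"))[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10")
    return findings


def check_dmarc(record):
    if record is None or not record.startswith("v=DMARC1"):
        return ["no DMARC record"]
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("p") == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: the policy covers only part of the mail")
    return findings


def audit(records, domain):  # records: {dns name: txt value}
    return {"spf": check_spf(records.get(domain)), "dmarc": check_dmarc(records.get("_dmarc." + domain))}
```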


CIS Control 10: Malware Defenses

Deploy anti-malware controls across all endpoints. Go beyond signature-based AV to behavior-based detection.

Practical implementation: EDR on all endpoints (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint). Disable macros in Office documents. Monitor for unusual process execution.


CIS Control 11: Data Recovery

If you can't recover from an attack, all other controls are irrelevant. Test your backups. Regularly.

Practical implementation: 3-2-1 backup rule (3 copies, 2 media types, 1 offsite). Immutable backup storage (write-once). Quarterly restore tests. Document recovery time objectives (RTO) and recovery point objectives (RPO).


CIS Control 12: Network Infrastructure Management

Manage and monitor your network devices — routers, switches, firewalls. Apply configurations from known-good baselines.

Practical implementation: Firmware updates on schedule. Segment networks (production, guest, IoT separate from corporate). Document firewall rules with business justification.


CIS Control 13: Network Monitoring and Defense

Monitor network traffic for anomalies and block malicious traffic.

Practical implementation: Intrusion detection/prevention (IDS/IPS). Network traffic analysis for anomalies. Zero trust network access (ZTNA) for remote workers instead of traditional VPN.


CIS Control 14: Security Awareness and Skills Training

Human error causes 85%+ of security incidents. Train your people.

Practical implementation: Annual security awareness training for all employees. Phishing simulations quarterly. Role-specific training for IT and developers. Metrics: phishing click rates, training completion.


CIS Control 15: Service Provider Management

Your vendors have access to your data and systems. Their breaches become your breaches.

Practical implementation: Vendor inventory with access classification. Security questionnaires for critical vendors. Review SOC 2 reports annually. DPAs for all vendors handling personal data.


CIS Control 16: Application Software Security

For companies that build software, secure the software development lifecycle.

Practical implementation: SAST/DAST scanning in CI/CD. Dependency vulnerability scanning (Dependabot, Snyk). Security code review for critical features. Penetration testing annually.


CIS Control 17: Incident Response Management

When (not if) an incident occurs, you need to respond effectively.

Practical implementation: Written incident response plan. Defined incident response team with roles. Tabletop exercises twice per year. Documented contact list for external resources (legal, forensics, PR).


CIS Control 18: Penetration Testing

Test your defenses by having experts try to break them.

Practical implementation: Annual penetration test of critical systems. Scope can be narrow (external perimeter) for smaller organizations. Remediate findings within 60 days.


Where to Start as an SMB

Year 1 priorities (IG1 + highest-impact IG2):

  • MFA everywhere (Controls 5, 6)

  • EDR on all endpoints (Control 10)

  • Centralized logging (Control 8)

  • Tested backups (Control 11)

  • Email security (Control 9)

  • Security awareness training (Control 14)

These six focus areas address 80% of common attack paths at a cost most SMBs can absorb.

Measure your baseline first. Our free security assessment maps your current posture against the CIS Controls and tells you exactly where you stand and what to prioritize.


Related Research

The Ransomware Protection Guide for SMBs covers the 7 specific controls that block 88% of ransomware attacks, with step-by-step implementation guidance. For the broader threat landscape these controls address, the SMB Cybersecurity Report 2026 draws on Verizon DBIR and IBM data to show what is actually hitting small businesses right now.

Take our free cybersecurity risk assessment

Score your security posture in 5 minutes — then get your personalized Cyber Pulse brief with live threats and compliance deadlines for your industry.
