¿Sabes qué es la Matriz de Controles CIS de seguridad?

Do you know what the CIS Security Controls Matrix is?

February 19, 2025 Iñigo Ladrón Morales

Due to the proliferation of increasingly complex and sophisticated cyber threats , it is essential to have a robust framework to protect digital assets against possible cyber attacks and cyber intrusions . The CIS Controls Matrix is one of them.

It is a tool, developed by the Center for Internet Security (CIS) (a non-profit organization dedicated to improving cybersecurity around the world, providing standards, resources and practical guidance to mitigate cyber risks associated with cyber threats ) , which brings together a huge set of recommendations, guidelines and best practices for companies to strengthen their cybersecurity .

The CIS controls serve as a practical guide to help companies identify, implement and maintain effective cybersecurity measures. By following these guidelines, organizations can significantly reduce their exposure to cyber risks and improve their ability to to detect and respond to potential cyber threats.

These controls are based on a “cybersecurity by layers”, addressing different aspects of information security, such as data protection, access management and event monitoring. Each control is designed to mitigate a specific cyber risk and all of them together form a comprehensive framework that protects against a wide range of cyber threats.

The CIS Controls Matrix consists of several hundred controls, each designed to address a specific aspect of the cybersecurity. These are applicable to a wide range of business environments and sectors of all types of activities and characteristics.

Considering that this is a fairly flexible framework, the CIS controls can be customized to meet the specific or unique needs of each organization and type of organization.

Implementation of CIS controls begins with a comprehensive evaluation of the specific cyber risks that an organization faces.

Based on this evaluation, the task of identification of the relevant controls that must be be implemented to mitigate the cyber risks detected.

Once implemented, it is important to maintain and review the controls to ensure its continued effectiveness in the face of constant evolution of cyber threats and those of new appearance.

With the application of this framework, organizations strengthen their cybersecurity posture and protect their digital assets against a wide range of cyber threats. Implementing CIS controls could make the difference between cybersecurity and vulnerability.

CIS controls are defined and developed by a community of technology and data experts. -mce-fragment="1">cybersecurity that apply their enormous experience to create cybersecurityaccepted globally. These come from a wide range of business sectors, different from each other, that share intelligence and cyber intelligence (information about cyber attacks and cyber attackers), document and share tools, track cyber threats, cybercriminals and attack vectors, and map the CIS controls to the regulatory, regulatory and compliance frameworks, among other of your responsibilities.

For their work they are based on the principles of a robust cyber defense system:

intelligence and cyber intelligence. Which aims to provide information related to cyber attacks The objective is to continually learn from them to be able to build better cyber defenses.
Prioritization. Through which greater relevance is given to the controls that more cyber risks
Measurements and metrics. Establishment of variables, magnitudes, values and measurement ranges of situations that can be interpreted by all those involved, both people with a technical profile and without it.
Diagnosis and mitigation. Periodic measurements to test the controls and the established measures, which allow working on a control model. continuous improvement.
Automation. Mechanization of cyber defenses.

The real value of this model and the CIS controls does not consist of a mere and extensive list of tasks to be carried out by organizations, but rather taking advantage of the experience of a community of people and companies collaborating to make improvements to cybersecuritythrough knowledge sharing.

The CIS Controls Matrix groups the security controls at different types of levels:

Level 1: Basic (Basic). Simplest set of controls that all companies should implement to establish a strong cybersecurity foundation .
Level 2: Hybrid (Foundational). They are additional controls that, when applied, increase the cybersecurity of a company beyond the previous basic requirements, adapting to higher cyber risk.
Level 3: Advanced (Organizational). It involves a larger and more complete group of controls, designed specifically for companies that have security needs. Very demanding cybersecurity (governments, public administration, critical services, military sector, etc.) .

Los controles de Nivel 1, o Básicos, o Basic, son los correspondientes a los siguientes activos digitales:

Hardware (inventory of authorized and unauthorized devices).
Software (services and applications).
Continuous evaluation and management of vulnerabilities.
Controlled use of administrative privileges.
Secure configuration of hardware and software belonging to different mobile devices, laptops, workstations and servers.
Maintenance, monitoring and analysis of records, logs, or audit trails.

Los controles de Nivel 2, o Híbridos, o Foundational, son los correspondientes a los siguientes activos digitales:

Protecting email and web browsers.
Defensas contra malware.
Limitation and control of network ports, protocols and services.
Capabilities for data recovery.
Secure configuration of network devices and equipment, such as firewalls, routers and switches.
Protection and defense of the corporate perimeter.
Protection of data.
Access control, based on the “need to know/know ”.
Access control to wireless networks (WiFi, Wireless, WLAN, access points).
Monitoring, tracking and control of user accounts.

The Level 3 controls, or Advanced, or Organizational, are those corresponding to the following digital assets:

Implementation of cybersecurity services and programs.
Security of the software.
Management and incident response.
Tests de penetración y ejercicios de Red Team.

Within each of these categories or levels, there will be controls (and sub-controls) to apply.

More information about the CIS Controls Matrix can be obtained by consulting the official public document of the CIS , where, for each of the controls, it is indicated:

Its description, definition and objective.
The reasons why said control is considered relevant.
The table with each of the sub-controls that make it up and their descriptions.
The procedures and resources involved in this control.
Other possible frameworks, compatible with similar controls, on which each control can be mapped (NIST, OWASP, etc.).
The system entity relationship diagram.

In the case of the Zerolynx service catalog, in addition to being based on the NIST CSF (NIST Cybersecurity Framework) of the NIST (US National Institute of Standards and Technologies) , they are also aligned with the CIS Controls Matrix .

An example of this is the “ Cybersecurity Fast Review for SMEs ” service, where we review the cybersecurity status of each SME , checking compliance with the priority controls of the CIS Matrix :