
Do you know what the CIS Security Controls Matrix is?
Iñigo Ladrón Morales
Due to the proliferation of cyber threats, which are increasingly complex and sophisticated, it is essential to have a robust framework to protect digital assets against potential cyberattacks and cyber intrusions. The CIS Controls Matrix is one of them.
It is a tool developed by the Center for Internet Security (CIS), a non-profit organization dedicated to improving cybersecurity worldwide by providing standards, resources, and practical guidance for mitigating cyber risk, and it brings together a broad set of recommendations, guidelines, and best practices that companies can use to strengthen their cybersecurity.
The CIS controls serve as a practical guide to help companies identify, implement, and maintain effective cybersecurity measures. By following these guidelines, organizations can significantly reduce their exposure to cyber risks and improve their ability to detect and respond to potential cyber threats.
These controls are based on a "cybersecurity by layers" approach, addressing different aspects of information security, such as data protection, access management, and event monitoring. Each control is designed to mitigate a specific cyber risk and together they form a comprehensive framework that protects against a wide range of cyber threats.
The CIS Controls Matrix consists of several hundred controls, each designed to address a specific aspect of cybersecurity. These are applicable to a wide range of business environments and sectors of all types of activities and characteristics.
Since it is a fairly flexible framework, the CIS controls can be tailored to the specific needs of each organization and type of organization.
The implementation of the CIS controls begins with a thorough assessment of the cyber risks specific to the organization.
Based on this assessment, the relevant controls needed to mitigate the detected cyber risks are identified.
Once implemented, the controls must be maintained and reviewed regularly to ensure they remain effective against constantly evolving and emerging cyber threats.
"By applying this framework, organizations strengthen their cybersecurity posture and protect their digital assets against a wide range of cyber threats. The implementation of CIS controls could make the difference between cybersecurity and vulnerability."
The CIS controls are defined and developed by a community of technology and cybersecurity experts who apply their extensive experience to create globally accepted cybersecurity best practices. They come from a wide range of different business sectors and share intelligence and cyber intelligence (information about cyber attacks and cyber attackers), document and share tools, track cyber threats, cyber criminals, and attack vectors, and map the CIS controls to regulatory and compliance frameworks, among other responsibilities.
For their work, they rely on the principles of a robust cyber defense system:
- Intelligence and cyberintelligence. Provides information about cyberattacks, with the goal of continuously learning from them in order to build better cyberdefenses.
- Prioritization. Gives greater relevance to the controls that mitigate the most cyber risk.
- Measurements and metrics. Establishes variables, magnitudes, values, and measurement ranges that can be interpreted by everyone involved, both technical and non-technical people.
- Diagnosis and mitigation. Periodic measurements that test the controls and measures in place, enabling a continuous improvement model.
- Automation. Mechanization of cyber defenses.
The real value of this model and the CIS controls does not lie in a long list of tasks for organizations to perform, but in leveraging the experience of a community of people and companies that collaborate to improve cybersecurity through knowledge sharing.
The CIS Controls Matrix groups the security controls into different levels:
- Level 1: Basic. The simplest set of controls that all companies should implement to establish a solid foundation of cybersecurity.
- Level 2: Hybrid (Foundational). These are additional controls that, when applied, enhance the cybersecurity of a company beyond the previous basic requirements, adapting to environments with higher cyber risk.
- Level 3: Advanced (Organizational). A more robust and comprehensive set of controls, designed for organizations with very demanding cybersecurity needs (governments, public administration, critical services, the military sector, etc.).
Next, we will describe them in detail:
1. Basic Controls (Essential)
These controls are the most critical and fundamental for any organization.
- Inventory and Control of Enterprise Assets: Maintain an up-to-date inventory of physical and virtual assets.
- Inventory and Control of Software Assets: Control and authorize software on systems to prevent the execution of unwanted programs.
- Data Protection: Implement measures to protect sensitive data at rest and in transit.
- Secure Configuration of Enterprise Assets and Software: Apply secure configurations on hardware and software to reduce vulnerabilities.
- Account Management: Manage user accounts and privileges to minimize the risk of unauthorized access.
- Access Control Management: Implement role-based access control and the minimum necessary privileges.
- Continuous Vulnerability Management: Identify, prioritize, and remediate security vulnerabilities continuously.
2. Foundational Controls
These are essential practices for reducing cyber risk.
- Audit Log Management: Enable, protect, and review security event audit logs.
- Email and Web Browser Protections: Set up security controls in email clients and web browsers.
- Malware Defenses: Implement mechanisms to prevent and detect malware in systems and networks.
- Data Recovery: Establish and test data backup and recovery processes.
- Network Infrastructure Management: Apply secure configurations and segmentation in the network infrastructure.
- Security Awareness and Skills Training: Train staff on threats and best practices in cybersecurity.
3. Advanced Controls (Organizational)
These controls help to strengthen the resilience of the organization.
- Service Provider Management: Evaluate and manage the security of external providers.
- Application Software Security: Apply secure development principles and security reviews in applications.
- Incident Response Management: Establish incident response plans and improve their effectiveness through drills.
- Penetration Testing: Conduct penetration tests to identify and fix vulnerabilities.
- Security Awareness and Skills Training (reinforced): Improve security training and staff awareness.
Within each of these categories or levels, there will be controls (and sub-controls) that need to be applied.
More information about the CIS Controls Matrix can be found in the official public document from CIS, which indicates, for each control:
- Its description, definition, and objective.
- The reasons why such control is considered relevant.
- The table with each of the sub-controls that make it up and their descriptions.
- The procedures and resources involved in that control.
- Other frameworks with comparable controls to which each control can be mapped (NIST, OWASP, etc.).
- The entity relationship diagram of the system.
Zerolynx's service catalog, in addition to being based on the NIST CSF (NIST Cybersecurity Framework) from NIST (the National Institute of Standards and Technology of the USA), is also aligned with the CIS Controls Matrix.
An example of this is the service “Fast Review of Cybersecurity for SMEs”, in which we review the state of cybersecurity of each SME, checking compliance with the priority controls of the CIS Matrix:
- Inventory of authorized and unauthorized devices.
- Inventory of authorized and unauthorized software.
- Secure configurations on devices.
- Continuous assessment of vulnerabilities and remediation.
- Controlled use of administrative privileges.
- Maintenance, monitoring, and analysis of audit trails.
- Email and web browser protections.
- Antimalware defenses.
- Control of network ports, protocols, and services.
- Data recovery and backup capability.
- Secure configurations for network devices such as firewalls and switches.
- Controlled access based on the need to know.
- Wireless access control.
- Control and monitoring of user accounts.
- Software Security.
- Incident Response.
- Penetration testing.
You can check all the cybersecurity and cyberintelligence services of Zerolynx.
But, if you prefer that we inform you personally, do not hesitate to get in touch with us.