If you have ever asked your IT provider "are we secure?" and gotten an answer full of acronyms and buzzwords, you are not alone. Cybersecurity can feel like a foreign language. But there is a straightforward framework that even non-technical business owners can understand, and it is considered the gold standard for protecting organizations of any size. It is called CIS Controls Version 8.

This guide walks you through all 18 controls in plain English. No jargon. No acronyms without explanations. Just a clear picture of what good cybersecurity looks like, so you can have smarter conversations with your IT team, your insurance provider, and your clients.

What Are the CIS Controls?

The CIS Controls are a set of 18 cybersecurity best practices published by the Center for Internet Security, a nonprofit organization. Think of them as a prioritized to-do list for protecting your business from cyberattacks. They are not a product you buy. They are actions you take.

The controls are used by organizations worldwide, from small businesses to Fortune 500 companies to government agencies. They are regularly updated based on real-world attack data, which means they focus on what actually works, not theoretical risks. Version 8, released in 2021, is the current edition and was designed to work regardless of whether your systems are on-site, in the cloud, or a mix of both.

Why Should a Business Owner Care?

You do not need to become a cybersecurity expert. But understanding the basics helps you in three important ways:

  • Insurance: Cyber insurance companies increasingly ask whether you follow CIS Controls or a similar framework. Understanding them helps you answer those questionnaires accurately and potentially lower your premiums.
  • Vendor trust: If your clients or partners ask about your security posture, pointing to a recognized framework like CIS Controls gives them confidence that you take security seriously.
  • Accountability: When you understand what good security looks like, you can hold your IT provider accountable. You will know the right questions to ask.

The 18 CIS Controls, Explained Simply

The controls are numbered 1 through 18, and they are listed roughly in priority order. The first few are the most fundamental. If you are just getting started, focus on Controls 1 through 6 first. They address the most common ways businesses get breached.

Control 1: Inventory and Control of Enterprise Assets

In plain English: Know every device connected to your network.

You cannot protect what you do not know exists. This control says you should maintain a complete, up-to-date list of every computer, laptop, phone, tablet, server, and network device your business uses. That includes personal devices employees use for work.

Why it matters to you: If an employee leaves and still has a company laptop, or if someone plugs an unauthorized device into your network, those are security gaps you cannot fix if you do not know about them. A proper inventory also helps you plan budgets and replacements.

Control 2: Inventory and Control of Software Assets

In plain English: Know every piece of software running on your systems.

Just like with devices, you need to know what software is installed across your business. This includes applications, browser extensions, cloud services, and mobile apps. If it is not on your approved list, it should not be there.

Why it matters to you: Unauthorized or outdated software is one of the most common ways attackers get in. That free PDF tool someone downloaded? It might have come with malware. That old version of accounting software no one updated? It might have a known vulnerability that hackers actively exploit.

Control 3: Data Protection

In plain English: Know where your sensitive data lives and protect it.

This control is about identifying your most valuable information (client records, financial data, employee Social Security numbers, intellectual property) and making sure it is encrypted, backed up, and accessible only to the people who need it.

Why it matters to you: If you get breached, the first question your insurance company, your lawyers, and your clients will ask is: "What data was exposed?" If you do not know where your sensitive data lives, you cannot answer that question, and you cannot protect it in the first place.

Control 4: Secure Configuration of Enterprise Assets and Software

In plain English: Set up your systems securely from the start, and do not leave default settings in place.

Most devices and software come with factory settings that prioritize convenience over security: default passwords, unnecessary features turned on, guest accounts enabled. This control says you should configure everything according to security best practices before putting it into use.

Why it matters to you: Attackers know the default settings for every popular device and application. Leaving a router with its factory password or a server with unnecessary services running is like leaving your front door unlocked. A proper initial setup prevents most of these easy-win attacks.

Control 5: Account Management

In plain English: Control who has accounts on your systems, and what they can access.

Every person who accesses your business systems should have their own unique account with only the access they need. When someone leaves the company or changes roles, their access should be updated immediately. Shared accounts should be eliminated wherever possible.

Why it matters to you: If three people share one login and something goes wrong, you have no way to know who did what. If a former employee's account is still active months after they left, that is an open door into your business. Proper account management is about accountability and limiting damage if something goes wrong.

Control 6: Access Management

In plain English: Make sure people prove who they are before accessing your systems, and limit what they can reach.

This control covers multi-factor authentication (MFA), strong passwords, and the principle of least privilege, which means people only get access to what they need for their specific job. Your accountant does not need access to your marketing files, and your marketing person does not need access to payroll.

Why it matters to you: Stolen passwords are the number one way businesses get hacked. MFA stops the vast majority of those attacks. And limiting who can access what means that even if one account is compromised, the attacker cannot reach everything.
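As an added example (not code from the original article), here is how the account checks described under Controls 5 and 6 can be turned into a repeatable review: it reconciles a directory export against an HR roster and flags departed employees' accounts that are still enabled, accounts with no named owner (shared or orphaned), accounts without MFA, and privileged group memberships a role does not need. The roster, account list and the least-privilege table are constructed sample data, and the role-to-group policy is an assumption for the example.

```python
from datetime import date

# Constructed sample data (not from a real organization).
# HR roster: who works here, their role, and their departure date if any.
HR_ROSTER = {
    "alice": {"role": "accountant", "left": None},
    "bob":   {"role": "marketing",  "left": date(2024, 3, 1)},
    "carol": {"role": "it_admin",   "left": None},
    "dave":  {"role": "marketing",  "left": None},
}

# Directory export: every account, whether it is enabled, MFA status, group membership.
ACCOUNTS = [
    {"user": "alice",     "enabled": True, "mfa": True,  "groups": ["finance"]},
    {"user": "bob",       "enabled": True, "mfa": False, "groups": ["marketing"]},
    {"user": "carol",     "enabled": True, "mfa": True,  "groups": ["domain-admins"]},
    {"user": "dave",      "enabled": True, "mfa": True,  "groups": ["marketing", "payroll"]},
    {"user": "frontdesk", "enabled": True, "mfa": False, "groups": ["reception"]},
]

# Least-privilege policy (assumed for this example): sensitive groups, and which
# job roles legitimately need them. Any membership outside this table is a finding.
PRIVILEGED_GROUPS = {"domain-admins", "finance", "payroll"}
ROLE_ALLOWED_GROUPS = {
    "accountant": {"finance", "payroll"},
    "it_admin":   {"domain-admins"},
    "marketing":  set(),
}

REVIEW_DATE = date(2024, 6, 1)  # date the review is run (constructed)


def review_accounts(accounts, roster, today, allowed=ROLE_ALLOWED_GROUPS,
                    privileged=PRIVILEGED_GROUPS):
    """Return (user, control, reason) findings for accounts that break Controls 5 or 6."""
    findings = []
    for acct in accounts:
        user, person = acct["user"], roster.get(acct["user"])
        if person is None:
            # No single named owner: a shared or orphaned account (Control 5).
            findings.append((user, "C5", "no named owner in HR roster (shared or orphaned account)"))
        elif person["left"] is not None and person["left"] <= today and acct["enabled"]:
            # Owner has left but the account can still log in (Control 5).
            findings.append((user, "C5", f"owner left on {person['left']}, account still enabled"))
        if acct["enabled"] and not acct["mfa"]:
            findings.append((user, "C6", "MFA not enabled"))
        if person is not None:
            # Privileged groups this role has no business holding (least privilege, Control 6).
            extra = (set(acct["groups"]) & privileged) - allowed.get(person["role"], set())
            for group in sorted(extra):
                findings.append((user, "C6", f"privileged group '{group}' not needed for role '{person['role']}'"))
    return findings


if __name__ == "__main__":
    for user, control, reason in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{control} {user:10} {reason}")
```

Run against real exports, the same report is what an IT provider should be able to hand you each month: an empty list is the goal, and every line on it is a question for Control 5 or 6.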

Control 7: Continuous Vulnerability Management

In plain English: Regularly check your systems for known weaknesses and fix them.

Software companies discover security flaws in their products all the time and release patches to fix them. This control says you should regularly scan your systems for these known vulnerabilities and apply patches promptly. It is not a one-time activity. It is an ongoing process.

Why it matters to you: Most successful cyberattacks exploit vulnerabilities that already have patches available. The attackers are not using some secret technique. They are walking through doors you left open. Regular patching closes those doors. This is why keeping your software updated is so critical.

Control 8: Audit Log Management

In plain English: Keep records of what happens on your systems so you can investigate if something goes wrong.

Audit logs are like security cameras for your digital systems. They record who logged in, when, from where, what files they accessed, what changes they made, and whether anything unusual happened. This control says you should collect those logs, store them securely, and review them regularly.

Why it matters to you: If you experience a breach, investigators will ask for your logs. Without them, you may never know what the attacker accessed or how they got in. Logs are also essential for compliance in regulated industries like healthcare, finance, and legal services. They are your evidence trail.

Control 9: Email and Web Browser Protections

In plain English: Lock down the two things employees use most: email and web browsers.

Email and web browsing are the primary ways attackers deliver malware and phishing attacks to your employees. This control covers email filtering, blocking dangerous attachments, restricting browser extensions, and preventing users from visiting known malicious websites.

Why it matters to you: Over 90% of cyberattacks start with an email. Your employees interact with email and web browsers every single day, making them the most exposed part of your business. Proper email and browser protections stop most threats before your employees ever see them.

Control 10: Malware Defenses

In plain English: Use modern security software to detect and stop malicious programs.

This goes beyond traditional antivirus. Modern malware defenses use behavioral analysis to detect suspicious activity, not just known virus signatures. They can identify ransomware as it starts encrypting files, detect fileless attacks that live entirely in memory, and automatically isolate compromised devices.

Why it matters to you: The old "antivirus" approach of matching known threats is no longer enough. Modern attacks are specifically designed to evade signature-based detection. You need endpoint protection that watches for suspicious behavior patterns and can respond automatically before damage spreads across your network.

Control 11: Data Recovery

In plain English: Back up your data so you can recover it if something goes wrong.

This control requires regular, automated backups of all important business data, stored in a secure location separate from your primary systems. Critically, it also requires you to test those backups regularly to make sure you can actually restore from them when you need to.

Why it matters to you: Ransomware attackers make money because businesses cannot afford to lose their data. If you have clean, tested, recent backups stored somewhere the attacker cannot reach, you can recover without paying a ransom. Backups also protect against hardware failure, accidental deletion, and natural disasters. They are your ultimate safety net.

Control 12: Network Infrastructure Management

In plain English: Manage and secure your network equipment properly.

Your routers, switches, firewalls, wireless access points, and other network equipment need the same attention as your computers. This control covers keeping network device firmware updated, using secure configurations, segmenting your network into zones, and monitoring network traffic for anomalies.

Why it matters to you: Your network is the highway that connects everything in your business. If an attacker compromises your router or firewall, they can see and potentially intercept all your traffic. Network segmentation, which means separating your network into sections, ensures that a breach in one area does not automatically give the attacker access to everything.

Control 13: Network Monitoring and Defense

In plain English: Watch your network traffic for signs of attack.

This control goes beyond managing network equipment. It is about actively monitoring what is happening on your network in real time. Intrusion detection systems, traffic analysis, and alerting on suspicious activity all fall under this control.

Why it matters to you: The average breach goes undetected for over 200 days. During that time, attackers are quietly accessing your data, setting up backdoors, and expanding their reach. Active monitoring shrinks that detection window from months to hours or minutes, dramatically limiting the damage.

Control 14: Security Awareness and Skills Training

In plain English: Train your employees to recognize and avoid threats.

Technology cannot stop everything. Your employees are your last line of defense, and often the first target. This control requires regular security awareness training, including simulated phishing exercises, so your team knows how to spot and report suspicious emails, phone calls, and other social engineering tactics.

Why it matters to you: The most sophisticated security technology in the world cannot prevent an employee from willingly entering their password on a fake login page. Training turns your team from your biggest vulnerability into an active part of your defense. It also builds a culture where people feel comfortable reporting suspicious activity without fear of punishment.

Control 15: Service Provider Management

In plain English: Make sure the companies you do business with are also handling security responsibly.

Your business does not operate in isolation. You share data with accounting firms, law firms, cloud providers, payroll companies, and countless other vendors. This control says you should evaluate the security practices of any company that handles your data, include security requirements in your contracts, and monitor their compliance.

Why it matters to you: Some of the biggest breaches in history happened through third-party vendors. If your payroll provider gets hacked, your employees' data is exposed regardless of how good your own security is. You are only as strong as your weakest vendor. For more on this topic, read our guide on the hidden risk of integrations.

Control 16: Application Software Security

In plain English: If your business develops software or custom applications, build security into the process.

This control is most relevant for businesses that develop their own software, websites, or custom applications. It covers secure coding practices, testing for vulnerabilities before deployment, and managing the security of third-party code libraries and components.

Why it matters to you: If your business has a custom application, an internal tool, or a customer-facing web portal, security flaws in that software can be exploited by attackers. Even if you hired a developer to build it, you are responsible for its security. If this does not apply to your business, this control is less of a priority.

Control 17: Incident Response Management

In plain English: Have a plan for what to do when something goes wrong.

This control requires a documented incident response plan that your team has practiced. It covers how to detect an incident, who to notify, how to contain the damage, how to communicate with affected parties, and how to recover normal operations. The plan should be tested at least annually.

Why it matters to you: When a breach happens, panic leads to mistakes. People delete evidence, shut down the wrong systems, or wait too long to act. A practiced plan means everyone knows their role and your business recovers faster. Companies with tested incident response plans save an average of $2 million per breach compared to those without one.

Control 18: Penetration Testing

In plain English: Hire someone to try to break into your systems before the real attackers do.

Penetration testing, or "pen testing," involves hiring ethical hackers to simulate real-world attacks against your business. They try to find and exploit weaknesses in your defenses, then report back with what they found and how to fix it. It is the ultimate test of whether your security actually works.

Why it matters to you: You can have all the policies and tools in the world, but until someone actually tests them, you do not know if they work. Pen testing reveals the gaps that automated tools miss and shows you what an attacker would actually see and do. It is like hiring someone to test your alarm system by actually trying to break in.

How to Get Started (Without Getting Overwhelmed)

You do not need to implement all 18 controls at once. The CIS Controls are designed to be adopted incrementally. Here is a practical approach for a small or mid-sized business:

Start With These 5 Actions

  • Create an inventory -- List every device and piece of software your business uses (Controls 1 and 2). You cannot secure what you do not know about.
  • Enable MFA everywhere -- Turn on multi-factor authentication for email, cloud services, banking, and every other account that supports it (Control 6). This single step blocks over 99% of automated attacks.
  • Automate your updates -- Turn on automatic updates for operating systems, applications, and network equipment (Control 7). Stop leaving known doors open.
  • Back up and test -- Set up automated backups and actually test them by restoring a file at least once per quarter (Control 11). Backups only count if they work.
  • Train your team -- Start with a basic phishing awareness session and build from there (Control 14). Your people are both your biggest risk and your best defense.

Once those foundational steps are in place, work through the remaining controls with your IT provider. A good provider should be able to map their services to CIS Controls and show you where you stand at any given time.

CIS Controls and Your Cyber Insurance

If you have cyber insurance, or if you are applying for it, you will likely encounter questions that map directly to CIS Controls. Insurers want to know:

  • Do you use multi-factor authentication? (Control 6)
  • Do you have endpoint protection on all devices? (Control 10)
  • Do you maintain and test backups? (Control 11)
  • Do you provide security awareness training? (Control 14)
  • Do you have an incident response plan? (Control 17)

Understanding CIS Controls helps you answer these questions accurately and demonstrates to your insurer that you are taking a structured approach to security. This can help you qualify for coverage, avoid claim denials, and potentially reduce your premiums.

How OliveTech Aligns With CIS Controls

At OliveTech, our managed IT services and cybersecurity services are built around frameworks like CIS Controls. When you work with us, you get:

  • Complete asset visibility -- Your LanternOps dashboard shows every device, user, and license across your organization (Controls 1 and 2).
  • Security configuration management -- We configure your systems according to security best practices from day one (Control 4).
  • Access management and MFA enforcement -- We implement and enforce proper access controls so no one has more access than they need (Controls 5 and 6).
  • Continuous monitoring -- Real-time security monitoring, not a report from last month (Controls 8 and 13).
  • Backup management -- Automated, tested backups with verified recoverability (Control 11).
  • Security roadmap -- A clear, prioritized plan for improving your security posture over time, mapped to CIS Controls.

Everything is visible in plain English through your dashboard. No mysteries, no jargon, no waiting for a monthly report to find out what is happening.

The Bottom Line

The CIS Controls are not some abstract academic exercise. They are a practical, prioritized list of actions that protect real businesses from real attacks. You do not need to understand every technical detail. You just need to understand what each control is trying to accomplish and make sure someone on your team, whether internal or an IT partner, is responsible for implementing them.

The most important thing is to start. Even implementing the first five or six controls puts your business ahead of the vast majority of companies your size. Perfect security does not exist, but structured, prioritized security dramatically reduces your risk and demonstrates to clients, partners, and insurers that you take protecting their data seriously.

If you want to see where your business stands against the CIS Controls framework, reach out for a conversation. We will walk you through your current posture, identify the biggest gaps, and give you a clear roadmap for improvement, all in plain English.