
SANS CIS 20 Controls and GDPR Compliance

The new EU (European Union) General Data Protection Regulation (GDPR) came into effect on May 25, 2018.

The Center for Internet Security (CIS) publishes a set of prioritized security controls that help organizations meet the security obligations of the GDPR. The GDPR requires data controllers and data processors to implement appropriate technical and organizational measures so that processing is carried out in accordance with the Regulation (Articles 24, 28 and 32); the CIS Controls are a practical catalogue of such measures, combining cybersecurity solutions and best practices.


Related post: NIST, CIS/SANS 20, ISO 27001 – Simplifying Security Control Assessments

Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.


The CIS Controls are a recommended set of cyber defense actions that take a specific, actionable approach to stopping the most prevalent attacks. They are deliberately a comparatively short list of high-priority, high-impact defensive actions, a "do-first, must-do" starting point for every enterprise trying to improve its cybersecurity posture.


Which Essential CIS Controls Do You Need to Know for GDPR Compliance?

The following sections describe some top CIS controls as well as their benefits for GDPR compliance.


CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Gaps in logging and log analysis let attackers hide their presence, their tooling and their activity on compromised systems. Even an organization that knows a system has been compromised cannot reconstruct how the attack happened, or what the adversary did afterwards, without complete and tamper-protected logs. Without a reliable audit log system, attacks go undetected for long periods and the resulting damage grows accordingly.

The Maintenance, Monitoring and Analysis of Audit Logs control requires that local logging be enabled on all critical systems and network devices, and that each log entry carry the detail needed for investigation: event source, source address, date and timestamp, user, and other essential context. Enterprises must also deploy central log management, log analytics or a SIEM, and review the logs regularly rather than only after an incident. Adhering to this control supports Article 30 of the GDPR (records of processing activities) as the page notes, and, more directly, the security of processing required by Article 32 and the ability to detect a personal data breach quickly enough to meet the 72-hour notification deadline of Article 33.
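Two of the failure modes this control targets are records that lack the fields an investigator needs and log sources that quietly stop reporting. The following script, an added example rather than code from the original article or from CIS, checks both over a handful of constructed JSON-per-line records of the kind a central collector might store; the field names, hosts and timestamps are assumptions made for illustration.

```python
"""Audit collected logs for missing required fields and for silent log sources.

Added example, not from the original article. The log lines, field names,
hosts and the one-hour "silence" threshold are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
import json

# Fields the control expects on every record (assumed schema for this example).
REQUIRED_FIELDS = ("timestamp", "host", "source_ip", "user", "event")

# Constructed sample: one JSON object per line, as a collector might store them.
# Line 3 lacks a user; line 5 is not valid JSON at all.
SAMPLE_LOGS = """\
{"timestamp": "2018-05-25T08:00:05Z", "host": "db01", "source_ip": "10.1.2.3", "user": "alice", "event": "login"}
{"timestamp": "2018-05-25T08:00:09Z", "host": "web01", "source_ip": "10.1.5.7", "user": "svc-web", "event": "config_change"}
{"timestamp": "2018-05-25T08:01:00Z", "host": "db01", "source_ip": "10.1.2.3", "event": "query"}
{"timestamp": "2018-05-25T09:30:00Z", "host": "web01", "source_ip": "10.1.5.7", "user": "bob", "event": "logout"}
not json at all
"""


def parse_records(text):
    """Parse one JSON object per line; return (records, malformed_line_numbers)."""
    records, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed.append(n)
    return records, malformed


def missing_fields(record):
    """Required fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in ("", None)]


def silent_hosts(records, now, max_gap):
    """Hosts whose most recent record is older than max_gap before `now`."""
    last_seen = {}
    for r in records:
        if "timestamp" in r and "host" in r:
            ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            if r["host"] not in last_seen or ts > last_seen[r["host"]]:
                last_seen[r["host"]] = ts
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


def audit(text, now, max_gap=timedelta(hours=1)):
    """Return malformed lines, incomplete records and hosts that stopped logging."""
    records, malformed = parse_records(text)
    incomplete = [(r.get("host"), missing_fields(r)) for r in records if missing_fields(r)]
    return {
        "malformed_lines": malformed,
        "incomplete": incomplete,
        "silent_hosts": silent_hosts(records, now, max_gap),
    }


def run_sample():
    """Audit the constructed sample as of a fixed, assumed review time."""
    review_time = datetime(2018, 5, 25, 9, 45, tzinfo=timezone.utc)
    return audit(SAMPLE_LOGS, review_time)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2, default=str))
```

On the sample, db01 is reported silent because its newest record is 1 hour 44 minutes old at the review time, while web01 logged 15 minutes earlier and is not; the same logic, run on a schedule against the central store, turns "review logs periodically" into a check that fires before a gap becomes an evidence problem.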


CIS Control 14: Controlled Access Based on the Need to Know

Losing control over sensitive or protected information is a serious threat to business continuity. Data theft or espionage can follow from weak data security practices, an incomplete or ineffective privacy policy, or the actions of disgruntled or negligent employees and customers.

The Controlled Access Based on the Need to Know control directs organizations to segment the network by data sensitivity, disable workstation-to-workstation communication, enforce firewall filtering between VLANs, encrypt all personal or confidential data at rest and in transit, enforce access to sensitive data with automated access-control tools, and keep detailed logs of every access to, or change of, critical data. This control maps to several GDPR provisions, including Article 5(1)(b), Article 5(1)(f), Article 6(4)(e), Article 25(2), Article 32(1)(a)-(d), and Article 35(1).


CIS Control 19: Incident Response and Management

Organizations with preventive and detective security controls in place can still suffer a damaging data breach. Companies cannot underestimate the importance of the incident response and management capability that takes over in the aftermath of an attack. Without established incident handling procedures, an organization may be unable to contain the incident or recover critical data even when the attack itself is detected. Once an attack is under way, it is too late to define the procedures, evidence collection, legal protocols, management responsibilities, and reporting lines needed to understand, manage, and recover from the loss; under the GDPR this matters doubly, because Article 33 gives a controller only 72 hours from becoming aware of a breach to notify the supervisory authority.

The Incident Response and Management control advises companies to document written incident response procedures, assign incident response roles and responsibilities by job title, define standards for reporting incidents, designate management personnel to support incident handling, run periodic incident scenario exercises for staff, publish guidance on how to report computer incidents and anomalies, and maintain up-to-date contact information for reporting security incidents to third parties and authorities.


CIS Control 13: Data Protection

Threats to data are among the fastest-moving problems in today's cybersecurity landscape. Organizations with insufficient or inadequate security controls are one step from a data breach, and under the GDPR they bear the brunt of heavy fines when it happens. Attackers increasingly use sophisticated, low-profile exfiltration techniques to steal the sensitive data of individuals and companies.

To avoid GDPR penalties, the enterprise should follow the guidance in the CIS Data Protection control. It directs enterprises to maintain an inventory of sensitive data, remove data that is no longer needed, block unauthorized network traffic (including exfiltration paths), allow access only to authorized identities, apply encryption to data on hardware and software assets, and manage removable devices such as USB storage. The Data Protection control is of paramount importance because it applies to many GDPR provisions, including Article 5(1)(f), Article 24(2), Article 25(2), Article 28(4), Article 32(2), Article 35(1), and more.
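Maintaining an inventory of sensitive data starts with finding it. The script below is an added example, not code from the original article or from CIS: it scans text for e-mail addresses and card-number-shaped digit runs, and validates the latter with the Luhn checksum so that order numbers and ticket IDs are not reported as payment data. The sample document, e-mail address and card numbers are constructed for illustration (4111 1111 1111 1111 is the standard Visa test number).

```python
"""Discover likely personal and payment data in text for a sensitive-data inventory.

Added example, not from the original article. The sample document and all
identifiers in it are constructed; the test card number is a public test PAN.
"""
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digit runs, optionally separated by spaces or dashes, as PANs appear in documents.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: one real-format PAN, one digit run that fails Luhn,
# and a 13-digit ticket number that also fails Luhn.
SAMPLE_DOC = """Customer export, constructed for this example.
Contact: jane.doe@example.com
Card on file: 4111 1111 1111 1111
Order ref: 4111 1111 1111 1112
Ticket: 1234567890123
"""


def luhn_valid(digits):
    """Luhn checksum over a string of digits; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits so the finding is usable but not a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_sensitive(text):
    """Return (category, value) findings; PANs are returned masked."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_sample():
    """Scan the constructed sample document."""
    return find_sensitive(SAMPLE_DOC)


if __name__ == "__main__":
    for category, value in scan_sample():
        print(f"{category:6} {value}")
```

Two of the three digit runs in the sample fail the Luhn check and are dropped, which is the difference between an inventory an owner will act on and one they will ignore as noise. In a real scan the findings would be keyed by file path and owner and fed into the data inventory and retention review that the control calls for.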


CIS Control 17: Implement a Training and Security Awareness Program

It is tempting to think of cyber defense as mainly a technical challenge, but the actions of people decide whether an organization's defenses succeed or fail. People play essential roles in every phase of system design, implementation, and operation, by following processes and respecting policies. A lack of workforce training can do grave damage: untrained employees may not recognize phishing or ransomware, may ignore password policies, may fail to comply with rules and regulations, and may expose or lose data through carelessness.

The Implement a Training and Security Awareness Program control helps enterprises perform a skills gap analysis, deliver training that closes the gaps found, run an awareness program, refresh the awareness content regularly, and train the workforce in secure authentication, handling of sensitive data, avoiding unintentional data exposure, and reporting incidents.


Other CIS Controls to Consider

CIS Control 1: Inventory & Control of Hardware Assets establishes the importance of knowing every hardware device on the network; an accurate inventory underpins system backup, incident response and data recovery. The control requires enterprises to actively manage (inventory, track, and correct) all hardware devices attached to the network, so that only authorized devices are given access and unauthorized or unmanaged devices are found and prevented from gaining access. Knowing where personal data lives is a precondition for protecting it under the GDPR.


CIS Control 2: Inventory & Control of Software Assets plays the equivalent role for software. It helps enterprises protect their vital software assets against attack by ensuring that only authorized software is installed and can execute, and that unmanaged or unauthorized software is found and prevented from installation or execution. Since personal data is processed by software, controlling the software estate is indispensable for GDPR compliance.


CIS Control 7: Email & Web Browser Protection control advises organizations to:


CIS Control 8: Malware Defenses requires that anti-malware tooling operate in a dynamic environment through rapid updating, large-scale automation, and integration with processes such as incident response.

Malware defenses should be deployed at multiple potential points of entry to identify, prevent or control the execution of malicious code. The control also advises enterprises to use anti-exploitation features such as Data Execution Prevention (DEP) to protect applications and executables, and to configure devices to automatically scan newly inserted or connected removable media for malware.

Organizations should enable command-line audit logging for command shells such as Microsoft PowerShell, and enable DNS query logging so that lookups of known-malicious domains can be detected.
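Both logging recommendations only pay off when something consumes the logs. The script below is an added example, not code from the original article or from CIS: it runs two detections over constructed log data, matching DNS query logs against a blocklist by domain suffix (so that a lookup of `notevil.example` does not match a blocked `evil.example`), and flagging PowerShell command lines that use encoded commands, hidden windows, profile bypass or an execution-policy bypass. The blocklist domains, hosts, log format and command lines are assumptions for illustration; the encoded payload is simply the UTF-16LE string "Get-Date".

```python
"""Detections over DNS query logs and PowerShell command-line audit logs.

Added example, not from the original article. The blocklist, DNS log lines
and command lines are constructed; the "-enc" payload encodes "Get-Date".
"""
import re

# Constructed blocklist; in practice this comes from a threat-intelligence feed.
BAD_DOMAINS = {"evil.example", "c2.invalid"}


def domain_matches(qname, blocklist):
    """True if qname is a blocked domain or a subdomain of one.

    Matching is label-by-label, never by substring, so 'notevil.example'
    does not match 'evil.example' while 'beacon.evil.example' does.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Constructed dnsmasq-style query log lines.
DNS_LOG = """\
May 25 08:00:01 gw dnsmasq[412]: query[A] www.example.org from 10.1.2.10
May 25 08:00:02 gw dnsmasq[412]: query[A] beacon.evil.example from 10.1.2.33
May 25 08:00:03 gw dnsmasq[412]: query[A] notevil.example from 10.1.2.10
May 25 08:00:04 gw dnsmasq[412]: query[TXT] c2.invalid. from 10.1.2.33
"""
DNS_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def dns_hits(log_text, blocklist=BAD_DOMAINS):
    """Return (client_ip, queried_domain) for every lookup of a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and domain_matches(m.group(1), blocklist):
            hits.append((m.group(2), m.group(1).rstrip(".")))
    return hits


# Constructed process command lines, as a SIEM would hold them after parsing
# process-creation events with command-line auditing enabled.
PS_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA==",
    "powershell.exe Get-ChildItem C:\\Users",
]

# Each rule: (regex over the command line, label for the analyst).
SUSPICIOUS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
]


def powershell_hits(cmdlines):
    """Return (command_line, [reasons]) for command lines matching any rule."""
    hits = []
    for cmd in cmdlines:
        reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for client, domain in dns_hits(DNS_LOG):
        print(f"DNS  {client} looked up blocked domain {domain}")
    for cmd, reasons in powershell_hits(PS_CMDLINES):
        print(f"PS   {', '.join(reasons)}: {cmd}")
```

The first PowerShell line is flagged only for its execution-policy bypass, which a scheduled administrative script may legitimately use; the second trips three rules at once and is the one an analyst should look at first. Ranking by the number of matched rules is a simple way to keep this kind of detection from drowning in benign administration.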



As the sections above show, the essential CIS Controls give organizations a concrete, prioritized path toward GDPR compliance. Non-compliant organizations face substantial penalties, and organizations that have been subject to the GDPR since May 25, 2018 can use the CIS Controls to put the technical and organizational measures the Regulation demands into practice.

This blog post was first published on May 15, 2018, and has been updated on May 31, 2018.