CIS 20 and HIPAA

CIS 20, or SANS 20, is the name used to reference a list of security controls that are intended to be used in the absence of any framework like NIST or HIPAA requirements.  If you are trying to get the most bang for your buck and you know you are way behind on your security program, CIS 20 may be the thing for you.


HIPAA For MSPs by David Sims: CIS20 and HIPAA

CIS 20 and HIPAA

These controls were built by the SANS Institute and later transferred to the Center for Internet Security (CIS) to maintain.  Since there are 20 of them, we have the CIS 20.  In many ways, it is the all-important checklist that people want us to give them.  You know the one: the checklist I complete, and from that point forward I am HIPAA compliant.  It really won’t do that for you, but it does present the security controls in phases that are broken down into steps to follow.  There is even a mapping to HIPAA that helps you sort out what is getting done.  You are supposed to do them in order to build a security program that protects your systems and data.

Since we review these types of discussions often, why not use it as a solution for those who have this need?  Here is how it stacks up.

How much of HIPAA do you really get done with the CIS 20?

According to advocates of the 20 it was designed with the Pareto Principle in mind.  Most of us know that as the 80/20 rule.  80% of your results actually come from 20% of your overall work.  I always hear it relating to sales.  You talk to 10 people to get 8 no’s and 2 yes’s.  The 20 uses the same concept.  If you do the first 5 controls you will prevent 80% of the Internet-based attacks.

Before you get all excited that you only have to do 5 things, let’s be clear.  The controls are more like projects to complete than switches to flip.  It is very much like using the NIST CSF or any other framework.  It just doesn’t look at the big picture of the organization.  The first 5 cover essentially what security pros see as the bare minimums.  As you continue through the phases, you are building a more complete security program.

The bottom line is you have to do the work no matter how you want to approach it.  This one is based on Know, Protect, and Prepare.  NIST CSF is Identify, Protect, Detect, Respond, and Recover.  Do you see how one seems to be sort of like a smaller version of the other?

The phases of the CIS 20 and HIPAA


1 – Inventory and Control of Hardware Assets.  Note: There are 8 sub-controls under this one item.  This isn’t just “do a spreadsheet of hardware” and you are done.

2 – Inventory and Control of Software Assets.  There are 10 sub-controls under this one.

3 – Continuous Vulnerability Management

4 – Controlled Use of Administrative Privileges

5 – Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

6 – Maintenance, Monitoring, and Analysis of Audit Logs

That is what you should focus on first.  Until you are doing these things well, you haven’t done the basics.  All of those things relate directly to HIPAA security rule and assessment requirements.


7 – Email and Web Browser Protections

8 – Malware Defenses

9 – Limitation and Control of Network Ports, Protocols, and Services

10 – Data Recovery Capabilities

11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

12 – Boundary Defense

13 – Data Protection – this is what gets moved to the Basics section under HIPAA.  You need to know where and what you need to protect.  This is another difference between this shortcut version and NIST CSF.

14 – Controlled Access Based on the Need to Know – same as above when it comes to HIPAA

15 – Wireless Access Control

16 – Account Monitoring and Control

Now, you have done the foundations for a successful program.  Again, nothing shocking in this to-do list.  What is interesting, though, is that this section is where most IT people want to start.  It is also where most people would assume you would start.  If this whole community of security professionals says you should NOT start here, why would you argue when we want to do steps 1-6?  Just sayin….

As you can see, to follow HIPAA you would need to not just do the first 5 and stop.  You need to get through this phase as well.


17 – Implement a Security Awareness and Training Program

18 – Application Software Security

19 – Incident Response and Management

20 – Penetration Tests and Red Team Exercises

In this section they do make it clear that these are critical, foundational parts of an effective security program, but now you are getting to the administrative parts, the ones that don’t involve specific technical controls to implement.

You can get all of the free and paid options offered by CIS at

One more thing.  They have added a companion guide for Mobile Security and another for IoT security.  We haven’t gone into them here but they will provide a similar solution for those problems.

If you want to use something as an intermediate step to a cybersecurity framework then CIS 20 would be perfect for your introduction.  If you want to up your game from just basic HIPAA security rule compliance you can also use the CIS 20.  If you want to have a step by step list of actions to take and the best order to address them then use the CIS 20.  Clearly, there are many ways that this short list can assist any organization to build a better security program.