The 12 CyberFundamentals Control Categories Explained

CyberFundamentals organizes security measures into 12 control categories. Each category addresses a specific aspect of cybersecurity. Here's what they cover and why they matter.

Figure: interlocking gears. The 12 control categories work together as an integrated system.

The NIST Framework Structure

CyberFundamentals follows the NIST Cybersecurity Framework's five core functions:

  • Identify: Know what you have and your risks
  • Protect: Safeguard your assets
  • Detect: Find security events
  • Respond: Take action on incidents
  • Recover: Restore normal operations

The 12 Categories

AM: Asset Management (Identify function; included in the Small tier)

Know what hardware, software, and data you have. You can't protect what you don't know exists.

Why it matters: Shadow IT and unknown assets are common attack vectors. Complete visibility is fundamental.

Examples:

  • Hardware inventory (computers, servers, network devices)
  • Software inventory and licenses
  • Data classification (what's sensitive, where is it)
  • Asset ownership assignment
  • End-of-life tracking

RA: Risk Assessment (Identify function)

Identify and evaluate cybersecurity risks to your organization. Understand what could go wrong and how likely it is.

Why it matters: Risk-based decisions ensure you invest resources where they matter most.

Examples:

  • Threat identification
  • Vulnerability assessment
  • Impact analysis
  • Risk prioritization
  • Risk treatment planning

AC: Access Control (Protect function; included in the Small tier)

Ensure only authorized people can access systems and data. The right access for the right people at the right time.

Why it matters: Compromised credentials are involved in 80%+ of breaches. Strong access control is critical.

Examples:

  • User authentication (passwords, MFA)
  • Authorization (who can do what)
  • Least privilege principle
  • Privileged access management
  • Access reviews

AT: Awareness & Training (Protect function)

Educate employees about security risks and their responsibilities. People are your first line of defense.

Why it matters: Human error causes most security incidents. Trained employees recognize and avoid threats.

Examples:

  • Security awareness training
  • Phishing simulations
  • Role-specific security training
  • Onboarding security orientation
  • Regular refresher training

DS: Data Security (Protect function; included in the Small tier)

Protect data at rest, in transit, and in use. Keep sensitive information confidential and intact.

Why it matters: Data is what attackers want. Encryption and proper handling prevent unauthorized access.

Examples:

  • Data encryption (at rest and in transit)
  • Data backup procedures
  • Data retention policies
  • Secure data disposal
  • Data loss prevention

IP: Information Protection (Protect function)

Establish policies and processes for handling information securely throughout its lifecycle.

Why it matters: Consistent information handling reduces accidental exposure and compliance violations.

Examples:

  • Information classification policies
  • Document handling procedures
  • Clean desk policy
  • Removable media controls
  • Information sharing guidelines

MA: Maintenance (Protect function; included in the Small tier)

Keep systems updated, patched, and properly maintained. Outdated systems are vulnerable systems.

Why it matters: Unpatched vulnerabilities are easy targets. Regular maintenance closes security gaps.

Examples:

  • Patch management process
  • System updates schedule
  • Maintenance windows
  • Change management
  • Configuration management

PT: Protective Technology (Protect function; included in the Small tier)

Deploy security tools and technologies to protect your environment, layered so that no single control is relied on alone (defense in depth).

Why it matters: Technical controls automate protection and catch what humans miss.

Examples:

  • Firewalls and network security
  • Antivirus/antimalware
  • Email security (spam, phishing filters)
  • Web filtering
  • Endpoint protection

PS: Physical Security (Protect function; included in the Small tier)

Protect physical assets, facilities, and equipment. Digital security starts with physical security.

Why it matters: Physical access can bypass digital controls. Lock the door before configuring the firewall.

Examples:

  • Building access controls
  • Visitor management
  • Server room security
  • Device locks and cables
  • CCTV and monitoring

DE: Detection (Detect function)

Monitor systems and networks to identify security events. Find problems before they become disasters.

Why it matters: Average breach detection takes months. Early detection limits damage.

Examples:

  • Security monitoring
  • Log analysis
  • Intrusion detection systems
  • Anomaly detection
  • Security alerts

RS: Response (Respond function)

Have plans and capabilities to respond to security incidents. When something happens, act fast and effectively.

Why it matters: Incident response speed determines breach impact. Preparation beats improvisation.

Examples:

  • Incident response plan
  • Response team and roles
  • Communication procedures
  • Containment strategies
  • Evidence preservation

RC: Recovery (Recover function)

Restore systems and operations after an incident. Get back to normal quickly and safely.

Why it matters: Business continuity depends on recovery capability. Downtime costs money.

Examples:

  • Backup and restore procedures
  • Business continuity plan
  • Disaster recovery plan
  • Recovery testing
  • Post-incident improvement

Controls by Tier

Each tier builds on the previous one:

Tier       Controls  Coverage
Small      7         AC, AM, DS, MA, PT, PS (basics)
Basic      34        All categories covered
Important  117       Comprehensive coverage
Essential  140       Maximum protection

Implementation Approach

Work through categories systematically:

  1. Start with categories marked "Small" - they're foundational
  2. Within each category, implement basic controls first
  3. Build evidence and documentation as you go
  4. Progress to advanced controls as resources allow
  5. Review and improve continuously

Need Help with Implementation?

Easy Cyber Protection guides you through each control category with clear tasks, evidence templates, and progress tracking.

Frequently Asked Questions

Do I need to implement all categories?

At minimum, yes - all categories should have some coverage. The depth depends on your tier. Small tier covers basics across key categories. Higher tiers require comprehensive implementation.

Which categories are most important?

Access Control (AC) and Protective Technology (PT) block most attacks. But all categories work together - gaps in one area can undermine others.

How do categories relate to NIS2 requirements?

CyberFundamentals categories map directly to NIS2 Article 21 requirements. Implementing CyberFundamentals at the appropriate tier demonstrates NIS2 compliance.

Can I focus on certain categories first?

Yes. Start with Access Control, Protective Technology, Data Security, and Maintenance (the Small tier focus). These provide the most immediate protection.

How are controls within categories prioritized?

The CCB framework assigns controls to tiers based on importance and effort. Small tier has foundational controls. Each subsequent tier adds more advanced measures.
