CIS Controls v8
CIS Controls v8 is a prioritised set of 18 cybersecurity safeguards developed by the Center for Internet Security, designed to mitigate the most common cyber attacks. Each control is broken into individual safeguards categorised across three Implementation Groups (IG1, IG2, IG3) based on organisational maturity. IG1 defines an essential cyber hygiene baseline of 56 safeguards that every organisation should implement regardless of size.
Overview
What are CIS Controls v8?
CIS Controls v8 is a set of 18 top-level cybersecurity controls, each containing specific safeguards (153 total), developed through a community consensus process led by the Center for Internet Security. They are designed to be actionable, prioritised, and measurable, providing a practical implementation roadmap that complements higher-level frameworks like NIST CSF and ISO 27001. CIS Controls are widely used by organisations that want a concrete 'do this first' checklist for cybersecurity.
What are the three Implementation Groups?
CIS Controls uses Implementation Groups (IGs) to help organisations prioritise safeguards based on their risk profile and resources:
- IG1 (Essential Cyber Hygiene): 56 safeguards representing the minimum standard of information security for all organisations. Suitable for small and medium enterprises with limited IT expertise. Covers the basics: inventory, secure configuration, access control, malware defences, data recovery, and awareness training.
- IG2 (Moderate): Adds 74 safeguards (130 total) for organisations with moderate risk, dedicated IT staff, and regulatory compliance requirements. Includes email and web protections, vulnerability management, audit log management, and incident response.
- IG3 (Advanced): Adds 23 safeguards (153 total) for organisations facing sophisticated adversaries. Includes penetration testing, application security testing, and advanced threat detection.
What are the 18 CIS Controls?
The 18 controls are ordered by priority and cover the full spectrum of cybersecurity defence:
- Controls 1-2: Inventory and Control of Enterprise Assets and Software Assets
- Controls 3-4: Data Protection and Secure Configuration of Enterprise Assets and Software
- Controls 5-6: Account Management and Access Control Management
- Controls 7-8: Continuous Vulnerability Management and Audit Log Management
- Controls 9-10: Email and Web Browser Protections, and Malware Defences
- Controls 11-12: Data Recovery and Network Infrastructure Management
- Controls 13-14: Network Monitoring and Defence, and Security Awareness and Skills Training
- Controls 15-16: Service Provider Management and Application Software Security
- Controls 17-18: Incident Response Management and Penetration Testing
How do CIS Controls map to NIST CSF?
CIS Controls serve as practical implementation guidance for the higher-level NIST CSF outcomes. The CIS website publishes an official mapping showing which CIS safeguards address which NIST CSF subcategories. Our platform extends this with 858 cross-framework mappings, allowing you to see how CIS Controls align with ISO 27001, PCI DSS, HIPAA, and hundreds of other standards simultaneously.
Key Safeguards
| ID | Safeguard |
|---|---|
| 1.1 | Enterprise Asset Inventory |
| 2.1 | Software Inventory |
| 3.1 | Data Management Process |
| 4.1 | Secure Configuration Process |
| 5.1 | Account Inventory |
| 7.1 | Vulnerability Management Process |
| 8.1 | Audit Log Management Process |
| 17.1 | Incident Response Plan |