CIS Controls v8: Prioritised Security Implementation
The CIS Controls v8 provide a prioritised set of cybersecurity actions organised into Implementation Groups. This guide explains how to assess your organisation's group, select appropriate controls, and build a phased implementation plan.
What Are the CIS Controls?
The Center for Internet Security (CIS) Controls are a prioritised set of 18 cybersecurity safeguards designed to mitigate the most common cyber attacks. Version 8, released in 2021, restructured the controls around activities rather than device ownership, reflecting modern cloud and hybrid environments.
Implementation Groups Explained
CIS Controls v8 introduces three Implementation Groups (IGs) that help organisations prioritise based on their risk profile and resources:
- IG1 (Essential Cyber Hygiene): For organisations with limited cybersecurity expertise. Contains 56 safeguards representing the minimum standard of information security.
- IG2 (Moderate): For organisations with moderate resources and increased risk. Adds 74 safeguards to the IG1 baseline, totalling 130.
- IG3 (Comprehensive): For organisations facing sophisticated threats. Includes all 153 safeguards across the 18 controls.
Every organisation should start with IG1 and progress as capabilities mature.
The 18 Controls at a Glance
The controls cover the full spectrum of cybersecurity: Inventory and Control of Enterprise Assets (1), Software Assets (2), Data Protection (3), Secure Configuration (4), Account Management (5), Access Control (6), Vulnerability Management (7), Audit Log Management (8), Email and Web Protections (9), Malware Defences (10), Data Recovery (11), Network Infrastructure (12), Network Monitoring (13), Security Awareness Training (14), Service Provider Management (15), Application Security (16), Incident Response (17), and Penetration Testing (18).
Starting with Asset Inventory
Controls 1 and 2 form the foundation. You cannot protect what you do not know you have. Begin by deploying automated asset discovery tools, maintaining an accurate inventory with assigned owners, identifying and removing unauthorised assets, and reviewing the inventory at least quarterly.
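The reconciliation step this paragraph describes, as an added example that is not part of the original guide: a discovery scan's output is compared against the authoritative inventory to surface unauthorised assets, assets that have disappeared, entries with no owner, and entries past the quarterly review window. The host records, MAC addresses and dates are constructed for illustration; the 90-day threshold is an assumption drawn from the "at least quarterly" wording.

```python
"""Reconcile automated asset discovery output against the enterprise inventory.

All sample data below is constructed for illustration; none of it describes a
real network. The MAC address is used as the join key, on the assumption that
the discovery tool and the inventory both record it.
"""
from datetime import date, timedelta

# Constructed: records as an automated discovery tool might report them
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01", "hostname": "web-01"},
    {"ip": "10.0.1.11", "mac": "aa:bb:cc:00:00:02", "hostname": "db-01"},
    {"ip": "10.0.1.50", "mac": "AA:BB:CC:00:00:99", "hostname": "unknown-pi"},
]

# Constructed: the authoritative inventory with assigned owner and last review date
INVENTORY = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "web-01", "owner": "platform-team", "last_reviewed": "2024-01-15"},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "db-01", "owner": "", "last_reviewed": "2024-03-01"},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "old-fs-01", "owner": "it-ops", "last_reviewed": "2023-06-01"},
]

REVIEW_INTERVAL = timedelta(days=90)  # assumption: "at least quarterly" means 90 days


def _norm(mac: str) -> str:
    # Discovery tools and inventories often disagree on MAC case; normalise before joining
    return mac.strip().lower()


def reconcile(discovered, inventory, today: date) -> dict:
    """Return the four finding categories an inventory review needs to act on."""
    inventory_by_mac = {_norm(a["mac"]): a for a in inventory}
    seen = {_norm(d["mac"]) for d in discovered}
    findings = {"unauthorised": [], "missing": [], "no_owner": [], "stale_review": []}

    # Discovered but not in the inventory: candidate unauthorised asset (Control 1)
    for d in discovered:
        if _norm(d["mac"]) not in inventory_by_mac:
            findings["unauthorised"].append(d["hostname"])

    for a in inventory:
        # In the inventory but not seen by discovery: decommissioned, offline, or moved
        if _norm(a["mac"]) not in seen:
            findings["missing"].append(a["hostname"])
        # Every asset should have an accountable owner
        if not a["owner"]:
            findings["no_owner"].append(a["hostname"])
        # Entries not reviewed within the review interval need a fresh review
        if today - date.fromisoformat(a["last_reviewed"]) > REVIEW_INTERVAL:
            findings["stale_review"].append(a["hostname"])
    return findings


if __name__ == "__main__":
    for category, hosts in reconcile(DISCOVERED, INVENTORY, date(2024, 4, 1)).items():
        print(f"{category}: {hosts}")
```

Run it once after each discovery scan and feed the `unauthorised` and `missing` lists into the removal or decommissioning workflow; the `stale_review` list is what drives the quarterly review cadence.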
Access Control Fundamentals
Control 5 (Account Management) and Control 6 (Access Control Management) address the most exploited attack vector: compromised credentials. Key actions include:
- Establishing an account lifecycle process covering creation, modification, and deactivation
- Implementing multi-factor authentication for all administrative and remote access
- Applying the principle of least privilege across all accounts
- Reviewing access rights quarterly and revoking unnecessary permissions
- Disabling default and dormant accounts
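The account checks in the list above, turned into detection logic as an added example (not code from the original guide): each enabled account is tested for the conditions the list names, namely a default account left enabled, administrative or remote access without MFA, and dormancy. The account records, the 90-day dormancy threshold and the list of default account names are constructed assumptions for illustration.

```python
"""Audit an account export for the Control 5 and 6 conditions an access review looks for.

The account records are constructed for illustration. Real input would come from
a directory or IAM export; the field names here are an assumption.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumption: no login in 90 days counts as dormant
# Constructed list of typical vendor default account names; extend for your platforms
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "guest", "root"}

# Constructed sample export: username, privilege, MFA state, last login, enabled, remote access
ACCOUNTS = [
    {"username": "alice", "admin": True,  "mfa": True,  "last_login": "2024-03-28", "enabled": True,  "remote": True},
    {"username": "bob",   "admin": True,  "mfa": False, "last_login": "2024-03-30", "enabled": True,  "remote": False},
    {"username": "carol", "admin": False, "mfa": False, "last_login": "2023-11-01", "enabled": True,  "remote": False},
    {"username": "guest", "admin": False, "mfa": False, "last_login": None,         "enabled": True,  "remote": False},
    {"username": "dave",  "admin": False, "mfa": False, "last_login": "2024-03-25", "enabled": True,  "remote": True},
    {"username": "erin",  "admin": False, "mfa": False, "last_login": "2023-01-01", "enabled": False, "remote": False},
]


def audit_accounts(accounts, today: date) -> list:
    """Return (username, finding) pairs for every enabled account that fails a check."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already deactivated; nothing further to flag
        name = a["username"]
        if name.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append((name, "default account enabled"))
        # MFA is required for administrative and remote access
        if (a["admin"] or a["remote"]) and not a["mfa"]:
            findings.append((name, "admin or remote access without MFA"))
        # Never logged in, or no login within the dormancy window
        last = a["last_login"]
        if last is None or today - date.fromisoformat(last) > DORMANT_AFTER:
            findings.append((name, "dormant account"))
    return findings


def accounts_to_disable(accounts, today: date) -> list:
    """Usernames whose findings call for deactivation rather than remediation."""
    disable_reasons = {"default account enabled", "dormant account"}
    return sorted({name for name, reason in audit_accounts(accounts, today) if reason in disable_reasons})


if __name__ == "__main__":
    for name, reason in audit_accounts(ACCOUNTS, date(2024, 4, 1)):
        print(f"{name}: {reason}")
    print("disable:", accounts_to_disable(ACCOUNTS, date(2024, 4, 1)))
```

Running this against a fresh export at the start of each quarterly review gives the reviewer a concrete worklist: MFA findings go to remediation, while the `accounts_to_disable` output goes to the deactivation step of the account lifecycle process.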
Building an Incident Response Capability
Control 17 addresses incident response, critical even for IG1 organisations. At minimum:
- Designate an incident response team with defined roles
- Create a basic incident response plan covering detection, containment, eradication, and recovery
- Establish communication procedures for stakeholders
- Conduct tabletop exercises at least annually
- Document lessons learned after each incident
Phased Implementation Strategy
For organisations just starting:
- Assess your organisation against IG1 safeguards to establish a baseline
- Prioritise closing critical gaps, especially in asset management and access control
- Implement safeguards in phases, using a 90-day rolling plan
- Measure progress using the CIS Controls Assessment Specification
- Graduate to IG2 safeguards once IG1 is consistently maintained
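The assess, prioritise and phase steps above, carried through as one added example that is not part of the original guide: safeguard statuses from an assessment are scored into an IG coverage figure, the open gaps are ordered so that asset management and access control come first, and the ordered gaps are cut into rolling phases. The safeguard subset, its IG assignments and its statuses are constructed for illustration and should be replaced with the IG column of the published CIS Controls v8 document; the scoring weights and phase size are assumptions.

```python
"""Score an assessment against an Implementation Group and build a phased gap plan.

The safeguard list is a constructed subset for illustration. IG membership must be
taken from the published CIS Controls v8 document for a real assessment.
"""

# Constructed assessment result: safeguard id, parent control, IG it belongs to, current status
SAFEGUARDS = [
    {"id": "1.1",  "control": 1,  "ig": 1, "status": "implemented"},
    {"id": "1.2",  "control": 1,  "ig": 1, "status": "not_implemented"},
    {"id": "1.3",  "control": 1,  "ig": 2, "status": "not_implemented"},
    {"id": "5.1",  "control": 5,  "ig": 1, "status": "partial"},
    {"id": "5.3",  "control": 5,  "ig": 1, "status": "not_implemented"},
    {"id": "6.5",  "control": 6,  "ig": 1, "status": "implemented"},
    {"id": "8.2",  "control": 8,  "ig": 1, "status": "not_implemented"},
    {"id": "17.1", "control": 17, "ig": 1, "status": "partial"},
]

# Controls the guide says to close first: asset inventory (1, 2) and access control (5, 6)
FOUNDATION_CONTROLS = {1, 2, 5, 6}
# Assumption: partial implementation earns half credit
STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}


def applicable(safeguards, ig: int) -> list:
    """IG2 includes every IG1 safeguard, and IG3 includes both, so filter on ig <= target."""
    return [s for s in safeguards if s["ig"] <= ig]


def ig_coverage(safeguards, ig: int) -> float:
    """Weighted fraction of the target IG's safeguards that are in place (0.0 to 1.0)."""
    scope = applicable(safeguards, ig)
    if not scope:
        return 0.0
    return sum(STATUS_WEIGHT[s["status"]] for s in scope) / len(scope)


def prioritised_gaps(safeguards, ig: int) -> list:
    """Open safeguards for the target IG, foundation controls first, then by control number."""
    gaps = [s for s in applicable(safeguards, ig) if s["status"] != "implemented"]
    return sorted(gaps, key=lambda s: (s["control"] not in FOUNDATION_CONTROLS, s["control"], s["id"]))


def rolling_plan(gaps, per_phase: int) -> list:
    """Cut the ordered gap list into phases of per_phase safeguards each (e.g. one per 90 days)."""
    return [[g["id"] for g in gaps[i:i + per_phase]] for i in range(0, len(gaps), per_phase)]


if __name__ == "__main__":
    print(f"IG1 coverage: {ig_coverage(SAFEGUARDS, 1):.0%}")
    plan = rolling_plan(prioritised_gaps(SAFEGUARDS, 1), per_phase=2)
    for n, phase in enumerate(plan, start=1):
        print(f"phase {n}: {phase}")
```

Re-running `ig_coverage` after each phase gives the progress measure the plan calls for, and the graduation rule in the last step can be expressed as moving the `ig` argument from 1 to 2 once IG1 coverage has stayed at 100% across consecutive assessments.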
The CIS Controls provide a practical, community-driven roadmap that complements broader frameworks like NIST CSF and can be mapped to regulatory requirements to demonstrate due diligence.