Center for Internet Security · Global

CIS Controls

A prioritised set of 18 safeguards that stop the most common attacks.

The CIS Critical Security Controls are a prioritised, community-developed set of safeguards to defend against the most prevalent cyber attacks. Version 8 has 18 controls broken into specific, measurable safeguards. Their strength is prioritisation — they tell you what to do first for the biggest risk reduction.

The 18 CIS Controls (v8)

#  | Control
1  | Inventory and Control of Enterprise Assets
2  | Inventory and Control of Software Assets
3  | Data Protection
4  | Secure Configuration of Enterprise Assets and Software
5  | Account Management
6  | Access Control Management
7  | Continuous Vulnerability Management
8  | Audit Log Management
9  | Email and Web Browser Protections
10 | Malware Defenses
11 | Data Recovery
12 | Network Infrastructure Management
13 | Network Monitoring and Defense
14 | Security Awareness and Skills Training
15 | Service Provider Management
16 | Application Software Security
17 | Incident Response Management
18 | Penetration Testing

Implementation Groups (IG1–IG3)

Group | For                                        | Meaning
IG1   | Every organisation                         | Essential cyber hygiene — the baseline all should meet
IG2   | Organisations with moderate resources/risk | IG1 plus safeguards for more complex environments
IG3   | Mature, high-risk enterprises              | All safeguards, including those for sophisticated threats

Each control contains safeguards tagged to an Implementation Group, so you can adopt a defensible subset matched to your risk and resources.

Adoption roadmap

  1. Choose your Implementation Group (IG1 for most starting points).
  2. Inventory enterprise assets and software first (Controls 1–2) — you cannot protect what you cannot see.
  3. Implement data protection, secure configuration and account/access management (Controls 3–6).
  4. Add vulnerability management, logging, malware and recovery (Controls 7–11).
  5. Mature network defense, awareness, vendor management and application security (Controls 12–16).
  6. Establish incident response and penetration testing (Controls 17–18).
  7. Measure safeguard implementation and close gaps.

CIS Benchmarks

Beyond the Controls, CIS publishes CIS Benchmarks — consensus secure-configuration baselines for operating systems, cloud platforms, databases and applications. They are widely used to implement Control 4 (secure configuration) and are freely available.

Readiness checklist

  • Asset and software inventories are complete and maintained.
  • Secure configuration baselines (CIS Benchmarks) are applied.
  • Account and access management enforce least privilege and MFA.
  • Continuous vulnerability management and patching operate.
  • Centralised audit logging and monitoring are in place.
  • Backups exist and recovery is tested.
  • Security-awareness training runs.
  • Service-provider risk is managed.
  • Incident response is documented and tested; penetration testing is scheduled.

CIS mapped to other frameworks

Framework | Relationship
NIST CSF  | CIS safeguards implement CSF outcomes; official mappings exist
ISO 27001 | CIS safeguards satisfy many Annex A controls
PCI DSS   | CIS Benchmarks help meet secure-configuration requirements

How CyberSigma helps

We baseline you against the CIS Controls at the right Implementation Group, apply CIS Benchmark configurations, and turn gaps into a prioritised hygiene programme that also advances your ISO 27001 / NIST goals.

Frequently asked questions

What are CIS Implementation Groups?
IG1–IG3 are tiers of safeguards. IG1 is the minimum "essential cyber hygiene" every organisation should meet; IG2 and IG3 add safeguards for higher-risk enterprises.
Are CIS Controls free?
Yes, the CIS Controls and many supporting resources (like CIS Benchmarks) are freely available from the Center for Internet Security.

Need help with CIS Controls?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about the Controls to compliance, with a scoped, guided programme.