The CIS Critical Security Controls are a prioritised, community-developed set of safeguards for defending against the most prevalent cyber attacks. Version 8 has 18 controls, each broken down into specific, measurable safeguards. Their strength is prioritisation — they tell you what to do first for the biggest risk reduction.
The 18 CIS Controls (v8)
| # | Control |
|---|---|
| 1 | Inventory and Control of Enterprise Assets |
| 2 | Inventory and Control of Software Assets |
| 3 | Data Protection |
| 4 | Secure Configuration of Enterprise Assets and Software |
| 5 | Account Management |
| 6 | Access Control Management |
| 7 | Continuous Vulnerability Management |
| 8 | Audit Log Management |
| 9 | Email and Web Browser Protections |
| 10 | Malware Defenses |
| 11 | Data Recovery |
| 12 | Network Infrastructure Management |
| 13 | Network Monitoring and Defense |
| 14 | Security Awareness and Skills Training |
| 15 | Service Provider Management |
| 16 | Application Software Security |
| 17 | Incident Response Management |
| 18 | Penetration Testing |
Implementation Groups (IG1–IG3)
| Group | For | Meaning |
|---|---|---|
| IG1 | Every organisation | Essential cyber hygiene — the baseline all should meet |
| IG2 | Organisations with moderate resources/risk | IG1 plus safeguards for more complex environments |
| IG3 | Mature, high-risk enterprises | All safeguards, including those for sophisticated threats |
Each control contains safeguards tagged to an Implementation Group, so you can adopt a defensible subset matched to your risk and resources.
Adoption roadmap
- Choose your Implementation Group (IG1 is the starting point for most organisations).
- Inventory enterprise assets and software first (Controls 1–2) — you cannot protect what you cannot see.
- Implement data protection, secure configuration and account/access management (Controls 3–6).
- Add vulnerability management, logging, malware and recovery (Controls 7–11).
- Mature network defense, awareness, vendor management and application security (Controls 12–16).
- Establish incident response and penetration testing (Controls 17–18).
- Measure safeguard implementation and close gaps.
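The cumulative IG tagging described above and the roadmap's last step (measure safeguard implementation, close gaps) as an added Python example; it is not CIS material, and the safeguard entries are constructed illustrative samples, not the official CIS v8 safeguard list.

```python
from dataclasses import dataclass

# Implementation Groups are cumulative: IG2 requires every IG1 safeguard,
# IG3 requires all of them.
IG_ORDER = {"IG1": 1, "IG2": 2, "IG3": 3}


@dataclass(frozen=True)
class Safeguard:
    sid: str       # constructed illustrative id, not an official CIS v8 entry
    control: int   # parent CIS Control number (1-18)
    ig: str        # lowest Implementation Group that requires this safeguard
    title: str


# Constructed sample subset; the real v8 list has 153 safeguards.
SAMPLE = [
    Safeguard("1.1", 1, "IG1", "Maintain an enterprise asset inventory"),
    Safeguard("1.3", 1, "IG2", "Use an active discovery tool"),
    Safeguard("1.5", 1, "IG3", "Use a passive asset discovery tool"),
    Safeguard("2.1", 2, "IG1", "Maintain a software inventory"),
    Safeguard("4.1", 4, "IG1", "Apply secure configuration baselines"),
    Safeguard("6.3", 6, "IG1", "Require MFA for externally exposed apps"),
    Safeguard("8.2", 8, "IG1", "Collect audit logs"),
    Safeguard("8.9", 8, "IG2", "Centralise audit logs"),
    Safeguard("18.1", 18, "IG2", "Maintain a penetration testing programme"),
]


def applicable(safeguards, target_ig):
    """Safeguards an organisation must implement to meet target_ig (cumulative)."""
    level = IG_ORDER[target_ig]
    return [s for s in safeguards if IG_ORDER[s.ig] <= level]


def gap_report(safeguards, target_ig, implemented):
    """Return (coverage_fraction, per_control {control: (done, total)}, gaps)."""
    scope = applicable(safeguards, target_ig)
    done = [s for s in scope if s.sid in implemented]
    gaps = [s for s in scope if s.sid not in implemented]
    per_control = {}
    for s in scope:
        hit, total = per_control.get(s.control, (0, 0))
        per_control[s.control] = (hit + int(s.sid in implemented), total + 1)
    coverage = len(done) / len(scope) if scope else 1.0
    return coverage, per_control, gaps


if __name__ == "__main__":
    cov, per_control, gaps = gap_report(SAMPLE, "IG1", {"1.1", "2.1", "4.1"})
    print(f"IG1 coverage: {cov:.0%}; gaps: {[g.sid for g in gaps]}")
```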
CIS Benchmarks
Beyond the Controls, CIS publishes CIS Benchmarks — consensus secure-configuration baselines for operating systems, cloud platforms, databases and applications. They are widely used to implement Control 4 (secure configuration) and are freely available.
Readiness checklist
- Asset and software inventories are complete and maintained.
- Secure configuration baselines (CIS Benchmarks) are applied.
- Account and access management enforce least privilege and MFA.
- Continuous vulnerability management and patching operate.
- Centralised audit logging and monitoring are in place.
- Backups exist and recovery is tested.
- Security-awareness training runs.
- Service-provider risk is managed.
- Incident response is documented and tested; penetration testing is scheduled.
CIS mapped to other frameworks
| Framework | Relationship |
|---|---|
| NIST CSF | CIS safeguards implement CSF outcomes; official mappings exist |
| ISO 27001 | CIS safeguards satisfy many Annex A controls |
| PCI DSS | CIS Benchmarks help meet secure-configuration requirements |
