CIS Controls v8.1

The CIS Critical Security Controls are a prioritised, prescriptive set of 18 controls from the Center for Internet Security. They tell you not just what to do but in what order — making them one of the most practical starting points for a small or growing security programme. This is a compressed walkthrough of the framework.

At a glance: 18 Controls · 153 Safeguards · IG1–IG3 · Benchmarks · CIS-RAM

What CIS is

CIS is the Center for Internet Security. Its Critical Security Controls distil the most effective defensive actions into a single ordered list. The current release, v8.1, keeps the 18-control structure introduced in v8 and refines it — including better alignment to the NIST Cybersecurity Framework and updated safeguard descriptions.

The big shift in v8 was moving from device-centric thinking to activity-centric, and folding the old "sub-controls" into safeguards — there are 153 of them in total. The controls also map across to many established standards and frameworks, including the NIST CSF, NIST SP 800-53, the ISO 27000 series, PCI DSS and HIPAA.

The five functions

CIS aligns to the same five functions you'll recognise from the NIST Cybersecurity Framework — a clean way to think about where each control sits in the lifecycle:

Identify: Understand assets, data, risk and business context to prioritise effort.
Protect: Safeguards that limit or contain the impact of an event.
Detect: Activities that surface a security event in good time.
Respond: Acting on a detected incident to contain its impact.
Recover: Restoring impaired capabilities and returning to normal operations.
If this feels familiar, it should — it's the same backbone as the NIST CSF, and it echoes the detect / respond / recover thinking in ISO 27001 Annex A.16 and A.17.

Implementation Groups (IG1–IG3)

Not every organisation needs all 153 safeguards on day one. CIS sorts them into three Implementation Groups by maturity and risk, so you can start with the essentials and grow into the rest.

IG1 (56 safeguards): Essential cyber hygiene — the baseline every organisation should meet. Small entities with limited resources.
IG2 (130 safeguards): IG1 plus 74 more. Organisations managing more sensitive data and greater operational complexity.
IG3 (153 safeguards): IG2 plus the final 23. Mature organisations facing sophisticated, targeted threats.
The key idea: IG1 is not a watered-down version — it's the defined floor of essential cyber hygiene. Hit IG1 first, completely, before reaching for IG2/IG3 safeguards.

The 18 Controls

The full ordered list. The IG badge shows the lowest implementation group in which each control first appears.

01 Inventory & Control of Enterprise Assets [IG1]: Know every device — serial, count, make, user. You can't protect what you can't see.
02 Inventory & Control of Software Assets [IG1]: Track installed software — version, licensing, subscription. Block the unauthorised.
03 Data Protection [IG1]: Identify, classify and handle data securely across its lifecycle.
04 Secure Configuration of Enterprise Assets & Software [IG1]: Harden systems from defaults — consistent baselines, no loose ends.
05 Account Management [IG1]: Govern the lifecycle of accounts and credentials (was "Account Monitoring & Control" in v7.1).
06 Access Control Management [IG1]: Least privilege and need-to-know; control administrative rights.
07 Continuous Vulnerability Management [IG1]: Find, prioritise and remediate vulnerabilities on an ongoing basis.
08 Audit Log Management [IG1]: Collect, store and analyse logs — where they go, how they're reviewed, and that they're there when you need them.
09 Email & Web Browser Protections [IG1]: Reduce the attack surface of the two most-targeted entry points (e.g. DMARC).
10 Malware Defenses [IG1]: Prevent and control the installation and spread of malicious code.
11 Data Recovery [IG1]: Tested backups and the ability to restore — your safety net against ransomware.
12 Network Infrastructure Management [IG1]: Securely manage network devices, ports, protocols and services.
13 Network Monitoring & Defense [IG2]: Boundary defence and monitoring — firewall, IDS/IPS, log analysis.
14 Security Awareness & Skills Training [IG1]: Build a security-conscious workforce through an ongoing programme.
15 Service Provider Management [IG1]: Manage the security of third parties that hold or process your data.
16 Application Software Security [IG2]: Secure the software you build or acquire across its lifecycle.
17 Incident Response Management [IG1]: Have a plan, roles and procedures ready before the incident.
18 Penetration Testing [IG2]: Test defences for real — pen tests and red-team exercises.
Note from v7.1 → v8: Wireless Access Control was removed as a standalone control, and several controls were renamed and consolidated as the framework moved from 20 controls to 18.

CIS Benchmarks

Separate from the Controls, CIS Benchmarks are configuration baselines — consensus-built, best-practice hardening guides for specific technologies. There are 100+ benchmarks covering more than 14 technology groups.

Group: Examples
Operating systems: Windows (desktop & server), Ubuntu, Debian, RHEL, SUSE, macOS, Solaris, AIX
Server software: IIS, NGINX, Apache, Tomcat, MS SQL, PostgreSQL, MongoDB, Oracle DB, Docker, Kubernetes
Cloud providers: AWS, Microsoft Azure, Google Cloud Platform
Mobile: Apple iOS, Android
Network devices: Cisco, Juniper, Palo Alto, Check Point Firewall
Desktop software: Chrome, Edge, Firefox, Safari

Each benchmark recommendation references one or more CIS Controls, and each goes through two phases of consensus review before publication. They're the practical "how do I actually configure this box" layer beneath the Controls.

CIS-RAM — the risk model

CIS-RAM (Risk Assessment Method), currently v2.1, is the method for assessing how well your security posture implements the Controls against your acceptable level of risk. Its guiding principles are refreshingly plain:

That last principle is the useful one in practice: it gives you a defensible way to say "this control isn't proportional here" — the same logic that underpins risk treatment in ISO 27005.

How it fits with ISO and NIS2

CIS and ISO aren't rivals — they're complementary layers. ISO 27001 gives the governance and management-system frame; CIS gives the prioritised, technical "do this first" detail; CIS Benchmarks give the box-level configuration.