CIS Critical Security Controls v8

CIS Controls v8 compliance guide

The CIS Critical Security Controls provide 18 prioritized safeguards to protect organizations from cyber threats. Whether you're implementing IG1 essentials or IG3 advanced protections, we help you build effective cybersecurity defenses with clear actions and evidence.

Start security assessmentBook implementation call

What are CIS Controls?

The CIS Critical Security Controls (CIS Controls) are a prioritized set of actions developed by the Center for Internet Security to protect organizations from known cyber attack vectors. Version 8 includes 18 controls with 153 safeguards organized into three Implementation Groups.

Why this matters: CIS Controls are built from real-world attack patterns and defense strategies. They're vendor-agnostic, actionable and widely recognized by cyber insurance providers and auditors as evidence of security due diligence.

Prioritized

Focus on highest-impact defenses first

Actionable

Specific technical safeguards to implement

Maps to NIST CSF, ISO 27001 and SOC 2 requirements.

Who should implement CIS Controls?

Small to medium businesses

Organizations seeking essential cyber hygiene with IG1

Enterprise organizations

Companies with IT departments implementing IG2 or IG3

Critical infrastructure

Organizations protecting essential services and systems

Regulated industries

Financial services, healthcare meeting compliance requirements

Managed service providers

MSPs implementing CIS Controls for clients

Government agencies

Public sector organizations securing sensitive data

How VerifyWise supports CIS Controls compliance

Concrete capabilities that address implementation across all safeguards

Asset inventory and management

Maintain comprehensive inventories of hardware, software and data assets with automated discovery. The platform tracks all devices, applications and sensitive information across your environment, addressing CIS Controls 1 and 2 requirements.

Addresses: Controls 1, 2: Inventory and control of enterprise assets

Vulnerability and patch management

Identify, track and remediate security vulnerabilities across systems. The platform monitors patch status, prioritizes critical updates and maintains audit trails for vulnerability management aligned with Control 7.

Addresses: Control 7: Continuous vulnerability management

Access control and authentication

Manage user accounts, privileges and authentication policies. The platform enforces least privilege principles, tracks account lifecycle and monitors privileged access in line with Controls 5 and 6.

Addresses: Controls 5, 6: Account and access control management

Security monitoring and logging

Collect, analyze and retain security logs from critical systems. The platform centralizes log management, enables threat detection and maintains evidence for incident investigation per Controls 8 and 13.

Addresses: Controls 8, 13: Audit log management and network monitoring

Incident response and recovery

Manage security incidents with structured workflows and recovery procedures. The platform documents incident handling, tracks remediation and enables post-incident analysis aligned with Control 17.

Addresses: Control 17: Incident response management

Policy and compliance tracking

Maintain security policies, standards and compliance evidence. The platform provides templates for CIS-aligned policies, tracks control implementation and generates reports for audits per Control 1.

Addresses: Control 1: Security program and policy management

All security activities are tracked with timestamps, assigned owners and approval workflows. This audit trail demonstrates systematic control implementation for cyber insurance reviews and compliance audits.

Complete CIS Controls v8 safeguards coverage

VerifyWise provides dedicated tooling for all 153 safeguards across three Implementation Groups

18

CIS Controls

153

Safeguards with dedicated tooling

3

Implementation Groups

IG156/56

Essential cyber hygiene for all organizations

IG2131/131

Organizations with IT staff and resources

IG3153/153

Organizations with dedicated security teams

Built for CIS Controls from the ground up

Asset inventory tracking

Automated discovery and management for Controls 1-2

Vulnerability management

Continuous scanning and patch tracking for Control 7

Insurance readiness

Evidence packages for cyber insurance applications

Multi-framework mapping

Crosswalk to NIST CSF, ISO 27001 and SOC 2

18 CIS Critical Security Controls

Prioritized safeguards to defend against known cyber attack vectors

Control 1

Inventory and control of enterprise assets

Actively manage all enterprise assets connected to the infrastructure, ensuring only authorized devices can access the network.

IG1IG2IG3
  • Establish and maintain asset inventory
  • Address unauthorized assets
  • Utilize asset management tools
  • Ensure proper asset addressing

Control 2

Inventory and control of software assets

Actively manage all software on the network so that only authorized software is installed and can execute.

IG1IG2IG3
  • Establish and maintain software inventory
  • Address unauthorized software
  • Utilize software inventory tools
  • Use whitelisting and blacklisting

Control 3

Data protection

Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.

IG1IG2IG3
  • Establish data management process
  • Classify sensitive data
  • Encrypt data at rest and in transit
  • Enforce data retention policies

Control 4

Secure configuration of enterprise assets and software

Establish and maintain secure configurations for enterprise assets and software.

IG1IG2IG3
  • Establish secure configuration process
  • Maintain configuration standards
  • Deploy system configuration management tools
  • Implement automated configuration monitoring

Control 5

Account management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts.

IG1IG2IG3
  • Establish access granting process
  • Maintain inventory of accounts
  • Disable dormant accounts
  • Restrict administrator privileges

Control 6

Access control management

Use processes and tools to create, assign, manage and revoke access credentials and privileges for user, administrator and service accounts.

IG1IG2IG3
  • Establish access review process
  • Centralize access control
  • Require multi-factor authentication
  • Define and maintain role-based access control

Control 7

Continuous vulnerability management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure.

IG1IG2IG3
  • Establish vulnerability management process
  • Perform automated vulnerability scanning
  • Remediate detected vulnerabilities
  • Manage vulnerability remediation lifecycle

Control 8

Audit log management

Collect, alert, review and retain audit logs of events that could help detect, understand or recover from an attack.

IG1IG2IG3
  • Establish audit log management process
  • Collect audit logs
  • Ensure adequate audit log storage
  • Standardize time synchronization

Control 9

Email and web browser protections

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior.

IG1IG2IG3
  • Ensure use of only supported browsers and email clients
  • Use DNS filtering services
  • Maintain and enforce email security policies
  • Block unnecessary file types

Control 10

Malware defenses

Prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets.

IG1IG2IG3
  • Deploy anti-malware software
  • Configure automatic anti-malware updates
  • Enable anti-exploitation features
  • Disable autorun and autoplay

Control 11

Data recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

IG1IG2IG3
  • Establish data recovery process
  • Perform automated backups
  • Protect recovery data
  • Test data recovery regularly

Control 12

Network infrastructure management

Establish, implement and actively manage the security configuration of network infrastructure, including network security controls.

IG2IG3
  • Ensure network infrastructure is up-to-date
  • Establish and maintain secure network architecture
  • Securely manage network infrastructure
  • Deploy network-based IDS

Control 13

Network monitoring and defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats.

IG2IG3
  • Centralize security event alerting
  • Deploy a host-based IDS
  • Perform traffic filtering between network segments
  • Manage access control for remote assets

Control 14

Security awareness and skills training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious.

IG1IG2IG3
  • Establish security awareness program
  • Train workforce on secure authentication
  • Train workforce on data handling
  • Train workforce members on identifying social engineering attacks

Control 15

Service provider management

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms.

IG2IG3
  • Establish service provider management process
  • Maintain inventory of service providers
  • Classify service providers
  • Review and update service provider contracts

Control 16

Application software security

Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses.

IG2IG3
  • Establish application software security program
  • Establish secure coding practices
  • Perform root cause analysis
  • Separate production and non-production systems

Control 17

Incident response management

Establish a program to develop and maintain an incident response capability to discover, contain and recover from attacks.

IG1IG2IG3
  • Designate personnel to manage incidents
  • Establish incident response process
  • Conduct routine incident response exercises
  • Establish and maintain contact information for reporting incidents

Control 18

Penetration testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.

IG3
  • Establish penetration testing program
  • Perform periodic external penetration tests
  • Remediate penetration test findings
  • Validate security controls

Implementation Groups explained

Choose the right safeguards for your organization's resources and risk profile

Implementation Group 1 (IG1)

56 safeguards

Essential cyber hygiene for all organizations

Target audience

Small to medium organizations with limited cybersecurity expertise and resources

Characteristics

  • Limited IT and security resources
  • Baseline security controls
  • Essential protection measures
  • Foundation for security maturity

Includes

Controls 1-11, 14, 17

Implementation Group 2 (IG2)

131 safeguards

Organizations with IT staff and resources

Target audience

Organizations managing multiple departments, systems or locations with dedicated IT resources

Characteristics

  • Dedicated IT staff
  • Moderate security complexity
  • Enhanced monitoring capabilities
  • Risk-based approach

Includes

All IG1 controls + Controls 12, 13, 15, 16

Implementation Group 3 (IG3)

153 safeguards

Organizations with dedicated security teams

Target audience

Organizations with significant cybersecurity expertise, protecting sensitive data or critical infrastructure

Characteristics

  • Dedicated security team
  • Advanced threat protection
  • Comprehensive security program
  • Regulatory compliance focus

Includes

All IG1 + IG2 controls + Control 18

CIS Controls v8 vs v7.1

Key improvements and changes in the latest version

Aspectv7.1v8Change
Total controls
20 Controls18 Controls (consolidated)Streamlined
Safeguards
171 Sub-Controls153 SafeguardsRefined and prioritized
Implementation Groups
3 IGs (IG1, IG2, IG3)3 IGs maintainedClarified guidance
Asset types
Focus on traditional ITIncludes cloud, mobile, IoTModernized coverage
Data protection
Control 13Control 3 (elevated priority)Higher emphasis
Supply chain
Limited guidanceControl 15 (enhanced)Expanded scope
Threat focus
General threatsRansomware and modern attacksUpdated priorities
Metrics
Basic measurementEnhanced measurement guidanceImproved tracking

Migration tip: Organizations on v7.1 should prioritize updated controls like Control 3 (Data Protection), Control 15 (Service Provider Management) and modernized asset inventory for cloud and mobile environments.

View full v8 migration guide

36-week implementation roadmap

A practical path to CIS Controls adoption with clear milestones

Phase 1Weeks 1-6

Foundation

  • Determine appropriate Implementation Group (IG1, IG2, or IG3)
  • Establish asset inventory for hardware and software
  • Define secure configurations and standards
  • Implement basic access control policies
Phase 2Weeks 7-16

Core controls

  • Deploy vulnerability scanning and patch management
  • Implement audit logging and monitoring
  • Establish data protection and encryption
  • Configure email and web browser protections
Phase 3Weeks 17-26

Advanced protection

  • Deploy network segmentation and monitoring
  • Implement incident response procedures
  • Establish security awareness training program
  • Configure malware defenses and backup systems
Phase 4Weeks 27-36

Maturity & optimization

  • Conduct penetration testing (IG3)
  • Review and optimize service provider management
  • Enhance application security practices
  • Establish continuous improvement cycle

CIS Benchmarks integration

Complement CIS Controls with specific configuration guidance for your technology stack

While CIS Controls define what to protect (18 security controls), CIS Benchmarks provide detailed configuration guides for how to secure specific systems. Together, they deliver comprehensive cybersecurity coverage from strategy to implementation.

CIS Controls

High-level security best practices and safeguards

CIS Benchmarks

Detailed configuration settings for specific technologies

Operating Systems

Secure configuration benchmarks for Windows, Linux, macOS and Unix systems

Examples

  • • Windows Server
  • • Ubuntu Linux
  • • macOS
  • • Red Hat Enterprise Linux

Cloud Platforms

Security configuration guidelines for major cloud service providers

Examples

  • • AWS Foundations
  • • Microsoft Azure
  • • Google Cloud Platform
  • • Oracle Cloud

Network Devices

Hardening standards for network infrastructure components

Examples

  • • Cisco IOS
  • • Palo Alto Networks
  • • Fortinet FortiGate
  • • Juniper Networks

Databases

Security benchmarks for database management systems

Examples

  • • Microsoft SQL Server
  • • Oracle Database
  • • MySQL
  • • PostgreSQL

Applications

Configuration standards for enterprise applications

Examples

  • • Microsoft 365
  • • Google Workspace
  • • Docker
  • • Kubernetes

Mobile Devices

Security baselines for mobile operating systems

Examples

  • • Apple iOS
  • • Google Android
  • • Mobile Device Management
Explore CIS Benchmarks
Policy templates

Complete security policy repository

Access ready-to-use security policy templates aligned with CIS Controls, NIST CSF and ISO 27001 requirements

Asset management

  • • Asset Inventory Policy
  • • Hardware Asset Management
  • • Software Asset Management
  • • Data Classification Policy
  • • Secure Configuration Standards
  • • Change Management Policy
  • + 4 more policies

Access & protection

  • • Account Management Policy
  • • Access Control Policy
  • • Multi-Factor Authentication
  • • Data Protection Policy
  • • Encryption Standards
  • • Vulnerability Management
  • + 5 more policies

Monitoring & response

  • • Audit Log Management
  • • Security Monitoring Policy
  • • Incident Response Plan
  • • Malware Defense Policy
  • • Data Backup & Recovery
  • • Security Awareness Training
  • + 3 more policies
Browse all policy templates

Frequently asked questions

Common questions about CIS Controls implementation

CIS Controls are voluntary best practices, but they're widely adopted as a security standard. Many cyber insurance providers require CIS Controls implementation, and they're referenced in regulatory frameworks like NIST CSF and PCI DSS. See the official CIS Controls v8 page for the complete framework.
Select IG1 (56 safeguards) if you're a small organization with limited IT resources. Choose IG2 (131 safeguards) if you have dedicated IT staff and moderate complexity. Implement IG3 (153 safeguards) if you have a dedicated security team or protect highly sensitive data. Most organizations start with IG1 and progress as their security maturity grows.
CIS Controls provide specific, actionable safeguards while NIST CSF offers a higher-level framework for organizing cybersecurity activities. The two complement each other: NIST CSF provides strategic structure (Identify, Protect, Detect, Respond, Recover) while CIS Controls offer tactical implementation steps. Many organizations use both together.
CIS Controls are high-level security best practices for what to protect (18 controls). CIS Benchmarks are detailed configuration guides for how to secure specific systems (Windows, AWS, Docker, etc.). Use CIS Controls to guide your overall security program and CIS Benchmarks to implement secure configurations for individual technologies.
CIS Controls v8 consolidated 20 controls into 18, refined 171 sub-controls into 153 safeguards, elevated data protection (now Control 3), enhanced supply chain risk management (Control 15), and updated guidance for cloud, mobile and IoT environments. The Implementation Group structure remained but with clearer guidance.
Timeline varies by Implementation Group. IG1 typically takes 3-6 months for basic implementation, IG2 requires 6-12 months with dedicated IT resources, and IG3 can take 12-18 months for comprehensive deployment. Start with IG1 essentials and build incrementally rather than attempting full implementation at once.
Yes, many cyber insurance providers require or strongly recommend CIS Controls implementation. Insurers often ask specific questions about controls like multi-factor authentication (Control 6), data backup (Control 11), incident response (Control 17) and vulnerability management (Control 7). Documented CIS Controls compliance can reduce premiums and improve coverage.
Absolutely. CIS Controls v8 specifically designed IG1 (56 safeguards) for small organizations with limited IT resources. IG1 focuses on essential cyber hygiene like asset inventory, secure configurations, access control and basic monitoring. These foundational controls provide significant security improvement without requiring large security teams or budgets.
CIS Controls v8 includes ransomware-specific guidance across multiple controls: Control 11 (data backup and recovery), Control 10 (malware defenses), Control 7 (vulnerability management), Control 9 (email protections) and Control 17 (incident response). Together, these controls establish defense-in-depth against ransomware attacks and ensure recovery capabilities.
Maintain asset inventories (Controls 1-2), security policies and procedures (Control 1), configuration standards (Control 4), access control records (Controls 5-6), vulnerability scan results (Control 7), audit logs (Control 8), backup verification (Control 11) and incident response plans (Control 17). Documentation demonstrates control implementation for audits and insurance reviews.
CIS Controls v8 updated multiple controls for cloud adoption. Control 1 includes cloud assets, Control 3 addresses cloud data protection, Control 15 covers cloud service providers, and specific safeguards address cloud configuration, access management and monitoring. Use CIS Cloud Benchmarks (AWS, Azure, GCP) alongside CIS Controls for comprehensive cloud security.
Yes, VerifyWise maps its governance controls to CIS Controls requirements. Our platform helps you track asset inventories, conduct vulnerability assessments, manage access controls, maintain audit logs and generate compliance reports. We provide implementation guidance for each safeguard and support crosswalks to other frameworks like NIST CSF and ISO 27001.

Ready to implement CIS Controls?

Start your cybersecurity journey with our guided assessment and implementation tools.

Start security assessmentSchedule consultation
CIS Controls v8: all 18 controls, 153 safeguards, and IG1-IG3 explained