The CIS Critical Security Controls provide 18 prioritized safeguards to protect organizations from cyber threats. Whether you're implementing IG1 essentials or IG3 advanced protections, we help you build effective cybersecurity defenses with clear actions and evidence.
The CIS Critical Security Controls (CIS Controls) are a prioritized set of actions developed by the Center for Internet Security to protect organizations from known cyber attack vectors. Version 8 includes 18 controls with 153 safeguards organized into three Implementation Groups.
Why this matters: CIS Controls are built from real-world attack patterns and defense strategies. They're vendor-agnostic, actionable and widely recognized by cyber insurance providers and auditors as evidence of security due diligence.
- Focus on highest-impact defenses first
- Specific technical safeguards to implement

- Small to medium businesses: organizations seeking essential cyber hygiene with IG1
- Enterprise organizations: companies with IT departments implementing IG2 or IG3
- Critical infrastructure: organizations protecting essential services and systems
- Regulated industries: financial services and healthcare organizations meeting compliance requirements
- Managed service providers: MSPs implementing CIS Controls for clients
- Government agencies: public sector organizations securing sensitive data
Concrete capabilities that address implementation across all safeguards
Maintain comprehensive inventories of hardware, software and data assets with automated discovery. The platform tracks all devices, applications and sensitive information across your environment, addressing CIS Controls 1 and 2 requirements.
Addresses: Controls 1, 2: Inventory and control of enterprise assets
Identify, track and remediate security vulnerabilities across systems. The platform monitors patch status, prioritizes critical updates and maintains audit trails for vulnerability management aligned with Control 7.
Addresses: Control 7: Continuous vulnerability management
Manage user accounts, privileges and authentication policies. The platform enforces least privilege principles, tracks account lifecycle and monitors privileged access in line with Controls 5 and 6.
Addresses: Controls 5, 6: Account and access control management
Collect, analyze and retain security logs from critical systems. The platform centralizes log management, enables threat detection and maintains evidence for incident investigation per Controls 8 and 13.
Addresses: Controls 8, 13: Audit log management and network monitoring
Manage security incidents with structured workflows and recovery procedures. The platform documents incident handling, tracks remediation and enables post-incident analysis aligned with Control 17.
Addresses: Control 17: Incident response management
Maintain security policies, standards and compliance evidence. The platform provides templates for CIS-aligned policies, tracks control implementation and generates reports for audits per Control 1.
Addresses: Control 1: Security program and policy management
All security activities are tracked with timestamps, assigned owners and approval workflows. This audit trail demonstrates systematic control implementation for cyber insurance reviews and compliance audits.
VerifyWise provides dedicated tooling for all 153 safeguards across three Implementation Groups
- Automated discovery and management for Controls 1-2
- Continuous scanning and patch tracking for Control 7
- Evidence packages for cyber insurance applications
- Crosswalk to NIST CSF, ISO 27001 and SOC 2
Prioritized safeguards to defend against known cyber attack vectors
1. Actively manage all enterprise assets connected to the infrastructure, ensuring only authorized devices can access the network.
2. Actively manage all software on the network so that only authorized software is installed and can execute.
3. Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.
4. Establish and maintain secure configurations for enterprise assets and software.
5. Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts.
6. Use processes and tools to create, assign, manage and revoke access credentials and privileges for user, administrator and service accounts.
7. Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure.
8. Collect, alert, review and retain audit logs of events that could help detect, understand or recover from an attack.
9. Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior.
10. Prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets.
11. Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
12. Establish, implement and actively manage the security configuration of network infrastructure, including network security controls.
13. Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats.
14. Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious.
15. Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms.
16. Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses.
17. Establish a program to develop and maintain an incident response capability to discover, contain and recover from attacks.
18. Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.
Choose the right safeguards for your organization's resources and risk profile
IG1 (56 safeguards): Essential cyber hygiene for all organizations
- Target audience: small to medium organizations with limited cybersecurity expertise and resources
- Includes: Controls 1-11, 14, 17

IG2 (131 safeguards): Organizations with IT staff and resources
- Target audience: organizations managing multiple departments, systems or locations with dedicated IT resources
- Includes: all IG1 controls + Controls 12, 13, 15, 16

IG3 (153 safeguards): Organizations with dedicated security teams
- Target audience: organizations with significant cybersecurity expertise, protecting sensitive data or critical infrastructure
- Includes: all IG1 + IG2 controls + Control 18
Key improvements and changes in the latest version
| Aspect | v7.1 | v8 | Change |
|---|---|---|---|
| Total controls | 20 Controls | 18 Controls (consolidated) | Streamlined |
| Safeguards | 171 Sub-Controls | 153 Safeguards | Refined and prioritized |
| Implementation Groups | 3 IGs (IG1, IG2, IG3) | 3 IGs maintained | Clarified guidance |
| Asset types | Focus on traditional IT | Includes cloud, mobile, IoT | Modernized coverage |
| Data protection | Control 13 | Control 3 (elevated priority) | Higher emphasis |
| Supply chain | Limited guidance | Control 15 (enhanced) | Expanded scope |
| Threat focus | General threats | Ransomware and modern attacks | Updated priorities |
| Metrics | Basic measurement | Enhanced measurement guidance | Improved tracking |
Migration tip: Organizations on v7.1 should prioritize updated controls like Control 3 (Data Protection), Control 15 (Service Provider Management) and modernized asset inventory for cloud and mobile environments.
A practical path to CIS Controls adoption with clear milestones
Complement CIS Controls with specific configuration guidance for your technology stack
While CIS Controls define what to protect (18 security controls), CIS Benchmarks provide detailed configuration guides for how to secure specific systems. Together, they deliver comprehensive cybersecurity coverage from strategy to implementation.
- CIS Controls: high-level security best practices and safeguards
- CIS Benchmarks: detailed configuration settings for specific technologies
- Operating systems: secure configuration benchmarks for Windows, Linux, macOS and Unix systems
- Cloud providers: security configuration guidelines for major cloud service providers
- Network devices: hardening standards for network infrastructure components
- Databases: security benchmarks for database management systems
- Applications: configuration standards for enterprise applications
- Mobile: security baselines for mobile operating systems
Access ready-to-use security policy templates aligned with CIS Controls, NIST CSF and ISO 27001 requirements
Common questions about CIS Controls implementation
Start your cybersecurity journey with our guided assessment and implementation tools.