CIS Critical Security Controls: How to Implement v8.1 & Why [+ Checklist]
Organizations today face a variety of threats, which can make cybersecurity seem daunting. How can they protect against so many types of cyber attacks with limited resources?
The CIS Critical Security Controls® (CIS Controls®) are meant to help organizations address this specific challenge. The CIS Controls are a prioritized set of actions that organizations can take to help defend themselves and their data against common cyber attack vectors.
Let’s take a closer look at what these Controls are, why your organization should implement them, and how.
What are the CIS Controls?
The CIS Controls are a set of best practices for cybersecurity developed by the Center for Internet Security, Inc. (CIS®). These Controls aim to help organizations identify, manage, and mitigate the most prevalent cyber threats against systems and networks. They are designed to be comprehensive enough to protect and defend cybersecurity programs for any size enterprise but also prescriptive enough to ease implementation.
Each CIS Control is broken down into CIS Safeguards, or measurable actions. Each Safeguard describes an action that organizations can take to help defend against common cyber attacks, including malware, ransomware, web application attacks, insider threats and misuse, and targeted intrusions, among others.
The CIS Controls are continuously updated as part of CIS's ongoing commitment to ensuring that organizations remain resilient against rapidly changing cyber threats. Let’s take a look at the latest iteration below.
CIS Controls v8.1
CIS Controls v8.1 represents the latest evolution in cybersecurity standards to improve an enterprise's cybersecurity posture. Released in June 2024, this latest iteration addresses the increasing complexities and vulnerabilities in today's cyber landscape by incorporating new asset classes and introducing a governance security function.
CIS Controls v8.1 is an iterative update to version 8.0, refining and enhancing the Controls to better address current cybersecurity challenges. Below are the key aspects and improvements introduced in CIS Controls v8.1:
- Revised asset classes and CIS Safeguard descriptions: Version 8.1 adds Documentation as an asset class, bringing the total to six. These six — Devices, Software, Data, User, Network, Documentation — better match the specific domains of an enterprise's environment that CIS Controls apply to. As a result of this addition and other minor revisions to the asset classes, some Safeguard descriptions were also updated for greater detail, practicality, and/or clarity.
- Included new and expanded glossary definitions for certain terms used throughout the Controls: As a result of the new and revised asset classes and Safeguard descriptions, there are several new or updated glossary definitions in v8.1. New glossary terms include API, data, documentation, Internet of Things (IoT), network, plan, and sensitive data.
- Updated alignment to NIST CSF 2.0: Since they were first released, the CIS Controls have continuously been updated to align with evolving industry standards and frameworks. The recent release of NIST CSF 2.0 helped orchestrate this latest version of the Controls, which includes updated mappings and Safeguards that align with changes made in NIST CSF 2.0.
- The addition of a “Governance” security function: In v8.1, Governance is added as a security function, bringing the total to six. (The other five are Identify, Protect, Detect, Respond, Recover.) In this latest revision, governance topics are specifically identified as recommendations that can be implemented to enhance the governance of a cybersecurity program. This will help organizations better identify the governing pieces of the program in order to steer it toward achieving their enterprise goals and equip organizations with the evidence needed to demonstrate compliance.
Recommended reading
The NIST Cybersecurity Framework 2.0: What Is It & How to Comply [+ Checklist]
Why Implement the CIS Controls?
The CIS Controls aim to streamline the process of designing, implementing, measuring, and managing enterprise security. Below are some key reasons to implement the Controls.
1. Enhance your cybersecurity posture
CIS Controls provide a comprehensive framework for protecting against a wide range of cyber threats. By following these best practices, organizations can strengthen their defenses, reduce vulnerabilities, and enhance their overall security posture. The Controls cover essential areas such as data protection, access control management, and incident response, ensuring a holistic but simplified approach to cybersecurity.
2. Tailor your approach to cybersecurity
CIS Controls are designed to be scalable and flexible, making them suitable for organizations of all sizes and industries. Version 8.1 contains 18 Controls and 153 Safeguards, which are categorized into three Implementation Groups (IGs). IGs are self-assessed categories based on the organization's risk profile and available resources. This categorization allows organizations to adopt a tailored and prioritized approach, implementing Controls that are appropriate for their specific needs and capabilities rather than requiring them to implement all 18 Controls and 153 Safeguards at once.
3. Allocate your resources efficiently
The CIS Controls are designed to prioritize the most critical security actions, making it easier for organizations to focus their efforts where they matter most. This prioritization helps in allocating resources efficiently, addressing the most significant risks first, and achieving meaningful security improvements without overwhelming the organization with too many simultaneous tasks.
4. Continuously improve over time
CIS Controls emphasize continuous monitoring, measurement, and improvement of security practices. By regularly assessing the effectiveness of the Controls you implement and updating them as needed, organizations can stay ahead of emerging threats and maintain a robust cybersecurity posture over time. This proactive approach helps in adapting to the evolving cyber threat landscape and ensures long-term resilience.
5. Manage security cost-effectively
By addressing the most critical vulnerabilities and improving incident response capabilities, the CIS Controls can help organizations minimize the likelihood and financial and operational impact of cyber attacks. Additionally, the prioritized nature of the Controls ensures that resources are used efficiently, providing maximum security benefits with optimal investment.
6. Demonstrate a reasonable level of security
In the United States, there is no national, statutory, cross-sector minimum standard for information security. Instead, multiple U.S. states require organizations to implement a “reasonable” level of security. While there are multiple ways to do this, several of these state laws and regulations specifically mention the CIS Controls as a way of demonstrating a reasonable level of security.
7. Simplify multi-framework compliance
The CIS Controls don’t just include foundational security measures that any organization can use to achieve essential cyber hygiene and protect themselves against a cyber attack. They also map to and are referenced by multiple legal, regulatory, and policy frameworks, including PCI DSS, NIST CSF, NIST 800-171, NIST 800-53, HIPAA, GDPR, and ISO 27001. Implementing the Controls can help organizations achieve compliance with these standards and regulations, reducing duplicate work.
Why CIS Controls are preferred by IT service providers
The CIS Controls have become one of the most prominent frameworks that MSPs use for security due to the benefits above and other key reasons. Let's take a closer look at these reasons below.
- Comprehensive and actionable for any organization: The CIS Controls provide a comprehensive set of best practices for securing IT systems and data. These controls are designed to be actionable and can be implemented by organizations of all sizes.
- Prioritized controls: CIS Controls are prioritized, meaning that they guide organizations on which security measures to implement first based on their impact and ease of implementation. This helps MSPs focus on the most critical areas to improve security posture efficiently.
- Widely recognized and respected: The CIS Controls are widely recognized and respected within the cybersecurity community. This recognition helps MSPs build trust with their clients by adhering to a well-known and accepted security framework.
- Mapping to other frameworks: CIS Controls can be mapped to other major security frameworks and regulations such as NIST, ISO, and GDPR. This compatibility allows MSPs to align their security practices with various compliance requirements their clients might have.
- Regularly updated: The CIS Controls are regularly updated to address new and emerging threats. This ensures that MSPs using the framework can stay current with the latest security best practices.
- Ease of implementation: The CIS Controls are designed to be straightforward to implement, making it easier for MSPs to integrate them into their service offerings without excessive complexity or cost.
- Scalability: The framework is scalable, meaning it can be applied to small businesses as well as large enterprises. This flexibility allows MSPs to cater to a wide range of clients with varying security needs.
- Community and support: The CIS community provides resources, tools, and support for organizations implementing the controls. MSPs can leverage these resources to enhance their security offerings and ensure they are effectively protecting their clients.
Recommended reading
How to Build a Compliance Program that Meets Your Business Expansion Goals
CIS Controls List
Below is a high-level overview of the 18 CIS Controls in version 8.1. For a more detailed overview of the Controls and the Safeguards, asset types, and security functions within each Control.
Title | Description |
Inventory and Control of Enterprise Assets | Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. |
---|---|
Inventory and Control of Software Assets | Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. |
Data Protection | Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. |
Secure Configuration of Enterprise Assets and Software | Establish and maintain the secure configuration of enterprise assets and software. |
Account Management | Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. |
Access Control Management | Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. |
Continuous Vulnerability Management | Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. |
Audit Log Management | Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. |
Email and Web Browser Protections | Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. |
Malware Defenses | Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. |
Data Recovery | Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. |
Network Infrastructure Management | Establish, implement, and actively manage network devices, in order to prevent attackers from exploiting vulnerable network services and access points. |
Network Monitoring and Defense | Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base. |
Security Awareness and Skills Training | Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. |
Service Provider Management | Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. |
Application Software Security | Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. |
Incident Response Management | Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack. |
Penetration Testing | Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls and simulating the objectives and actions of an attacker. |
CIS Implementation Groups
First introduced in CIS v7.1, IGs are designed to help organizations with varying resources and risk exposure to implement the CIS Controls as well as to create and manage an effective cyber defense program.
Each IG identifies which of the 18 Controls and 153 Safeguards are reasonable to implement for an organization with a similar risk profile and resources. These are self-assessed categories. Meaning, organizations classify themselves to better focus their cybersecurity resources and expertise when implementing the CIS Controls.
Implementation Group 1
Suitable for organizations with limited IT and cybersecurity expertise, this IG focuses on essential cyber hygiene practices to protect against common threats.
IG1 enterprises will likely:
- Store and process low-sensitivity data, like employee and financial information
- Be an SMB with limited resources dedicated to protecting IT assets and personnel
- Have small or home office commercial off-the-shelf (COTS) hardware and software to defend against attacks
- Need to thwart general, non-targeted attacks
- Be primarily concerned with preventing downtime
Consisting of 15 Controls and 56 Safeguards, this set represents the minimum standard of information security for all enterprises. Since every enterprise should start with IG1 to guard against the most common cyber attacks, this group is considered the “on-ramp” to the CIS Controls.
Implementation Group 2
Suitable for organizations with increased operational complexity, this IG includes all the Controls and Safeguards identified in IG1 as well as three additional Controls and 74 additional Safeguards that address a wider range of threats and vulnerabilities.
IG2 enterprises will likely:
- Store and process sensitive client or enterprise information
- Have dedicated individuals who are responsible for managing and protecting IT infrastructure
- Need enterprise-grade technology and specialized expertise to properly install and configure some of the Safeguards
- Support multiple departments with different risk profiles and regulatory compliance burdens
- Be primarily concerned with preventing a data breach that could result in a loss of public confidence
In total, IG2 comprises all 18 Controls and 130 Safeguards.
Implementation Group 3
Designed for large enterprises with sophisticated IT environments and advanced cybersecurity capabilities, this IG comprises all Controls and Safeguards identified in IG1 and IG2 as well as 23 additional Safeguards that provide comprehensive protection against advanced persistent threats (APTs) and other high-level risks.
IG3 enterprises will likely:
- Store and process highly sensitive data that, if its confidentiality, integrity, and/or availability were comprised, would cause significant harm to public welfare
- Employ experts that specialize in different facets of cybersecurity, like risk management, penetration testing, and application security
- Contain sensitive information or functions that are subject to regulatory and compliance oversight
- Need to mitigate targeted and sophisticated attacks and reduce the impact of zero-day attacks
- Be primarily concerned with protecting the availability of services and the confidentiality and integrity of sensitive data in order to protect public welfare
In total, IG3 includes all 18 Controls and 153 Safeguards.
Recommended reading
Data Classification: Policy Examples + Template
How to Implement the CIS Controls
Implementing the CIS Controls can significantly enhance an organization’s cybersecurity posture. Here’s a detailed step-by-step guide on how to implement the Controls effectively.
1. Assess your current security posture
Before implementing the CIS Controls, conduct a thorough assessment to understand your current security posture and identify any gaps or weaknesses. This includes the following activities:
- Asset inventory: Document all hardware and software assets within the organization
- Risk assessment: Identify potential vulnerabilities and threats to these assets
- Gap analysis: Compare your current security measures against the CIS Controls to identify gaps
2. Select your Implementation Group
As mentioned above, CIS Controls v8.1 categorizes Controls into three IGs. These groups provide a scalable and flexible approach to implementing the Controls based on the organization’s risk profile and available resources.
Use the table below to determine which IG best matches your organization’s risk profile and available resources.
Implementation Group | Suitable for | Data sensitivity | Primary aim | Comprised of |
---|---|---|---|---|
IG 1 | All organizations, particularly SMBs with limited IT and cybersecurity expertise | Low | Thwart general, non-targeted attacks to prevent downtime | 15 CIS Controls and 56 Safeguards |
IG 2 | Organizations with increased operational complexity and a dedicated IT team | Medium | Defend IT infrastructure against a larger variety of threats to prevent breaches that would result in loss of public confidence | 18 CIS Controls and 130 Safeguards |
IG 3 | Organizations with high risk exposure and a team of specialized cybersecurity experts | High | Mitigate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks in order to protect public welfare | 18 CIS Controls and 153 Safeguards |
3. Prioritize implementing the most critical Controls
Focus on implementing the most critical Controls in your IG first based on your risk profile. Prioritization can be guided by the following two factors:
- Business impact: Controls that protect high-value assets or critical business functions should be prioritized
- Threat landscape: Implement Controls that address the most relevant and current threats to your organization
4. Develop an implementation plan
Create a detailed plan that outlines the steps, resources, and timeline for implementing all the Controls identified in your IG. This plan should include:
- Roles, responsibilities, and assigned tasks
- Tools, technologies, and training needed
- Realistic milestones and deadlines for each stage of implementation
5. Implement the Controls
Now it’s time to execute your implementation plan. This involves:
- Configuring systems, installing tools, and applying security settings as per the CIS Controls
- Updating policies and procedures to align with the Controls
- Educating staff about the new Controls and their roles in maintaining cybersecurity
- Defining roles and procedures for handling incidents and returning operations to normal as quickly as possible
- Performing penetration tests to test the strength of your company’s defenses
6. Monitor and measure your progress
Continuously monitor the implementation process and measure the effectiveness of the Controls. This can be done through:
- Regular assessments: Conducting periodic reviews to ensure the Controls are in place and functioning correctly
- KPIs: Using key performance indicators (KPIs) to track progress and identify areas for improvement
- Incident tracking: Monitoring security incidents to evaluate the impact of implemented Controls
- Penetration testing: Simulate cyber attacks on your systems to discover areas your organization can improve its information security
CIS Controls Implementation Checklist
This checklist provides a structured approach to begin implementing all 18 Controls in CIS Controls v8.1, ensuring that your organization covers essential areas of cybersecurity. Depending on your Implementation Group, you may not need to implement them all.
CIS Controls Implementation Checklist
Follow this structured approach to begin implementing all 18 Controls in CIS Controls v8.1, ensuring that your organization covers essential areas of cybersecurity.
How the CIS Controls Fit into a Cybersecurity Program
Since the CIS Controls include foundational security measures for strengthening an organization’s cybersecurity posture, they can be a great starting point for any cybersecurity program.
Many of these foundational security measures can also help you meet requirements in other information security frameworks, helping to reduce duplicate work and speed up time-to-compliance for multiple frameworks.
Using the CIS Critical Security Controls Navigator, you can see how the CIS Controls are mapped to and referenced by multiple legal, regulatory, and policy frameworks, including but not limited to:
- Azure Security Benchmark
- CMMC v2.0
- Criminal Justice Information Services (CJIS)
- CSA Cloud Controls Matrix
- Cyber Essentials v2.2
- HIPAA
- ISACA COBIT 19
- ISO/IEC 27002:2002
- MITRE Enterprise ATT&CK v8.2
- NIST 800-171
- NIST 800-53
- NIST CSF 2.0
- NYDFS Part 500
- PCI DSS v4.0
- SOC 2
When using a compliance automation platform like Secureframe, this mapping is done automatically in-platform once you add another framework to your instance. This not only saves time and reduces the potential for human error — it also provides immediate visibility into how far along in the compliance process you already are with any additional frameworks and exactly what gaps you need to fill to become compliant.
A managed service provider can also help integrate the CIS Controls into a broader security program or framework when necessary.
Recommended reading
Control Mapping: What It Is & How It Can Help Simplify Your Compliance Efforts
How Secureframe can Simplify CIS Controls Implementation and Compliance with Other Frameworks
As a CIS SecureSuite® Product Vendor Member, we’ve integrated the CIS Controls content into our platform to further empower organizations and service partners to enhance their security posture and build comprehensive security programs for themselves and/or their customers.
Whether your organization is implementing the CIS Controls itself or working with a managed service provider, Secureframe can help simplify and speed up the process.
With Secureframe, you can:
- Automate evidence collection to eliminate manual tasks like taking screenshots and organizing documentation
- Continuously monitor your tech stack and cloud services to ensure compliance and flag nonconformities
- Deliver and track employee training
- Simplify vendor and personnel management
- Use auditor-approved policy templates to save time spent on policy creation
- Stay current with the latest version of the CIS Controls and other frameworks
- Map Controls and tests you put in place for CIS compliance to other frameworks to speed up time-to-compliance and reduce duplicate work
If you’re a managed service provider, you can use Secureframe’s powerful automation and AI capabilities to revolutionize how you manage security and compliance for your clients.
To see why 97% of users reported strengthening their security and compliance posture with Secureframe, request a demo today. Or if you’re looking to become a Secureframe partner, sign up here.
Compliance Automation Platform Buyer’s Guide
Learn how a compliance automation platform can help streamline and scale your security and compliance efforts, then use a scorecard to fast-track the vendor evaluation process.
FAQs
What are the CIS Controls?
The CIS Controls are a set of 18 best practices for cybersecurity developed by the Center for Internet Security (CIS) to help organizations of all sizes mitigate the most common cyber threats.
What does CIS Controls stand for?
CIS Controls stands for the Center for Internet Security Critical Security Controls.
How many CIS Controls are there?
As of CIS Controls v8.1, there are 18 Controls.
How many CIS Safeguards are there?
There are 153 Safeguards in CIS Controls v8.1.
Why do organizations implement the CIS Controls?
Implementing the CIS Critical Security Controls can greatly strengthen an organization’s cybersecurity posture. By understanding and adopting this set of prescriptive best practices, an organization can build a robust cybersecurity foundation that protects them from common cyber attacks and evolves with the changing digital and threat landscape.