CIS Critical Security Controls are the most pragmatic security framework in active use — a prioritised, action-oriented set of cybersecurity safeguards maintained by the Center for Internet Security since 2008. Where ISO 27001 is a certifiable management system and NIST PF is an analytical risk methodology, CIS Controls answer a different question: given the attacks happening right now, what should we actually do? The current version 8.1 (released June 2024) contains 18 Controls broken into 153 Safeguards, organised into three Implementation Groups, mapped to MITRE ATT&CK, and aligned to NIST CSF 2.0. It is voluntary, free, and increasingly the working baseline for organisations that need defensible security without certification overhead.
The cleanest way to understand CIS Controls is as a question-and-answer pair. Every other major security framework asks "how should you build a security program" — CIS asks something more pointed: "given what attackers are actually doing, what should you do today." The answer is a concrete, prioritised list of safeguards mapped to real-world attack data through MITRE ATT&CK. Voluntary, free, evidence-based — and increasingly the security baseline organisations adopt when ISO 27001 certification is too expensive, NIST PF is too analytical, and the reality is "we just need to know what to do."
CIS Controls answer the practitioner's most basic security question. Not "what good looks like in principle" — but "what do we actually need to be doing today, given the attacks happening right now."
A consensus-driven catalogue of the most effective security activities, organised by what they protect against rather than what they protect. Activity-centric — designed for cloud, hybrid, and remote-first environments.
Version 8 consolidated the previous 20 controls down to 18, restructured around activities rather than device categories. The shift directly addressed cloud, hybrid, and remote-work environments where device-centric thinking had stopped working. Each control covers a distinct activity domain — inventory, protection, detection, response, recovery, governance — and contains its own set of Safeguards calibrated by Implementation Group. The list below shows every Control with the IG levels at which it applies.
- CIS 01 Inventory and Control of Enterprise Assets (IG1 to IG3): Active management of every device connected to the enterprise: endpoints, servers, IoT, cloud instances, virtual machines. The starting work that everything else depends on.
- CIS 02 Inventory and Control of Software Assets (IG1 to IG3): Active management of all software running in the enterprise, whether installed, authorised or unauthorised. Software inventory and approval discipline.
- CIS 03 Data Protection (IG1 to IG3): Identification, classification, secure handling, retention and disposal of data. The privacy-adjacent control that underwrites GDPR Art. 32, KSA PDPL Art. 19, UAE PDPL Arts. 19-20.
- CIS 04 Secure Configuration of Enterprise Assets and Software (IG1 to IG3): Establishing and maintaining secure configuration of hardware and software. The hardening discipline. CIS Benchmarks pair directly with this control.
- CIS 05 Account Management (IG1 to IG3): User accounts, service accounts, admin accounts: inventory, classification, lifecycle. Where most breaches actually start.
- CIS 06 Access Control Management (IG1 to IG3): Granting, modifying, removing access rights. RBAC, MFA, privileged access management. The operational arm of identity-and-access governance.
- CIS 07 Continuous Vulnerability Management (IG1 to IG3): Continuously identifying, assessing, prioritising and remediating vulnerabilities. Scanning cadence, patch SLAs, exposure reduction.
- CIS 08 Audit Log Management (IG1 to IG3): Collection, retention, review and analysis of audit logs. Forensic readiness. The capability that turns "we got breached" into "we know what happened."
- CIS 09 Email and Web Browser Protections (IG1 to IG3): The two highest-volume attack surfaces in modern organisations. Email gateway controls, browser hardening, attachment scanning, URL filtering.
- CIS 10 Malware Defenses (IG1 to IG3): Anti-malware, EDR, behaviour-based detection across endpoints and servers. The detection layer for known and emerging malicious code.
- CIS 11 Data Recovery (IG1 to IG3): Backup, recovery, ransomware-resistant data protection. The capability that determines whether an incident is recoverable or business-ending.
- CIS 12 Network Infrastructure Management (IG1 to IG3): Secure design, configuration, and operation of network infrastructure. Segmentation, access control, secure remote access architecture.
- CIS 13 Network Monitoring and Defense (IG2 and IG3): Network-level traffic analysis, intrusion detection, traffic flow analysis. SOC operations and SIEM workflows. From IG2 onwards.
- CIS 14 Security Awareness and Skills Training (IG1 to IG3): Awareness programmes, role-specific training, phishing simulations. The human-factor controls that statistically prevent the most common attacks.
- CIS 15 Service Provider Management (IG1 to IG3): Third-party risk discipline. Vendor inventory, security assessment, contractual obligations, ongoing monitoring. Where supply-chain compromises live.
- CIS 16 Application Software Security (IG2 and IG3): Secure software development lifecycle. SAST, DAST, secrets management, dependency security. The DevSecOps domain. From IG2 onwards.
- CIS 17 Incident Response Management (IG1 to IG3): IR plan, playbooks, defined roles, communication protocols, exercise cadence. The capability that turns a security event into a managed outcome.
- CIS 18 Penetration Testing (IG2 and IG3): Validation of controls through simulated attack. External, internal, social engineering tests. The reality check on whether controls actually work. From IG2 onwards.
CIS 03 (Data Protection) is where this framework lands closest to privacy work. For organisations where CIS Controls are the security baseline and a privacy program needs underwriting, Control 03's Safeguards — data classification, encryption, retention, secure disposal — directly underwrite GDPR Art. 32, KSA PDPL Art. 19, UAE PDPL Arts. 19-20, DPDP s.8(5). The rest of the catalogue underwrites the operational security obligations these regimes impose without naming.
The Implementation Groups solve the framework's hardest problem: how to make the same set of Safeguards work for both a fifty-person SMB and a Fortune 500 enterprise. The answer is a nested subset model — IG1 contains the 56 essential safeguards every organisation should implement; IG2 adds another set for organisations with more resources and exposure; IG3 contains the full 153 Safeguards for the largest and most complex organisations. The relationship is strictly cumulative: IG2 includes everything in IG1, IG3 includes everything in IG2.
- IG1 (56 Safeguards; the foundation for IG2 and IG3): The minimum viable security baseline. Covers the controls that prevent the most common, opportunistic attacks. Limited IT/security staff, modest budgets, lower-sensitivity data. The starting point for any organisation taking security seriously for the first time.
- IG2 (all 56 IG1 Safeguards plus 74 IG2-specific): Builds on IG1 with controls that defend against more sophisticated, targeted attacks. Dedicated IT and security staff, structured governance, exposure to regulated data or critical operations. Most enterprise security programs land here as their target state.
- IG3 (all 153 Safeguards): The full catalogue. Builds on IG2 with controls for organisations facing sophisticated, persistent, well-resourced adversaries. Critical infrastructure, defence, financial services at scale, government entities. Where comprehensive coverage is non-negotiable.

Most organisations target IG2. IG1 is too thin for organisations holding regulated data; IG3 is more than most need. The pragmatic posture for enterprise security work is "comprehensive IG1, substantial IG2, selective IG3": implement every Safeguard at IG1, most at IG2, and the IG3 Safeguards relevant to specific exposures. The Implementation Groups are not certification levels; they are scoping guidance. An organisation can claim "we implement Safeguards through IG2" without any third-party validation, but defensible claims require evidence of operating effectiveness.
CIS Controls v8.1 — released June 2024 — is an iterative update to v8.0 rather than a structural redesign. The substantive change: alignment with NIST Cybersecurity Framework 2.0, which had been released in February 2024 with its new Govern function. CIS added 25 new Govern-function safeguards across the Controls, introduced a new Documentation asset class, and expanded glossary definitions for terms like "plan," "process," and "sensitive data." The structural shape is unchanged; the governance discipline is sharpened.
The single most material change in v8.1 is the introduction of governance as a security function, mirroring NIST CSF 2.0's structural addition. Twenty-five new Safeguards across the existing 18 Controls now address policies, procedures, decision-rights, and accountability infrastructure. For organisations that had been running v8.0 with strong technical controls but loose governance, this is the gap-closing update. v8.1 also adds a new Documentation asset class covering plans, policies, and procedures, making governance artefacts inventoriable and auditable.
For organisations on v8.0, the transition to v8.1 is straightforward. Most existing technical controls map across unchanged; the work concentrates on building the governance overlay — written policies, decision-right documentation, defined accountability, periodic review cadence. Organisations starting fresh in 2026 should implement to v8.1 directly. CIS does not enforce a transition deadline (unlike ISO transitions); v8.0 references remain valid but increasingly look outdated against vendor and customer expectations.
The most underrated value of CIS Controls is mapping leverage. Implementing the 153 Safeguards produces evidence usable across multiple compliance regimes simultaneously — ISO 27001, NIST CSF 2.0, HIPAA, PCI DSS, SOC 2, CMMC, even GDPR Article 32. CIS publishes official mapping documents that translate Safeguards directly into the language of each target framework. For organisations facing multiple compliance regimes, this is often more valuable than the security work itself: one implementation, many regulatory audiences.
| Target framework | Owner | What it is | Relationship | CIS Controls coverage |
|---|---|---|---|---|
| NIST CSF 2.0 | National Institute of Standards & Technology, USA | Voluntary cybersecurity framework. Six Functions: Govern, Identify, Protect, Detect, Respond, Recover. v8.1 explicitly aligned to CSF 2.0. | Full alignment | CIS Safeguards map directly to CSF Subcategories. The most natural pairing: implementing CIS Controls automatically produces CSF Profile evidence. |
| ISO/IEC 27001:2022 | International Organization for Standardization | Certifiable Information Security Management System. 93 Annex A controls in 4 themes. The international gold standard. | Complementary | CIS Safeguards substantially cover ISO Annex A controls. CIS work feeds Statement of Applicability decisions; it does not replace the certification audit. |
| PCI DSS v4.0 | PCI Security Standards Council | Mandatory for organisations handling payment card data. Twelve high-level requirements with detailed sub-requirements. | Full alignment | CIS Safeguards cover most PCI DSS requirements. CIS work produces evidence usable for PCI DSS attestation; payment-handling organisations frequently use CIS as the operational backbone. |
| HIPAA Security Rule | US Department of Health & Human Services | Mandatory for US healthcare entities and their business associates. Administrative, physical, and technical safeguards. | Full alignment | CIS Safeguards cover HIPAA Security Rule technical and administrative safeguards. Physical safeguards require additional implementation specific to physical infrastructure. |
| SOC 2 Trust Services Criteria | AICPA, USA | Audit-report-based attestation focused on Security, Availability, Processing Integrity, Confidentiality, Privacy. | Full alignment | CIS Safeguards substantially cover the Security TSC plus large parts of Availability and Confidentiality. CIS work produces the operational evidence SOC 2 audits look for. |
| CMMC 2.0 | US Department of Defense | Cybersecurity Maturity Model Certification. Mandatory for US Defense Industrial Base contractors. | Full alignment | CIS Controls v8.1 IG2 substantially aligns with CMMC Level 2. For contractors in the US Defense supply chain, CIS is often used as the foundation for CMMC implementation. |
| GDPR Art. 32 · KSA PDPL Art. 19 · UAE PDPL Arts. 19-20 | EU · KSA SDAIA · UAE PDPL Office | "Appropriate technical and organisational measures" requirements imposed by major privacy regulations. | Complementary | CIS Safeguards underwrite the security obligations these regulations impose. Evidence accepted by privacy regulators looking for substantive security posture. Does not address substantive privacy obligations like consent, DSR, transparency. |
| MITRE ATT&CK | MITRE Corporation | Knowledge base of adversary tactics, techniques, and procedures observed in real-world attacks. | Threat-mapped | CIS Safeguards are mapped to MITRE ATT&CK techniques. Provides defensible "we defend against X technique" answers. This mapping is the empirical foundation of the entire CIS approach. |
For multi-regulatory organisations, the CIS-as-baseline pattern often produces 60-80% of compliance evidence with one implementation. The remaining 20-40% is regulation-specific work — privacy obligations under GDPR / PDPL beyond Article 32, payment data handling beyond PCI's technical scope, healthcare-specific obligations beyond HIPAA's Security Rule. The leverage is real but bounded; CIS Controls is the security baseline, not a complete compliance solution.
CIS Controls work is fundamentally implementation work — building, operating, and demonstrating effectiveness of specific Safeguards. Most engagements split into IG-targeting (which IG to land), gap analysis (where current state is against that target), implementation (closing gaps), and ongoing measurement (proving it's working). The absence of certification audit means the back end is lighter than ISO 27001; the front-end implementation work is comparable in scope.
Determination of target Implementation Group based on organisational size, sensitivity of data, attack surface, regulatory exposure. The strategic decision that shapes scope of all subsequent work.
Comprehensive enterprise asset inventory across the seven asset classes — devices, users, applications, data, networks, software, documentation. The substantive precondition for everything downstream.
Per-Safeguard assessment against current state. Maturity scoring, gap inventory, remediation prioritisation by attack-frequency risk. The map that turns into the implementation roadmap.
The substantive work — implementing the Safeguards required by the target IG. Engineering, operations, HR, governance involvement depending on Safeguard mix. The largest workstream.
v8.1's 25 new Govern Safeguards. Policy framework, decision rights, accountability documentation, review cadence. The governance overlay that v8.0 organisations frequently lack.
Production of evidence packs for the target compliance regimes — ISO 27001 SoA, NIST CSF Profile, PCI DSS attestation evidence, SOC 2 control documentation. The leverage moment.
Validation of Safeguards against MITRE ATT&CK techniques. Attack-path coverage analysis. "We defend against X tactic" defensible mapping. The empirical layer that justifies the investment.
Per-Safeguard measurement methodology. Operational metrics, control effectiveness scoring, drift monitoring. The discipline that distinguishes "we implemented" from "it actually works."
CIS Control 18 (Penetration Testing) requirements for IG2/IG3. External, internal, social engineering test scope, vendor selection, finding remediation discipline.
CIS Control 15 implementation. Vendor inventory, security assessment, contractual obligations, ongoing monitoring. The supply-chain risk discipline particularly important for cloud-heavy organisations.
Annual reassessment of Safeguard implementation, IG-coverage tracking, drift identification, refresh against latest CIS Controls version. The maintenance discipline that keeps the implementation current as attacks evolve.
CIS Controls work is delivered through one of three engagement shapes — typically lighter than ISO 27001 builds because there is no certification audit at the back end, but with comparable front-end implementation effort. CIS engagements often run as "the security baseline" for organisations that subsequently pursue ISO 27001 certification, NIST CSF Profile development, or SOC 2 attestation; the Safeguard implementation produces the operational evidence the certification frameworks need.
For organisations needing structured assessment against CIS Controls v8.1. Per-Safeguard diagnostic, IG-coverage scoring, prioritised remediation roadmap. Most common entry point for organisations evaluating CIS as their security baseline.
For organisations building CIS-aligned security from scratch or remediating substantial gaps. End-to-end Safeguard implementation, Govern function build, multi-framework evidence production, MITRE ATT&CK validation. Often delivered ahead of ISO 27001 / SOC 2 / NIST CSF Profile work.
For organisations with established CIS implementations needing senior backup on harder questions — annual review cycles, version transitions, framework integration with ISO 27001 / NIST CSF / SOC 2, board reporting on Safeguard effectiveness, novel threat-pattern coverage analysis.
Common questions on CIS Controls in early 2026 — particularly from organisations evaluating CIS against ISO 27001, organisations with multi-framework compliance obligations looking for leverage, and organisations needing to understand how the v8.1 Govern update affects their existing implementation.
CIS Controls is the framework for organisations that want to actually do the security work, not just claim to have done it. A 30-minute scoping call costs nothing: we will tell you honestly which Implementation Group fits your situation, what the realistic gap-to-target looks like, and whether CIS as a baseline plus ISO 27701 / 27001 as the certified overlay is the right pattern for you.