openskills.info
CIS Controls logo

CIS Controls

itCybersecurity fundamentals and governance

CIS Controls

The CIS Critical Security Controls turn a broad goal into a prioritized set of defensive actions. The broad goal is reducing exposure to common cyber attacks. The actions tell you what capabilities to establish, maintain, and check.

CIS Controls version 8.1 contains 18 Controls and 153 Safeguards. A Control describes a defensive outcome, such as managing enterprise assets or recovering data. A Safeguard defines a specific action that supports that outcome.

This structure matters because a security program can collect policies and tools without reducing much risk. The CIS Controls give you a shared list of outcomes and actions. You can use that list to find gaps, set priorities, assign owners, and track evidence.

The mental model

Think in four layers:

business context and risk
          ↓
Implementation Group
          ↓
Controls → Safeguards
          ↓
owners, procedures, technology, evidence, review

Your business context shapes the right starting scope. An Implementation Group, or IG, selects a prioritized set of Safeguards. The Controls organize those Safeguards by defensive outcome. Your organization then turns each selected Safeguard into operating work.

The last layer prevents a common failure. Selecting a Safeguard is not the same as implementing it. Implementation needs an owner, a repeatable procedure, suitable technology, and evidence that the action occurs. It also needs review because systems, threats, and business goals change.

Controls and Safeguards

The 18 Controls cover the main parts of a cyber defense program:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

The number does not describe a maturity score. It identifies a Control. The practical work lives in its Safeguards.

For example, Control 1 covers enterprise assets. Its Safeguards include maintaining a detailed asset inventory and addressing unauthorized assets. Control 6 covers access. Its Safeguards include documented access-granting and access-revoking processes, plus multifactor authentication for several access paths.

The distinction helps you communicate at two levels. Leaders can discuss Control-level outcomes. Implementers can work from Safeguard-level requirements and evidence.

Start with an Implementation Group

CIS divides the Safeguards into three Implementation Groups. The groups reflect an enterprise's risk profile and available resources.

IG1 is the starting point for every enterprise. CIS calls it essential cyber hygiene. It focuses on foundational defenses against common attacks.

IG2 includes IG1 and adds Safeguards for enterprises with greater operational complexity or risk. These enterprises often manage sensitive data and have people responsible for security.

IG3 includes IG1 and IG2, then adds the remaining Safeguards. It fits enterprises facing more sophisticated threats or consequences.

The groups are cumulative. You do not finish IG1 and discard it when you move to IG2. You keep the earlier Safeguards operating while you add the next set.

An IG is a prioritization aid, not a substitute for risk analysis. Laws, contracts, architecture, and current threats may require a Safeguard outside your selected IG. Use the group as a defensible baseline, then adjust it with documented reasons.

A practical implementation loop

Use this loop for a first assessment or a program refresh:

  1. Choose the working version. Use version 8.1 for new work unless a binding requirement specifies another version.
  2. Select an initial IG. Begin with IG1, then document the factors that justify additional Safeguards.
  3. Define the scope. State which business units, systems, data, and service providers the assessment covers.
  4. Assess each selected Safeguard. Compare the required action with current practice and evidence.
  5. Record gaps and risk. Separate absent capability from weak coverage, stale evidence, or inconsistent operation.
  6. Build a remediation plan. Assign an owner, target state, priority, due date, dependencies, and expected evidence.
  7. Operate and measure. Review evidence and exceptions on a recurring schedule.
  8. Reassess. Update the scope and priorities when the environment or risk changes.

Avoid treating the assessment as a one-time checklist. Many Safeguards use verbs such as establish, maintain, review, update, and remediate. Those verbs describe continuing processes.

Evidence makes implementation visible

Evidence should show both design and operation. A policy can show the intended process. It cannot prove that the process ran.

Useful evidence may include an approved procedure, an asset export, a configuration report, a ticket sample, an access review, a restore-test result, or an incident exercise record. The right evidence depends on the Safeguard.

Ask four questions for each selected Safeguard:

  • Is the required capability defined?
  • Does it cover the stated scope?
  • Does it operate at the required cadence?
  • Can you show current evidence?

These questions expose partial implementation. An asset inventory may exist but omit cloud resources. A vulnerability scanner may run while remediation has no owner. Backups may complete while restore tests fail.

Where the CIS Controls fit

The CIS Controls are prescriptive and prioritized. That makes them useful for deciding what defensive work to do first.

They can coexist with broader frameworks and compliance requirements. The CIS Controls Navigator shows mappings to frameworks such as NIST Cybersecurity Framework 2.0, NIST Special Publications, ISO and IEC 27001, and PCI DSS. A mapping helps you compare concepts. It does not prove compliance with the mapped requirement.

Version 8.1 is an iterative update to version 8.0. CIS revised asset classes and some Safeguard descriptions. It also realigned mappings to the NIST Cybersecurity Framework 2.0 functions, including Govern. Use one explicit version across assessments, reports, and mappings so names and references stay consistent.

Limits and decision points

The CIS Controls do not choose your risk appetite. They do not supply detailed product configurations for every platform. They also do not replace legal, contractual, or sector-specific obligations.

A Safeguard can be correctly selected yet poorly implemented. Coverage may be incomplete. Evidence may be stale. A tool may be installed but unmanaged. Exceptions may have no owner or expiry date.

Do not chase a completion percentage without context. A count gives every selected Safeguard equal weight, while your risks and dependencies do not. Report completion alongside scope, evidence quality, important gaps, accepted exceptions, and remediation age.

Your learning path

Start with the v8.1 overview and the Implementation Groups. Use the Navigator to inspect the Safeguards in your chosen group. Then assess a small, clearly bounded scope and collect real evidence. Expand only after the first loop produces owned remediation work.

Later, study the official mappings and companion resources that match your obligations. The durable skill is not memorizing 153 Safeguards. It is turning prioritized guidance into operating controls with owners, evidence, and review.