
CIS Controls and CIS Benchmarks — What They Are and How to Implement

CIS Controls are a prioritized set of 18 cybersecurity controls (broken down into 153 specific safeguards), while CIS Benchmarks provide hardening guidelines for specific technologies. Learn what they are, how they differ from ISO 27001 and NIST CSF, and how to implement them.

Organizations building cybersecurity programs face a fundamental challenge: where to start. The threat landscape is vast, budgets are finite, and the number of possible security controls runs into the hundreds. The Center for Internet Security (CIS) addresses this problem directly with two complementary resources — CIS Controls and CIS Benchmarks — that provide a prioritized, actionable path from basic cyber hygiene to comprehensive defense.

This guide examines both CIS Controls and CIS Benchmarks in depth: what they contain, how they are structured, how they compare to other frameworks, and how to implement them effectively in a real-world environment.

What Is CIS?

The Center for Internet Security (CIS) is a nonprofit organization founded in 2000, dedicated to developing best practices for securing IT systems and data. CIS operates through a community-driven model: thousands of cybersecurity professionals, government agencies, and technology vendors contribute to developing and maintaining its resources.

CIS produces two primary artifacts that have become industry standards:

  • CIS Controls — a prioritized set of cybersecurity safeguards (formerly known as the SANS Top 20 or CIS Critical Security Controls)
  • CIS Benchmarks — detailed, consensus-based configuration guides for hardening specific technologies

These two resources serve different but complementary purposes. Controls answer the question “what should we do?” while Benchmarks answer “how exactly should we configure this system?”

CIS Controls v8: The 18 Safeguards

CIS Controls version 8, released in May 2021, reorganized and modernized the framework to reflect the current threat landscape — including cloud adoption, remote work, and increasing supply chain attacks. The structure moved from 20 controls in v7.1 to 18 controls in v8, with a total of 153 individual safeguards distributed across those controls.

The 18 Controls

Each control addresses a specific area of cybersecurity defense:

Control 1 — Inventory and Control of Enterprise Assets. You cannot protect what you do not know exists. This control requires organizations to actively manage all hardware devices on the network, including servers, workstations, IoT devices, mobile phones, and cloud instances. Unauthorized or unmanaged devices must be identified and addressed.

Control 2 — Inventory and Control of Software Assets. Parallel to hardware inventory, this control demands a complete and continuously updated catalog of all authorized software. Unauthorized software — whether malicious or simply unapproved — must be detected and removed or isolated.

Control 3 — Data Protection. This control covers the identification, classification, and protection of sensitive data throughout its lifecycle. It includes encryption at rest and in transit, data loss prevention mechanisms, and proper data disposal procedures.

Control 4 — Secure Configuration of Enterprise Assets and Software. Default configurations are almost always insecure. This control requires establishing, implementing, and maintaining hardened configurations for all assets — which is precisely where CIS Benchmarks come into play.

Control 5 — Account Management. Managing user accounts, service accounts, and administrative accounts through their entire lifecycle: creation, usage, dormancy, and deletion. This includes processes for assigning and revoking access based on role and business need.

Control 6 — Access Control Management. Building on account management, this control focuses on defining and enforcing access rights based on the principle of least privilege. It covers role-based access, privileged access management, and access reviews.

Control 7 — Continuous Vulnerability Management. A systematic process for identifying, prioritizing, and remediating vulnerabilities across the organization’s technology stack. This includes regular scanning, risk-based prioritization, and defined remediation timelines.

Control 8 — Audit Log Management. Collecting, alerting on, reviewing, and retaining audit logs of security-relevant events. Without adequate logging, incident detection and forensic analysis become impossible.

Control 9 — Email and Web Browser Protections. Email remains the primary attack vector for phishing and malware delivery. This control covers URL filtering, attachment scanning, DMARC/SPF/DKIM implementation, and browser hardening.

Control 10 — Malware Defenses. Preventing, detecting, and controlling the installation and execution of malicious software through endpoint protection platforms, anti-malware signatures, and behavioral detection mechanisms.

Control 11 — Data Recovery. Establishing and maintaining data recovery practices — backups, tested restoration procedures, and recovery time objectives — sufficient to restore assets to a known, trusted state after an incident.

Control 12 — Network Infrastructure Management. Securely managing network devices (routers, switches, firewalls, wireless access points), including their configurations, firmware updates, and architecture design to enforce segmentation.

Control 13 — Network Monitoring and Defense. Operating processes and tools to detect, analyze, and respond to network-based threats. This includes intrusion detection/prevention systems, network traffic analysis, and security information and event management (SIEM).

Control 14 — Security Awareness and Skills Training. Establishing and maintaining a security awareness program to influence behavior and equip personnel with the skills to reduce cybersecurity risk. This is one of the most cost-effective controls available.

Control 15 — Service Provider Management. Managing the security posture of third-party service providers who handle sensitive data or operate critical infrastructure components. This includes due diligence assessments, contractual security requirements, and ongoing monitoring.

Control 16 — Application Software Security. Managing the security lifecycle of internally developed, hosted, or acquired software — including secure development practices, vulnerability testing, and dependency management.

Control 17 — Incident Response Management. Establishing a program to prepare for, detect, and rapidly respond to security incidents. This includes incident response plans, defined roles, communication procedures, and post-incident analysis.

Control 18 — Penetration Testing. Testing the effectiveness of security controls by simulating the tactics, techniques, and objectives of real-world attackers. This includes both external and internal penetration tests, as well as red team exercises.

Implementation Groups (IGs)

One of the most valuable aspects of CIS Controls v8 is the concept of Implementation Groups. Rather than presenting all 153 safeguards as equally urgent, CIS organizes them into three tiers based on organizational profile:

Implementation Group 1 (IG1) — Essential Cyber Hygiene. Contains 56 safeguards applicable to every organization regardless of size or sector. IG1 represents the minimum standard of information security that all enterprises should meet. These safeguards defend against the most common, non-targeted attacks. Examples include maintaining an inventory of assets, ensuring software is current, controlling administrative privileges, and maintaining secure configurations.

Implementation Group 2 (IG2) — Expanded Controls. Adds 74 safeguards on top of IG1, totaling 130. IG2 is designed for organizations that employ individuals responsible for managing and protecting IT infrastructure, handle sensitive client or organizational data, and can tolerate short interruptions to service. IG2 safeguards address more sophisticated attacks and require centralized management capabilities.

Implementation Group 3 (IG3) — Comprehensive Security. Includes all 153 safeguards. IG3 targets organizations that store or process highly sensitive data, are subject to regulatory oversight, face advanced persistent threats, and must ensure service availability. These organizations typically have dedicated security teams and the resources to implement and maintain advanced controls.

The IG model is critically important because it prevents the paralysis that comes from trying to implement everything at once. An organization with limited resources can focus on IG1, achieve meaningful risk reduction, and then progressively adopt IG2 and IG3 safeguards as their maturity and resources grow.

CIS Benchmarks: Hardening at the Configuration Level

While CIS Controls operate at the strategic level, CIS Benchmarks operate at the tactical and operational level. A CIS Benchmark is a detailed configuration guide for a specific technology — an operating system, a database, a cloud platform, a network device, or an application — that specifies exactly how to harden that technology against known attack vectors.

Scope and Coverage

As of 2026, CIS maintains over 100 Benchmarks covering:

  • Operating systems — Windows Server 2022, Windows 11, Ubuntu 24.04, Red Hat Enterprise Linux 9, macOS Sequoia, Debian 12, SUSE, Oracle Linux, Alpine Linux
  • Cloud platforms — AWS Foundations, Microsoft Azure, Google Cloud Platform, Oracle Cloud, Alibaba Cloud, IBM Cloud
  • Containers and orchestration — Docker, Kubernetes, Amazon EKS, Azure AKS, Google GKE
  • Databases — Microsoft SQL Server, Oracle Database, PostgreSQL, MySQL, MongoDB, MariaDB
  • Web servers — Apache HTTP Server, Nginx, Microsoft IIS
  • Network devices — Cisco IOS, Palo Alto, Juniper, Fortinet
  • Middleware and applications — Apache Tomcat, Microsoft 365, Google Workspace, Zoom
  • Desktop software — major web browsers (Chrome, Edge, Firefox, Safari)

Benchmark Structure

Each CIS Benchmark follows a consistent structure:

  1. Profile definitions — typically Level 1 (practical hardening with minimal operational impact) and Level 2 (deeper hardening that may affect functionality)
  2. Recommendations — individual configuration settings, each containing:
    • A description of the setting and its security relevance
    • The rationale explaining why the setting matters
    • An audit procedure to check the current state
    • A remediation procedure to apply the recommended configuration
    • The CIS Controls mapping, linking the recommendation to the relevant Control and safeguard
    • Default values for the technology in question
  3. Scoring status — whether the recommendation can be verified automatically (Scored) or requires manual review (Not Scored)

Level 1 vs Level 2 Profiles

Level 1 recommendations are considered practical and prudent. They are designed to be implemented in most environments without causing significant operational disruption. Examples include disabling unnecessary services, enforcing password complexity, and enabling audit logging.

Level 2 recommendations provide deeper defense but may have a measurable impact on system functionality or administrative overhead. Examples include disabling all USB storage devices, enforcing application whitelisting, or configuring advanced cryptographic settings that may break compatibility with older clients.

Organizations typically start with Level 1 across their estate and selectively apply Level 2 recommendations to high-risk or sensitive systems.

CIS Controls vs ISO 27001 vs NIST CSF

Organizations often struggle to understand how CIS Controls relate to other major cybersecurity frameworks. The three most commonly compared frameworks serve different purposes and operate at different levels of abstraction.

Aspect          | CIS Controls v8                     | ISO 27001:2022                        | NIST CSF 2.0
----------------|-------------------------------------|---------------------------------------|-------------------------------
Type            | Prescriptive safeguards             | Management system standard            | Risk management framework
Origin          | CIS (community-driven)              | ISO/IEC (international standard)      | NIST (US government)
Focus           | Technical “what to do”              | Governance + risk management          | Risk-based outcomes
Structure       | 18 controls, 153 safeguards         | 93 controls in Annex A, ISMS clauses  | 6 functions, 22 categories
Prioritization  | IG1/IG2/IG3                         | Risk assessment drives selection      | Tier-based maturity model
Certification   | No formal certification             | Yes (accredited certification)        | No formal certification
Cost            | Free                                | Standard purchase + audit costs       | Free
Best for        | Operationalizing technical controls | Demonstrating governance maturity     | Enterprise risk communication

How They Work Together

These frameworks are not competitors — they are complementary layers of a comprehensive cybersecurity program:

NIST CSF provides the strategic, risk-based structure. It helps leadership understand cybersecurity in terms of business outcomes: Govern, Identify, Protect, Detect, Respond, and Recover. It is excellent for communicating cybersecurity posture to executives and boards.

ISO 27001 provides the management system. It requires documented risk assessments, a Statement of Applicability, management reviews, internal audits, and continuous improvement. It is the standard to pursue when the organization needs demonstrable, certifiable security governance.

CIS Controls provide the technical implementation guide. When ISO 27001 says “implement access control” (Annex A Control 8.3), CIS Controls 5 and 6 tell you exactly what that means: maintain an access granting process, restrict administrator privileges, require MFA for externally-exposed applications, define and enforce access on a role basis.

CIS publishes official mapping documents that cross-reference every CIS safeguard to the corresponding ISO 27001 Annex A controls and NIST CSF subcategories. This mapping enables organizations to implement CIS Controls while simultaneously satisfying the technical requirements of ISO 27001 and aligning with the NIST CSF structure.

Regulatory Mapping: NIS2 and DORA

For organizations operating within the European Union, two regulations have significantly increased the urgency of adopting structured cybersecurity controls.

NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555), which EU member states were required to transpose into national law by October 2024, substantially expands the scope and requirements of cybersecurity obligations for essential and important entities across critical sectors.

NIS2 Article 21 mandates that organizations implement “appropriate and proportionate technical, operational and organizational measures” including — among others — risk analysis, incident handling, business continuity, supply chain security, network security, access control, and encryption.

CIS Controls map directly to these requirements:

  • Risk analysis and information system security — CIS Controls 1, 2 (asset inventory), 7 (vulnerability management)
  • Incident handling — CIS Control 17 (incident response management)
  • Business continuity and crisis management — CIS Control 11 (data recovery)
  • Supply chain security — CIS Control 15 (service provider management)
  • Network security — CIS Controls 12, 13 (network infrastructure and monitoring)
  • Access control and authentication — CIS Controls 5, 6 (account and access management)
  • Encryption — CIS Control 3 (data protection)

Implementing CIS Controls IG2 or IG3 provides a strong technical foundation for demonstrating NIS2 compliance.

DORA Regulation

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies specifically to financial entities — banks, insurance companies, investment firms, payment institutions, and their critical ICT third-party service providers. DORA became applicable on January 17, 2025.

DORA’s requirements for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management align closely with CIS Controls:

  • ICT risk management framework (DORA Art. 6-16) — CIS Controls 1-4 (asset management, data protection, secure configuration)
  • ICT-related incident management (DORA Art. 17-23) — CIS Controls 8, 13, 17 (logging, monitoring, incident response)
  • Digital operational resilience testing (DORA Art. 24-27) — CIS Control 18 (penetration testing)
  • ICT third-party risk management (DORA Art. 28-44) — CIS Control 15 (service provider management)

For financial entities, implementing CIS Controls alongside CIS Benchmarks for their specific technology stack provides a concrete, auditable mechanism for demonstrating DORA compliance.

Implementation: A Step-by-Step Approach

Adopting CIS Controls is not a one-time project — it is an ongoing process of assessment, implementation, monitoring, and improvement. The following approach reflects the practical experience of organizations that have successfully adopted the framework.

Step 1: Determine Your Implementation Group

Assess your organization against the IG criteria:

  • IG1 if you are a small to medium organization with limited cybersecurity expertise, commodity IT, and low data sensitivity
  • IG2 if you have dedicated IT staff managing infrastructure, handle sensitive data, and need centralized security capabilities
  • IG3 if you face advanced threats, operate under regulatory scrutiny, process highly sensitive data, and maintain a dedicated security function

Starting with the wrong IG wastes resources. An IG1 organization attempting IG3 safeguards will burn through budget and staff capacity without proportionate risk reduction. Conversely, an IG3 organization implementing only IG1 safeguards leaves critical gaps.

Step 2: Conduct a Baseline Assessment

Before implementing controls, measure where you stand today. Use the CIS Controls Self-Assessment Tool (CIS CSAT) or conduct a manual gap analysis against each safeguard in your target Implementation Group. Document:

  • Which safeguards are fully implemented
  • Which are partially implemented (and the gaps)
  • Which are not implemented at all
  • The effort and cost estimate to close each gap

This baseline becomes your roadmap and your metric for measuring progress.

Step 3: Prioritize Based on Risk

Even within an Implementation Group, not all safeguards carry equal weight. Prioritize based on:

  • Attack frequency — safeguards that defend against the most common attack vectors (phishing, credential theft, unpatched vulnerabilities) should come first
  • Business impact — safeguards protecting the most critical assets and data take precedence
  • Quick wins — some safeguards are low-effort but high-impact (e.g., enabling MFA, disabling unused accounts)
  • Dependencies — some safeguards require others to be in place first (you cannot monitor logs you are not collecting)

Step 4: Implement CIS Benchmarks for Critical Systems

With your priority list in hand, begin hardening your most critical systems using CIS Benchmarks. For each system:

  1. Download the relevant CIS Benchmark from the CIS website (free registration required)
  2. Review Level 1 recommendations against your operational requirements
  3. Test the configuration changes in a non-production environment
  4. Document any exceptions (recommendations you choose not to implement, with business justification)
  5. Apply the hardened configuration to production systems
  6. Validate compliance using automated scanning tools

Step 5: Automate Assessment and Remediation

Manual compliance checks do not scale. Implement automated tools to continuously assess your configuration against CIS Benchmarks and alert on drift.

Step 6: Establish Governance and Continuous Improvement

Define processes for:

  • Regular reassessment — quarterly or semi-annual gap analysis against your target IG
  • Exception management — a formal process for documenting and reviewing configurations that deviate from CIS Benchmarks
  • Change management — ensuring new systems are hardened before deployment and that changes do not introduce configuration drift
  • Progress reporting — communicating compliance metrics to leadership in meaningful terms

Tools for CIS Assessment and Compliance

CIS-CAT Pro

CIS-CAT (Configuration Assessment Tool) Pro is the official assessment tool provided by CIS. It is available to CIS SecureSuite members (a paid membership program). CIS-CAT Pro scans target systems against CIS Benchmark recommendations and generates detailed compliance reports showing:

  • Overall compliance percentage
  • Pass/fail status for each recommendation
  • Remediation guidance for failed checks
  • Historical trend data for tracking improvement

CIS-CAT Pro supports agentless and agent-based scanning for Windows, Linux, macOS, and various network devices. It exports results in HTML, CSV, and JSON formats for integration with other reporting tools.

CIS-CAT Lite

A free, limited version of CIS-CAT that supports a subset of Benchmarks. It is useful for initial assessments and small environments but lacks the automation, API access, and broad coverage of the Pro version.

OpenSCAP

OpenSCAP is an open source framework for SCAP (Security Content Automation Protocol) compliance checking. It can consume CIS Benchmark content in XCCDF/OVAL format and perform automated assessments against Linux systems. OpenSCAP includes:

  • oscap — command-line scanner
  • SCAP Workbench — graphical interface for running assessments
  • OpenSCAP Daemon — for scheduled, continuous compliance monitoring

Red Hat, Ubuntu, and other Linux distributions ship with SCAP content that includes CIS Benchmark profiles, making OpenSCAP particularly effective for Linux hardening programs.

SCAP Protocol

SCAP (Security Content Automation Protocol) is a suite of specifications maintained by NIST for expressing and manipulating security-related information in standardized ways. SCAP components relevant to CIS implementation include:

  • XCCDF (Extensible Configuration Checklist Description Format) — defines checklists and benchmarks
  • OVAL (Open Vulnerability and Assessment Language) — describes system states for compliance checking
  • CPE (Common Platform Enumeration) — identifies hardware and software
  • CVE (Common Vulnerabilities and Exposures) — references known vulnerabilities

CIS Benchmarks are available in SCAP format, enabling automated ingestion by any SCAP-compatible tool.

Commercial Solutions

Several commercial platforms integrate CIS Benchmark scanning into broader vulnerability and compliance management:

  • Tenable Nessus / Tenable.io — includes CIS compliance audit files for automated scanning
  • Qualys Policy Compliance — supports CIS Benchmarks across infrastructure and cloud
  • Rapid7 InsightVM — policy assessment against CIS Benchmarks
  • Prisma Cloud (Palo Alto) — CIS Benchmark checks for cloud environments (AWS, Azure, GCP)
  • AWS Security Hub — native integration with CIS AWS Foundations Benchmark

Best Practices for CIS Implementation

Start with IG1 and Expand Gradually

The most successful CIS implementations begin with IG1 and achieve broad coverage before moving to IG2. An organization that has fully implemented IG1 across all assets is in a significantly stronger security posture than one that has partially implemented IG3 on a subset of systems.

Treat Benchmarks as Baselines, Not Ceilings

CIS Benchmarks represent consensus minimum security configurations. For high-value assets — domain controllers, database servers storing sensitive data, internet-facing applications — consider going beyond Level 2 recommendations with additional hardening measures tailored to your threat model.

Automate Configuration Management

Use configuration management tools (Ansible, Puppet, Chef, Salt, or cloud-native equivalents like AWS Systems Manager) to deploy and enforce CIS Benchmark configurations at scale. Infrastructure-as-code approaches ensure that every new system is deployed with a hardened baseline and that configuration drift is automatically corrected.

Document All Exceptions

Every deviation from a CIS Benchmark recommendation should be formally documented with:

  • The specific recommendation that is not implemented
  • The business or technical justification
  • The compensating controls in place (if any)
  • A review date for reassessing the exception

This exception register is invaluable during audits and incident investigations.

Integrate CIS into Your SDLC

For organizations developing or deploying applications, CIS Benchmarks should be integrated into the deployment pipeline. Container images should be scanned against the CIS Docker and Kubernetes Benchmarks before reaching production. Cloud infrastructure provisioned through Terraform or CloudFormation should be validated against CIS cloud Benchmarks as part of the CI/CD process.

Map CIS to Your Regulatory Requirements

If your organization is subject to NIS2, DORA, PCI DSS, HIPAA, or other regulations, create and maintain a mapping document that shows how each regulatory requirement is addressed by specific CIS Controls and Benchmarks. This mapping simplifies audit preparation and demonstrates due diligence to regulators.

Leverage the CIS Community

CIS Benchmarks are developed through a community consensus process. Participate in the CIS WorkBench community to contribute to Benchmark development, access draft Benchmarks before release, and learn from practitioners implementing the same controls in similar environments.

Measure and Report Progress

Define meaningful metrics for tracking CIS implementation:

  • Percentage of assets covered by automated CIS Benchmark scanning
  • Average compliance score across the estate (and trend over time)
  • Number of IG safeguards fully implemented vs. target
  • Mean time to remediate failed CIS Benchmark checks
  • Number of active exceptions and their risk ratings

Regular reporting to leadership keeps cybersecurity investment aligned with measurable risk reduction.
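The metrics above, the exception register from Document All Exceptions, the drift alerting asked for in Step 5, and the XCCDF results that SCAP scanners such as oscap produce can all be handled in one place. The following is an added example, not CIS, OpenSCAP or any vendor's code: the TestResult XML, rule ids and exception entries are constructed, and ASSESSMENT_DATE is an assumed reporting date.

```python
"""Score an XCCDF scan result against an exception register and flag drift."""
import xml.etree.ElementTree as ET
from datetime import date

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
ASSESSMENT_DATE = date(2026, 1, 15)  # assumed reporting date for this example

# Constructed sample of the TestResult section an XCCDF scanner (e.g. oscap) writes.
# Rule ids are invented placeholders in SSG naming style, not real benchmark ids.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_cis">
  <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_rules_login_events" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_usb_storage_disabled" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_password_min_length" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_wireless_disabled" severity="low"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_manual_review_backup" severity="low"><result>notchecked</result></rule-result>
</TestResult>
"""

# Constructed exception register with the fields the "Document All Exceptions" practice asks for.
EXCEPTIONS = {
    "xccdf_example_rule_usb_storage_disabled": {
        "justification": "Lab workstations flash device firmware over USB",
        "compensating_control": "Endpoint device-control logging",
        "review_date": date(2026, 12, 31),
    },
    "xccdf_example_rule_audit_rules_login_events": {
        "justification": "Legacy image; remediation scheduled",
        "compensating_control": "Central syslog captures auth events",
        "review_date": date(2025, 6, 30),  # review date has passed: no longer an accepted exception
    },
}


def parse_xccdf_results(xml_text):
    """Return {rule_id: (result, severity)} from an XCCDF 1.2 TestResult document."""
    root = ET.fromstring(xml_text)
    results = {}
    for rule_result in root.iter(XCCDF_NS + "rule-result"):
        result = rule_result.find(XCCDF_NS + "result")
        results[rule_result.get("idref")] = (result.text.strip(), rule_result.get("severity", "unknown"))
    return results


def evaluate(results, exceptions, today):
    """Score a scan: documented, unexpired exceptions count as compliant; expired ones fail again."""
    summary = {"passed": [], "failed": [], "excepted": [], "expired_exceptions": [], "excluded": []}
    for rule_id, (result, severity) in sorted(results.items()):
        if result == "pass":
            summary["passed"].append(rule_id)
        elif result == "fail":
            exc = exceptions.get(rule_id)
            if exc is None:
                summary["failed"].append((rule_id, severity))
            elif exc["review_date"] < today:
                summary["expired_exceptions"].append(rule_id)
                summary["failed"].append((rule_id, severity))
            else:
                summary["excepted"].append(rule_id)
        else:
            # notapplicable, notchecked, error and similar results stay out of the denominator
            summary["excluded"].append((rule_id, result))
    applicable = len(summary["passed"]) + len(summary["failed"]) + len(summary["excepted"])
    compliant = len(summary["passed"]) + len(summary["excepted"])
    summary["compliance_pct"] = round(100.0 * compliant / applicable, 1) if applicable else 0.0
    return summary


def detect_drift(previous, current):
    """Rules that passed in the previous scan but fail now: the condition to alert on."""
    return sorted(rule_id for rule_id, (result, _) in current.items()
                  if result == "fail" and previous.get(rule_id, ("", ""))[0] == "pass")


if __name__ == "__main__":
    scan = parse_xccdf_results(SAMPLE_RESULTS)
    summary = evaluate(scan, EXCEPTIONS, ASSESSMENT_DATE)
    print(f"compliance {summary['compliance_pct']}%, active exceptions {len(summary['excepted'])}, "
          f"expired exceptions {summary['expired_exceptions']}")
    for rule_id, severity in summary["failed"]:
        print(f"  FAIL [{severity}] {rule_id}")
    # Drift check against a (constructed) earlier scan in which every rule passed
    baseline = {rule_id: ("pass", sev) for rule_id, (_, sev) in scan.items()}
    print("drifted:", detect_drift(baseline, scan))
```

Feeding real oscap output in requires only pointing the parser at the results file; the excepted list and expired-exception list are the "active exceptions" metric, and the drift list is what a scheduled scan should page on.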

Frequently Asked Questions (FAQ)

What is the difference between CIS Controls and CIS Benchmarks?

CIS Controls are 18 high-level cybersecurity controls, broken down into 153 specific safeguards, that define what an organization should do to defend against threats. CIS Benchmarks are detailed, technology-specific configuration guides that define how to harden individual systems like Windows Server, Linux, AWS, or Cisco IOS. Controls set strategy; Benchmarks provide implementation specifics.

Are CIS Controls mandatory?

CIS Controls are voluntary best practices, not legally mandated requirements. However, many regulatory frameworks — including NIS2, DORA, PCI DSS, and HIPAA — reference or align with CIS Controls. Implementing them demonstrates due diligence and can simplify compliance with mandatory regulations.

How do CIS Controls relate to ISO 27001?

CIS Controls and ISO 27001 are complementary. ISO 27001 is a management system standard focused on governance, risk assessment, and continuous improvement. CIS Controls provide a prioritized, technically prescriptive set of safeguards. Organizations often use CIS Controls to implement the technical controls required by ISO 27001 Annex A.

What is a CIS Implementation Group and which one should I start with?

CIS defines three Implementation Groups (IGs) based on organizational size, resources, and risk profile. IG1 contains 56 essential safeguards suitable for any organization — it represents minimum cyber hygiene. IG2 adds 74 more safeguards for organizations with dedicated IT staff. IG3 covers all 153 safeguards for organizations facing sophisticated threats.

What tools are available for assessing CIS compliance?

CIS provides CIS-CAT Pro, an automated assessment tool that scans systems against CIS Benchmarks and generates compliance reports. Open source alternatives include OpenSCAP, which uses SCAP (Security Content Automation Protocol) content. Commercial solutions like Tenable, Qualys, and Rapid7 also include CIS Benchmark scanning capabilities.

Summary

CIS Controls and CIS Benchmarks represent one of the most practical, actionable approaches to cybersecurity available today. The Controls provide a prioritized roadmap of what to do, organized into Implementation Groups that match organizational maturity and risk profile. The Benchmarks provide the precise, technology-specific configurations needed to harden individual systems. Together, they bridge the gap between strategic security intent and operational security reality.

Their strength lies in their community-driven development, free availability, and explicit mapping to regulatory frameworks like NIS2, DORA, ISO 27001, and NIST CSF. An organization that systematically implements CIS Controls starting from IG1, hardens its infrastructure using CIS Benchmarks, and maintains continuous compliance monitoring through tools like CIS-CAT or OpenSCAP has established a defensible, measurable, and auditable cybersecurity posture — regardless of whether it is a 50-person company or a multinational enterprise.

