CIS Controls

What are the CIS Controls?

The CIS Critical Security Controls (CSC) are published by the Center for Internet Security (CIS) to assist organizations in better defending against well-known threats by converting critical security concepts into executable controls in order to reach a more comprehensive overall cybersecurity defensive strategy. 

The most recent version, v8, was released in May 2021. In the enhanced version, the controls are now arranged into activities and attack styles. As a result, the controls have been reduced from 20 to 18 to better suit cloud, hybrid, and activity-based platforms.

The main purpose of the CIS controls is to keep risks to the absolute minimum. The CIS Controls are intended to safeguard your company’s data and systems against hacking, cyber-attacks, and other online risks.

While many standards and compliance regulations intended to improve overall security can be industry-specific, the CIS CSC was formed by professionals from various government agencies and industry experts to be universally applicable.

What are the requirements for CIS compliance?

The CIS Controls Implementation Groups (IGs) give new recommendations for prioritizing implementation and a streamlined method for assisting enterprises of all sizes in directing their security resources. The following is a list of the 18 CIS controls included in version 8.0:

1. Inventory and control of hardware
2. Inventory and control of Software
3. Data protection
4. Secure configuration for hardware and software
5. Account management
6. Controlled access of administrative privileges
7. Continuous vulnerability management
8. Maintenance, monitoring, and analysis of audit logs
9. Email and web browser protections
10. Malware defenses
11. Data recovery capability
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness and skill training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing  

What are the CIS Implementation Groups?

CIS recognize that security teams cannot implement everything all at once and may need to implement controls in stages.

CIS Security has provided recommended guidance for users to prioritize the controls they need to implement by assigning the 153 controls to three Implementation Groups (IGs) to suit enterprises of different sizes. Each IG contains a set of safeguards needed to be implemented. (Safeguards used to be referred to as CIS Sub-controls.) The CIS controls provide a great roadmap and framework towards your security. Having said that, it’s important to keep in mind that they are guidelines, and an organization should always look at their individual needs, and undergo a comprehensive risk assessment to identify any additional points of weakness or risk and build upon the framework.


The first group IG1 is considered “essential cyber hygiene” and should be implemented by everyone. It provides a minimum standard of security, a basic foundational line of cyber defense to protect you from the most common attacks. It is a great starting place for all organizations and will ensure you are considering the most important security areas, in general.


IG2 builds upon IG1. It is made up of 74 additional Safeguards and should be implemented on top of the 56 Safeguards identified in IG1. The 74 Safeguards selected for IG2 are suited to help security teams who are dealing with more complex operational environments. CIS warn that some Safeguards will depend on enterprise-grade technology and specialized expertise to properly install and configure.

An IG2 enterprise generally appoints individuals to be responsible for managing and protecting IT infrastructure. IG2 level enterprises are usually made up of multiple departments that have various risk profiles, depending on each one’s job function and mission. According to CIS, IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. Some departments may be trying to achieve regulatory compliance. A loss of public confidence is a major concern should a breach occur and is a driving factor in implementing these further controls.


IG3 comprises the full range of controls – all 153 safeguards. Built upon both IG1 and IG2, it is an additional 23 safeguards that complete the full CIS Controls v8. Enterprises implementing IG3 will have the most complex operational environments and infrastructures, with potential for the greatest impact should an attack succeed.

CIS expect the average IG3 enterprise to employ security experts, each specializing in one of the multiple areas of cybersecurity like risk management, penetration testing, web security, or app security. Assets and data of IG3 enterprises commonly contain sensitive information or functions that are highly regulated and need compliance oversight. Availability of services, Confidentiality and Integrity of data are all critical concerns of an IG3 enterprise and the worry of an attack could be potentially significant harm to public welfare. According to CIS, safeguards selected for IG3 must ‘abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks’.

Why should you comply with CIS?

The CIS Critical Security Controls are a great starting point for organizations seeking to strengthen their overall security and harden their defensive capabilities against the most widely known attacks. They reduce your exposure risk and mitigate the severity of the majority of attack types.

The CIS Critical Security Controls are also cross-compatible with and/or directly map to a variety of other security and compliance standards, which are often specific to the industry—including NIST 800-53, PCI DSS, FISMA, and HIPAA. This means that organizations that must abide by these rules can rely on CIS controls to assist them in doing so. Furthermore, the NIST CSF (Cybersecurity Framework), another powerful tool for improving the efficiency and strength of an organization’s security posture, uses the CIS CSC as a starting point for several of their recommended guiding principles.

How to achieve compliance?

Downloading the benchmarking documents and manually carrying out the recommendations is possible and completely free to get started. However, it is frequently extremely labor-intensive, and it is difficult to ensure ongoing compliance — especially as configurations are updated and new assets are added. An automated solution makes implementing and maintaining compliance with the CIS benchmarks easier and faster.

The Centraleyes platform includes an integrated CIS questionnaire and allows you to collect, analyze, and identify gaps automatically. Once the gaps have been identified, the platform will generate automated actionable remediation tasks using its AI risk engine, guiding the team on what they need to do.

You can implement the different CIS Security IGs with ease from the Centraleyes platform. Choosing from IG1, IG2 or the full CIS questionnaire (IG3), you can assess, remediate and conquer CIS Security swiftly and efficiently via Centraleyes powers of automation and cutting edge technology.

The Centraleyes platform provides organizations with complete visibility into their cyber risk levels and CIS compliance, resulting in time and money savings as well as more accurate data.

Read more:

Start implementing CIS Controls in your organization for free

Related Content

AI Governance

What is the Centraleyes AI Governance Framework? The AI Governance assessment, created by the Analyst Team…

ISO 42001

What is ISO 42001 (AI)? Artificial intelligence (AI) has emerged as a transformative technology, imbuing machines…


What is NIST AI RMF? As artificial intelligence gains traction and becomes increasingly more popular, it…
Skip to content