We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / CIS Controls
Center for Internet Security · Global

CIS Controls

A prioritised set of 18 safeguards that stop the most common attacks.

Introduction: The CIS Critical Security Controls

The CIS Critical Security Controls (commonly called the CIS Controls) are a prioritised, prescriptive and community-developed set of safeguards designed to mitigate the most prevalent and dangerous cyber-attacks affecting modern organisations. Maintained by the Center for Internet Security (CIS), a not-for-profit entity headquartered in East Greenbush, New York, the Controls translate the collective knowledge of thousands of security practitioners into a defensible, action-oriented programme. Unlike broad governance frameworks that describe what good security looks like in abstract terms, the CIS Controls tell you precisely what to do, in what order, to obtain the greatest defensive return for the least effort.

The current edition, CIS Controls Version 8 (released May 2021, with an incremental v8.1 update in 2024 that aligns the asset taxonomy with the NIST Cybersecurity Framework 2.0 functions and adds Governance as a security function), consolidates the historically dispersed twenty controls into eighteen top-level Controls comprising 153 individual Safeguards. The Controls are organised around activities rather than around the type of device that performs them, a deliberate shift reflecting the reality of cloud computing, mobility, virtualisation and outsourcing. This guide provides an auditor-grade walk-through of every Control, every Implementation Group, the assessment evidence you should expect to see, and a pragmatic route to adoption for organisations of any size.

Copyright and licensing note
The CIS Controls, CIS Safeguards, CIS Benchmarks, the CIS Controls Self-Assessment Tool (CIS CSAT) and associated materials are the intellectual property of the Center for Internet Security, Inc. and are distributed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International licence (or successor terms). This CyberSigma guide is an original, independently authored commentary. It paraphrases and interprets publicly available concepts; it does not reproduce CIS copyrighted control text verbatim. Organisations should download the authoritative Controls and Safeguard wording directly from cisecurity.org and honour the applicable licence terms before operational use.

What are the CIS Controls?

The CIS Controls are a defence-in-depth model of cyber hygiene expressed as a small number of high-value activities. They began life in 2008 as the 'Consensus Audit Guidelines', were later stewarded by the SANS Institute as the 'SANS Top 20', and since 2015 have been owned and maintained by CIS. Each successive version has been refined using real-world attack data, the MITRE ATT&CK knowledge base and the annual Verizon Data Breach Investigations Report, ensuring the safeguards remain empirically tied to how breaches actually occur.

Three structural concepts define Version 8 and are essential to any assessment:

  • Controls: the eighteen top-level categories of defensive activity, numbered CIS Control 1 through CIS Control 18, each addressing a distinct risk area such as asset inventory, data protection, or incident response.
  • Safeguards: the 153 discrete, testable actions (formerly called 'Sub-Controls') nested beneath the Controls. Each Safeguard is a single, atomic requirement written so it can be measured as implemented or not implemented.
  • Implementation Groups (IG1, IG2, IG3): a tiering mechanism that assigns each Safeguard to a level of organisational maturity and risk exposure, so that a small business and a large enterprise can each adopt a defensible subset. IG1 defines essential cyber hygiene, IG2 builds on IG1 for organisations managing greater complexity, and IG3 addresses organisations with sensitive data and sophisticated adversaries.

Crucially, the CIS Controls are voluntary and framework-agnostic. They are not a law and confer no certification of their own, yet they are explicitly referenced by regulators and standards bodies, map cleanly to NIST CSF, NIST SP 800-53, ISO/IEC 27001, PCI DSS and DPDP-driven security expectations, and are frequently adopted as the technical implementation layer beneath a governance framework.

Who must comply with the CIS Controls?

No statute mandates the CIS Controls by name. However, they are strongly recommended, contractually required or effectively obligatory for a wide range of organisations because they are recognised as a reasonable standard of care and are cross-referenced by binding regimes. The table below summarises typical applicability.

Organisation / contextNature of obligationRecommended Implementation Group
Small and medium businesses (SMBs)Voluntary best practice; increasingly required by cyber-insurance underwriters and enterprise supply-chain questionnairesIG1 (essential cyber hygiene)
Enterprises handling regulated or client dataVoluntary, but used to demonstrate due diligence and 'reasonable security' in litigation and regulatory reviewIG2
Critical infrastructure and high-value targetsExpected baseline; often written into sector regulatory guidance and government procurementIG3
US State, Local, Tribal and Territorial (SLTT) governmentFrequently mandated via MS-ISAC membership and state policy; CIS is the operator of the MS-ISACIG1 to IG2 minimum
Defence and government contractorsReferenced indirectly via NIST SP 800-171 / CMMC mappingsIG2 to IG3
Organisations subject to PCI DSS, HIPAA, ISO 27001 or DPDPNot directly required, but CIS Safeguards operationalise many mandated controls and simplify audit evidenceIG2
Cyber-insurance applicantsIncreasingly a precondition of coverage; insurers request CIS Control attestationIG1 minimum, IG2 preferred

In practice, any organisation seeking a demonstrable, prioritised and cost-effective security programme is a candidate for CIS Controls adoption. The Implementation Group model means the framework scales from a two-person startup to a multinational bank without leaving smaller organisations paralysed by irrelevant requirements.

Structure of the CIS Controls (Version 8)

Version 8 comprises eighteen Controls and 153 Safeguards. Each Control has a defined purpose, an ordered set of Safeguards, and an allocation of those Safeguards across the three Implementation Groups. The table enumerates all eighteen Controls, their Safeguard counts and the number of Safeguards applicable to each Implementation Group (IG1 counts are cumulative into IG2 and IG3).

Control #Control nameTotal safeguardsIG1IG2IG3
1Inventory and Control of Enterprise Assets5245
2Inventory and Control of Software Assets7367
3Data Protection1461214
4Secure Configuration of Enterprise Assets and Software1271112
5Account Management6466
6Access Control Management8578
7Continuous Vulnerability Management7477
8Audit Log Management1231112
9Email and Web Browser Protections7267
10Malware Defences7377
11Data Recovery5455
12Network Infrastructure Management8178
13Network Monitoring and Defence110611
14Security Awareness and Skills Training9899
15Service Provider Management7147
16Application Software Security1401114
17Incident Response Management9389
18Penetration Testing5035

The Controls are deliberately ordered so that the earliest Controls (asset and software inventory, data protection, secure configuration) deliver the highest marginal risk reduction. An organisation that cannot see its assets cannot protect them, which is why Control 1 sits at the top. The following master assessment section examines every Control and its Safeguards in turn.

Master assessment checklist: every Control and Safeguard

This is the operational heart of the guide. For each of the eighteen Controls, we describe the assessment intent, then provide a verification table listing what an auditor should confirm and the typical evidence that substantiates it. Coverage is complete: no Control or Safeguard family is omitted.

Control 1 — Inventory and Control of Enterprise Assets

Establish and maintain an accurate, detailed and up-to-date inventory of all enterprise assets (end-user devices, network devices, IoT, servers) whether on-premises, virtual, remote or cloud-hosted, so that only authorised devices are granted access.

What to verifyTypical evidence
A documented enterprise asset inventory exists and is reviewed at least bi-annually (Safeguard 1.1)Asset register / CMDB export with review timestamps and owner sign-off
Unauthorised assets are addressed by removal, quarantine or update (Safeguard 1.2)Remediation tickets, network access control logs, exception register
An active discovery tool identifies connected assets (Safeguard 1.3, IG2+)Discovery tool configuration and scan schedule, sample scan output
DHCP logging is used to update the asset inventory (Safeguard 1.4, IG2+)DHCP server logs and the integration pipeline into the CMDB
A passive asset discovery tool supplements active scanning (Safeguard 1.5, IG3)Passive sensor deployment map and reconciliation reports

Control 2 — Inventory and Control of Software Assets

Actively manage all software (operating systems and applications) so that only authorised software is installed and can execute, and unauthorised or unmanaged software is found and prevented from running.

What to verifyTypical evidence
A software inventory is maintained and reviewed bi-annually (Safeguard 2.1)Software inventory report with version, publisher and business purpose
Only currently supported software is authorised; unsupported software is documented (Safeguard 2.2)End-of-life register, vendor support statements, exception approvals
Unauthorised software is removed or granted a documented exception (Safeguard 2.3)Removal tickets, exception log with expiry dates
Automated software inventory tooling is deployed (Safeguard 2.4, IG2+)SAM / EDR software inventory dashboards
An allowlist of authorised software is enforced (Safeguard 2.5, IG2+)Application allowlisting policy and enforcement tool config
Allowlisting extends to authorised libraries and scripts (Safeguards 2.6-2.7, IG2/IG3)Library and script allowlist rulesets, blocked-execution logs

Control 3 — Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data across its entire lifecycle.

What to verifyTypical evidence
A data management process exists (Safeguard 3.1)Data governance policy, data lifecycle procedures
A data inventory is maintained (Safeguard 3.2)Data inventory / data map covering sensitive data locations
Data access control lists enforce least privilege (Safeguard 3.3)ACL configurations, access review records
Data retention is enforced (Safeguard 3.4)Retention schedule and automated purge evidence
Data is securely disposed of (Safeguard 3.5)Media sanitisation certificates, disposal logs
Data on end-user devices is encrypted (Safeguard 3.6)BitLocker / FileVault / MDM encryption reports
A data classification scheme is established and applied (Safeguard 3.7, IG2+)Classification policy, labelled sample data sets
Data flows are documented (Safeguard 3.8, IG2+)Data flow diagrams and inter-system transfer maps
Data on removable media is encrypted (Safeguard 3.9, IG2+)USB encryption / DLP policy enforcement logs
Sensitive data in transit and DLP monitoring are in place (Safeguards 3.10-3.13, IG2/IG3)TLS configuration, DLP alerts, access logging, encryption-at-rest evidence
Sensitive data access is logged (Safeguard 3.14, IG3)Audit logs of sensitive data reads/writes

Control 4 — Secure Configuration of Enterprise Assets and Software

Establish and maintain secure baseline configurations for assets and software, and manage them through change control to reduce the attack surface.

What to verifyTypical evidence
A secure configuration process exists for assets and software (Safeguards 4.1-4.2)Hardening standards referencing CIS Benchmarks, baseline documents
A host-based firewall or port-filtering is enabled (Safeguard 4.4)Firewall policy export, endpoint firewall status report
Sessions lock automatically after inactivity (Safeguard 4.3)GPO / MDM lock-screen configuration
Secure configuration is enforced on servers and network devices (Safeguards 4.5-4.6)Configuration management tool baselines and drift reports
Default accounts are managed or disabled (Safeguard 4.7)Account audit showing renamed/disabled defaults
Unnecessary services are uninstalled or disabled (Safeguard 4.8, IG2+)Service inventory and disablement records
Trusted DNS servers are configured (Safeguard 4.9, IG2+)DNS configuration, filtering resolver evidence
Automatic device lockout and remote wipe are enforced on portable devices (Safeguards 4.10-4.11, IG2+)MDM policy showing lockout thresholds and wipe capability
Separate enterprise workspaces are enforced on mobile devices (Safeguard 4.12, IG3)MDM containerisation configuration

Control 5 — Account Management

Manage the lifecycle and privileges of all accounts (user, administrator and service) to prevent unauthorised access.

What to verifyTypical evidence
An inventory of all accounts is maintained (Safeguard 5.1)Account inventory export, joiner-mover-leaver records
Unique passwords are used and complexity is enforced (Safeguard 5.2)Password policy configuration
Dormant accounts are disabled (Safeguard 5.3)Stale-account review and disablement logs
Administrator privileges are restricted to dedicated accounts (Safeguard 5.4)Privileged account register showing separation from daily-use accounts
An inventory of service accounts is maintained (Safeguard 5.5, IG2+)Service account register with owner and purpose
Account management is centralised (Safeguard 5.6, IG2+)Directory service / IdP integration evidence

Control 6 — Access Control Management

Create, assign, manage and revoke access credentials and privileges for all accounts, applying least privilege and strong authentication.

What to verifyTypical evidence
An access granting and revoking process is defined (Safeguards 6.1-6.2)Provisioning/deprovisioning workflow, offboarding tickets
MFA is required for externally exposed and remote access (Safeguards 6.3-6.5)MFA policy, IdP enforcement logs, VPN MFA config
An access control inventory / authorisation matrix exists (Safeguard 6.6, IG2+)Role-to-permission matrix, entitlement catalogue
Access grants are reviewed periodically (Safeguard 6.7, IG2+)Access recertification campaign records
Role-based access control is defined and enforced (Safeguard 6.8, IG3)RBAC role definitions and enforcement evidence

Control 7 — Continuous Vulnerability Management

Continuously identify, prioritise and remediate vulnerabilities to minimise the window of exposure.

What to verifyTypical evidence
A vulnerability management process and remediation cadence are defined (Safeguards 7.1-7.2)Vulnerability management policy with SLAs
Automated OS and application patch management is in place (Safeguards 7.3-7.4)Patch tool dashboards, compliance percentage reports
Automated internal and external vulnerability scanning runs on a schedule (Safeguards 7.5-7.6, IG2+)Scan schedules and sample scan reports
Detected vulnerabilities are remediated within SLA and re-scanned (Safeguard 7.7, IG2+)Remediation tracking with closure evidence and verification scans

Control 8 — Audit Log Management

Collect, alert on, review and retain audit logs to detect, understand and recover from attacks.

What to verifyTypical evidence
An audit log management process is established (Safeguard 8.1)Logging policy defining what is logged and retained
Audit logs are enabled across assets (Safeguard 8.2)Log source inventory, enablement configuration
Adequate log storage is provisioned (Safeguard 8.3)Storage sizing calculation, retention configuration
Time synchronisation and detailed logging are configured (Safeguards 8.4-8.5, IG2+)NTP configuration, log verbosity settings
DNS, URL, command-line and other detailed logs are collected (Safeguards 8.6-8.8, IG2+)SIEM source list and sample events
Logs are centralised and retained at least 90 days (Safeguards 8.9-8.10, IG2+)SIEM ingestion config and retention proof
Logs are reviewed and service provider logs are collected (Safeguards 8.11-8.12, IG2/IG3)Log review records, cloud/provider log integration

Control 9 — Email and Web Browser Protections

Reduce the attack surface presented by email and web browsers, the two most common vectors of initial compromise.

What to verifyTypical evidence
Only fully supported browsers and email clients are used (Safeguard 9.1)Software inventory of client applications
DNS filtering services are enforced (Safeguard 9.2)DNS filter configuration and block reports
Network-based URL filters are maintained (Safeguard 9.3, IG2+)Web proxy / secure web gateway policy
Unnecessary browser and email extensions are restricted (Safeguard 9.4, IG2+)Extension allowlist policy
DMARC, DKIM and SPF are implemented (Safeguard 9.5, IG2+)DNS records and DMARC aggregate reports
Attachment filtering and anti-malware email scanning are in place (Safeguards 9.6-9.7, IG2/IG3)Email gateway configuration and quarantine logs

Control 10 — Malware Defences

Prevent or control the installation, spread and execution of malicious applications, code and scripts.

What to verifyTypical evidence
Anti-malware software is deployed and centrally managed (Safeguards 10.1-10.2)EDR/AV console showing coverage and update status
Automatic signature/definition updates are enabled (Safeguard 10.2)Definition currency report
Autorun/autoplay for removable media is disabled (Safeguard 10.3)GPO / MDM configuration
Automated scanning of removable media occurs (Safeguard 10.4, IG2+)Removable-media scan logs
Anti-exploitation features are enabled (Safeguard 10.5, IG2+)DEP/ASLR/attack-surface-reduction settings
Anti-malware is centrally managed with behaviour-based detection (Safeguards 10.6-10.7, IG2/IG3)EDR behavioural policy and detection alerts

Control 11 — Data Recovery

Establish and maintain practices to restore in-scope assets to a trusted, pre-incident state.

What to verifyTypical evidence
A data recovery process is established (Safeguard 11.1)Backup and recovery policy with RPO/RTO
Automated backups are performed (Safeguard 11.2)Backup schedules and success reports
Backup data is protected (Safeguard 11.3)Encryption and access controls on backup repositories
At least one recovery copy is isolated / offline / immutable (Safeguard 11.4, IG2+)Offsite/immutable backup configuration
Recovery is tested periodically (Safeguard 11.5, IG2+)Restore test reports and outcomes

Control 12 — Network Infrastructure Management

Establish, implement and actively manage network devices to prevent attackers from exploiting vulnerable services and access points.

What to verifyTypical evidence
Network infrastructure is kept up to date (Safeguard 12.1)Firmware/patch status of routers, switches, firewalls
A secure network architecture is maintained (Safeguard 12.2, IG2+)Network segmentation diagrams and design documents
Network infrastructure is managed securely (Safeguard 12.3, IG2+)Configuration management and change control records
Network architecture diagrams are maintained (Safeguard 12.4, IG2+)Current, dated network diagrams
Management traffic is centralised and secured (Safeguards 12.5-12.7, IG2+)Out-of-band or secured management network, encrypted admin protocols
Dedicated computing resources for administrative work are enforced (Safeguard 12.8, IG3)Privileged access workstation configuration

Control 13 — Network Monitoring and Defence

Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against threats across the enterprise infrastructure and user base.

What to verifyTypical evidence
Centralised security event alerting is deployed (Safeguard 13.1, IG2+)SIEM alerting rules and dashboards
Host-based and network intrusion detection is deployed (Safeguards 13.2-13.3, IG2/IG3)HIDS/NIDS deployment and alert samples
Traffic is filtered between network segments (Safeguard 13.4, IG2+)Inter-segment firewall rules
Remote assets are managed and traffic is centrally collected (Safeguards 13.5-13.6, IG2/IG3)VPN/ZTNA posture checks, network flow collection
Intrusion prevention, port-level controls and application-layer filtering are deployed (Safeguards 13.7-13.10, IG3)IPS configuration, 802.1X/NAC, application firewall rules
Alerting thresholds are tuned (Safeguard 13.11, IG3)Tuning documentation and false-positive review

Control 14 — Security Awareness and Skills Training

Establish and maintain a security awareness programme to influence behaviour among the workforce so they are security-conscious and appropriately skilled.

What to verifyTypical evidence
A security awareness programme exists (Safeguard 14.1)Programme charter and annual plan
Training covers social engineering, authentication, data handling and incident recognition (Safeguards 14.2-14.6)Training content, completion records
Training covers causes of unintentional data exposure and network/system dangers (Safeguards 14.4-14.7)Curriculum mapping and attendance logs
Training addresses secure practices for remote and mobile working (Safeguard 14.8)Remote-work security module records
Role-specific security training is delivered (Safeguard 14.9, IG2+)Role-based training assignments and completion

Control 15 — Service Provider Management

Develop a process to evaluate service providers who hold sensitive data or are responsible for critical IT platforms, to ensure they protect those assets appropriately.

What to verifyTypical evidence
An inventory of service providers is maintained (Safeguard 15.1)Third-party register with data and criticality classification
A service provider management policy exists (Safeguard 15.2, IG2+)Vendor risk management policy
Service providers are classified by risk (Safeguard 15.3, IG2+)Provider risk-tiering methodology and results
Security requirements are included in contracts (Safeguard 15.4, IG2+)Contract clauses / DPAs with security terms
Providers are assessed and monitored (Safeguards 15.5-15.6, IG3)Assessment questionnaires, SOC 2 reports, monitoring records
Providers are securely decommissioned (Safeguard 15.7, IG3)Offboarding checklist and data return/destruction evidence

Control 16 — Application Software Security

Manage the security lifecycle of in-house developed, hosted or acquired software to prevent, detect and remediate weaknesses before they can be exploited.

What to verifyTypical evidence
A secure application development process exists (Safeguard 16.1, IG2+)Secure SDLC policy
Software vulnerabilities are tracked and remediated (Safeguards 16.2-16.3, IG2+)Defect tracking, SLA adherence
Third-party components and their provenance are managed (Safeguards 16.4-16.5, IG2/IG3)Software bill of materials, SCA scan results
Secure design, coding standards and code review are enforced (Safeguards 16.6-16.9, IG2/IG3)Coding standards, peer-review records, training
Application security testing (SAST/DAST) is performed (Safeguards 16.11-16.13, IG2/IG3)SAST/DAST reports and pipeline integration
Separate environments and threat modelling are used (Safeguards 16.7, 16.10, 16.14, IG3)Environment separation evidence, threat model artefacts, root-cause analysis

Control 17 — Incident Response Management

Establish a programme to develop and maintain incident response capability to prepare, detect and quickly respond to attacks.

What to verifyTypical evidence
Incident-handling personnel and contact information are designated (Safeguards 17.1-17.2)Named responders and escalation contact list
A process to report incidents is defined and communicated (Safeguard 17.3)Reporting procedure and awareness evidence
An incident response process and reporting thresholds are established (Safeguards 17.4-17.5, IG2+)IR plan, severity/thresholds definitions
Roles, communication mechanisms and third-party coordination are defined (Safeguards 17.6-17.7, IG2+)RACI, secure comms plan, external contact register
Post-incident reviews and exercises are conducted (Safeguards 17.8-17.9, IG2/IG3)Lessons-learned reports, tabletop exercise records

Control 18 — Penetration Testing

Test the effectiveness and resilience of enterprise assets by identifying and exploiting weaknesses in controls, simulating the actions of an attacker.

What to verifyTypical evidence
A penetration testing programme is established (Safeguard 18.1, IG2+)Pen-test policy, scope and frequency definition
Periodic external penetration tests are performed (Safeguard 18.2, IG2+)External pen-test reports
Findings are remediated and validated (Safeguard 18.3, IG2+)Remediation tracker and retest evidence
Internal penetration tests are performed and a validation programme runs (Safeguards 18.4-18.5, IG3)Internal test reports, purple-team / continuous validation records

Scoping the CIS Controls assessment

Sound scoping ensures the assessment is neither superficially narrow nor unmanageably broad. Because the CIS Controls are activity-based, scope is defined by enterprise assets and data rather than by physical location alone.

  • Define the enterprise: identify all business units, subsidiaries and legal entities whose assets and data fall within the programme.
  • Establish the target Implementation Group: select IG1, IG2 or IG3 based on data sensitivity, threat exposure, regulatory obligations and resourcing. The chosen IG determines which Safeguards are in scope.
  • Enumerate in-scope asset classes: end-user devices, servers, network devices, cloud workloads, mobile devices, IoT/OT and applications, whether on-premises, remote or hosted.
  • Include cloud and outsourced services: SaaS, IaaS, PaaS and managed service providers are in scope; Control 15 governs how their obligations are apportioned.
  • Document exclusions with justification: any asset, business unit or Safeguard excluded should carry a documented, risk-based rationale and an owner.
  • Confirm the assessment boundary in writing and obtain sign-off from the accountable executive before fieldwork begins.
Scoping tip
Start by scoping to the target Implementation Group, not to all 153 Safeguards. An IG1 assessment (56 Safeguards in v8) is achievable for most SMBs within a single quarter and provides a defensible baseline before advancing to IG2. Over-scoping is the most common reason CIS programmes stall.

Implementation approach

A phased implementation converts the assessment findings into a durable programme. The following four phases move an organisation from visibility to continuous improvement.

Phase 1 — Discover and establish foundational hygiene (IG1)

Activities: build the enterprise asset and software inventories (Controls 1-2); implement secure configuration baselines using CIS Benchmarks (Control 4); enforce account and access hygiene including MFA (Controls 5-6); deploy anti-malware and basic backups (Controls 10-11); launch awareness training (Control 14).

Deliverables: authoritative asset and software registers, hardened baseline standards, MFA enforcement report, backup and recovery policy, initial training completion records, and an IG1 gap assessment.

Phase 2 — Strengthen detection and management (IG2)

Activities: implement continuous vulnerability management (Control 7); centralise audit logging into a SIEM (Control 8); deploy email/web protections and DMARC (Control 9); establish network monitoring and segmentation (Controls 12-13); formalise service provider management (Control 15) and incident response (Control 17).

Deliverables: vulnerability management SLAs and scan reports, centralised log platform with 90-day retention, DMARC enforcement, network architecture diagrams, vendor risk register, and a tested incident response plan.

Phase 3 — Mature and validate (IG3)

Activities: implement application security across the SDLC (Control 16); introduce data-loss prevention and sensitive-data access logging (Control 3); deploy advanced network defences including IPS and NAC (Control 13); stand up a penetration testing and validation programme (Control 18).

Deliverables: secure SDLC evidence and SAST/DAST integration, DLP alerting, IPS/NAC deployment, penetration test reports with validated remediation, and privileged access workstations.

Phase 4 — Operate, measure and improve

Activities: institutionalise metrics and reporting; conduct periodic reassessments using CIS CSAT; run tabletop exercises and purple-team validation; feed lessons learned back into baselines; track Safeguard implementation trend over time.

Deliverables: a live KPI dashboard, quarterly management reports, updated risk register, exercise reports, and a rolling improvement backlog.

Implementation Group model (scoring/maturity)

Rather than a five-level maturity ladder, CIS Version 8 uses three Implementation Groups to express how much of the framework applies to a given organisation. Assessment maturity itself is commonly expressed using the CIS CSAT scoring scale (Not Implemented, Partially Implemented, Implemented, and validated states), which can be overlaid on the Implementation Groups. The table summarises both dimensions.

Implementation GroupTarget organisation profileApprox. safeguards (v8)Assessment maturity states applied
IG1 — Essential Cyber HygieneSmall/medium enterprise with limited IT/security expertise; commodity threat exposure; primary concern is keeping the business operational56Policy defined; Control implemented; Control automated; Control reported
IG2 — EnhancedEnterprise managing more sensitive data and greater operational complexity; dedicated IT/security staff; regulatory obligations74 additional (130 cumulative)Adds automation and centralised management maturity
IG3 — AdvancedOrganisation with sensitive data, sophisticated adversaries and mature security function; may face targeted, well-resourced attacks23 additional (153 total)Full validation, testing and continuous assurance
CSAT scoring stateMeaningAuditor interpretation
Not ImplementedNo policy or activity exists for the SafeguardGap; requires remediation plan
Partially ImplementedSome elements exist but coverage is incomplete or inconsistentFinding; scope or consistency gap
ImplementedThe Safeguard is fully in place across scopeSatisfied at baseline
Policy Defined / Control Automated / Control ReportedProgressive maturity: documented, technically enforced, and metrics reportedHigher assurance; suitable for IG2/IG3 attestation

Assessment and audit approach

A repeatable, evidence-driven methodology produces defensible conclusions. The following ordered steps describe a typical CyberSigma CIS Controls assessment engagement.

  1. Kick-off and scoping: agree the enterprise boundary, target Implementation Group, in-scope asset classes and timeline; obtain executive sponsorship.
  2. Documentation review: examine policies, standards, inventories, architecture diagrams and prior assessment reports against the in-scope Safeguards.
  3. Tooling and data collection: gather configuration exports, scan results, SIEM samples, MFA and patch reports, and CIS CSAT self-assessment inputs.
  4. Interviews and walkthroughs: interview asset owners, administrators and process owners to corroborate documented controls and observe them operating.
  5. Technical verification: sample-test configurations against CIS Benchmarks, validate MFA enforcement, review log coverage and retention, and inspect backup restorability.
  6. Scoring: rate each in-scope Safeguard against the CSAT maturity states, recording evidence references for every rating.
  7. Gap analysis and risk rating: identify gaps, assess residual risk using likelihood and impact, and prioritise by risk reduction per Safeguard.
  8. Reporting: produce an executive summary, detailed Safeguard-level findings, a prioritised remediation roadmap aligned to the Implementation Groups, and framework mappings.
  9. Remediation support and re-test: assist with prioritised fixes, then re-assess remediated Safeguards to confirm closure and update the maturity baseline.

Evidence request list

The following categorised list captures the artefacts typically requested during a CIS Controls assessment. Providing these in advance accelerates fieldwork.

  • Governance and policy: information security policy, acceptable use policy, data classification and retention policy, vendor risk policy, incident response plan, secure development policy.
  • Asset and software: enterprise asset inventory/CMDB export, software inventory, end-of-life register, allowlisting configuration.
  • Configuration and hardening: CIS Benchmark-aligned baseline standards, configuration management tool exports, drift/compliance reports, host firewall status.
  • Identity and access: account inventory, privileged account register, MFA enforcement reports, access recertification records, RBAC role definitions.
  • Vulnerability and patch: vulnerability scan reports, patch compliance dashboards, remediation SLA tracking.
  • Logging and monitoring: logging policy, SIEM source list and retention configuration, sample alerts, log review records.
  • Data protection: data inventory/map, encryption reports (at rest, in transit, removable media), DLP alerts, disposal certificates.
  • Resilience: backup schedules and success reports, restore test results, offline/immutable backup evidence.
  • Network: architecture diagrams, segmentation firewall rules, network device patch status, IDS/IPS configuration.
  • Third party: service provider inventory, risk tiering, contracts/DPAs, SOC 2 reports, monitoring records.
  • Application security: secure SDLC evidence, SAST/DAST reports, software bill of materials, code review records.
  • People: awareness training content and completion records, phishing simulation results, role-based training assignments.
  • Testing and IR: penetration test reports, remediation/retest evidence, incident records, tabletop exercise reports, post-incident reviews.

Roles and responsibilities

Clear ownership is essential to sustain a CIS Controls programme. The following RACI-style table maps typical roles to programme responsibilities.

RolePrimary responsibilitiesAccountable for
Executive sponsor (CISO / CIO)Approves scope and budget, champions the programme, accepts residual riskOverall security posture and risk acceptance
Security programme managerCoordinates assessment, tracks remediation, maintains the roadmapProgramme delivery and reporting
IT operations / infrastructureMaintains asset/software inventories, applies hardening and patchesControls 1, 2, 4, 7, 12
Identity and access teamManages accounts, privileges and MFAControls 5, 6
Security operations (SOC)Operates SIEM, monitoring, malware defence and incident responseControls 8, 10, 13, 17
Data protection / privacy officerOwns data classification, retention and DLPControl 3
Application development / DevSecOpsImplements secure SDLC and application testingControl 16
Vendor / procurement managementManages service provider risk and contractsControl 15
Human resources / L&DDelivers awareness and role-based trainingControl 14
Internal audit / assuranceIndependently validates control effectivenessAssessment integrity

KPIs to track

Metrics turn the CIS Controls from a point-in-time assessment into a managed programme. Track a balanced set of coverage, timeliness and outcome measures.

  • Percentage of enterprise assets and software in the authoritative inventory (coverage and accuracy).
  • Percentage of in-scope Safeguards rated Implemented or higher, trended over time.
  • MFA coverage across externally exposed and privileged accounts.
  • Mean time to patch critical and high vulnerabilities against SLA.
  • Vulnerability remediation SLA adherence rate and open critical-vulnerability count.
  • Percentage of assets conforming to CIS Benchmark baselines (configuration drift).
  • Log source coverage and percentage of assets forwarding to the SIEM.
  • Backup success rate and successful restore test rate.
  • Security awareness training completion rate and phishing simulation click/report rates.
  • Mean time to detect and mean time to respond to security incidents.
  • Percentage of service providers risk-assessed and under contract with security terms.
  • Penetration test findings remediated within target timeframe.

Readiness checklist

Use this checklist to gauge whether the organisation is prepared for a formal CIS Controls assessment or attestation.

  • Target Implementation Group (IG1/IG2/IG3) selected and justified by risk.
  • Enterprise boundary and in-scope asset classes documented and signed off.
  • Authoritative asset and software inventories exist and are current.
  • Secure configuration baselines aligned to CIS Benchmarks are defined and enforced.
  • MFA is enforced for remote, external and privileged access.
  • Vulnerability scanning and patch management operate on a defined cadence.
  • Audit logs are centralised with at least 90 days retention (IG2+).
  • Backups are automated, protected and periodically restore-tested.
  • Data classification and protection controls are in place for sensitive data.
  • Incident response plan is documented, assigned and exercised.
  • Service providers are inventoried and risk-assessed.
  • Security awareness training is delivered and completion is tracked.
  • A CIS CSAT self-assessment has been completed and gaps recorded.
  • Evidence artefacts are collated and owners are identified for each Control.

Common gaps and pitfalls

Across CIS Controls assessments, the same weaknesses recur. Anticipating them accelerates readiness.

  • Incomplete or stale asset and software inventories, undermining every downstream Control.
  • Attempting all 153 Safeguards at once instead of scoping to the appropriate Implementation Group.
  • MFA deployed for email but not for VPN, administrative consoles or cloud management planes.
  • Configuration baselines documented but not enforced or monitored for drift.
  • Logs collected locally but not centralised, correlated, retained for 90 days or reviewed.
  • Backups that are never restore-tested, or that lack an offline/immutable copy vulnerable to ransomware.
  • Vulnerability scans run but findings not remediated within defined SLAs or re-validated.
  • Service provider risk unmanaged, with sensitive data held by vendors under no security obligations.
  • Awareness training treated as an annual tick-box with no role-based depth or phishing simulation.
  • Incident response plan that exists on paper but has never been exercised.
  • Treating the CIS Controls as a one-time project rather than a continuously operated programme.
  • No named owner for individual Controls, so accountability diffuses and gaps persist.

CIS Controls mapped to other frameworks

CIS publishes authoritative mappings that make the Controls an efficient implementation layer beneath governance frameworks. The illustrative table below shows how selected Controls relate to widely used standards; consult the official CIS mapping documents for the full, current cross-references.

CIS ControlNIST CSF 2.0NIST SP 800-53ISO/IEC 27001:2022PCI DSS v4.0
1-2 Asset & Software InventoryIdentify (ID.AM)CM-8, PM-55.9, 5.10, 8.12.4, 12.5
3 Data ProtectionProtect (PR.DS)SC-28, MP-65.12, 8.10, 8.123.x, 4.x
4 Secure ConfigurationProtect (PR.PS)CM-2, CM-68.92.2
5-6 Account & Access ControlProtect (PR.AA)AC-2, AC-6, IA-25.15, 5.18, 8.27.x, 8.x
7 Vulnerability ManagementIdentify/Protect (ID.RA, PR.PS)RA-5, SI-28.86.3, 11.3
8 Audit Log ManagementDetect (DE.CM)AU-2, AU-68.1510.x
10 Malware DefencesProtect (PR.PS)SI-38.75.x
11 Data RecoveryRecover (RC.RP)CP-9, CP-108.1312.10
13 Network Monitoring & DefenceDetect (DE.CM)SI-48.1611.5
16 Application Software SecurityProtect (PR.PS)SA-11, SA-158.25, 8.286.2
17 Incident ResponseRespond (RS)IR-4, IR-85.24, 5.2612.10
18 Penetration TestingIdentify (ID.RA)CA-88.811.4

How CyberSigma helps

Partner with CyberSigma for your CIS Controls programme
CyberSigma provides end-to-end CIS Controls services: Implementation Group selection and scoping, CIS CSAT-based gap assessment, CIS Benchmark hardening, prioritised remediation roadmaps, and control implementation across identity, logging, vulnerability management, data protection and incident response. Our CERT-In empanelled and PCI QSA-qualified assessors deliver auditor-grade, evidence-backed reports, then help you operationalise the Controls into a continuously measured programme mapped to NIST CSF, ISO 27001, PCI DSS and DPDP obligations, so a single body of work satisfies multiple stakeholders. Contact CyberSigma to move from a static assessment to durable, defensible cyber hygiene.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

What are CIS Implementation Groups?
IG1–IG3 are tiers of safeguards. IG1 is the minimum "essential cyber hygiene" every organisation should meet; IG2 and IG3 add safeguards for higher-risk enterprises.
Are CIS Controls free?
Yes, the CIS Controls and many supporting resources (like CIS Benchmarks) are freely available from the Center for Internet Security.

Need help with CIS Controls?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.