Introduction: The CIS Critical Security Controls
The CIS Critical Security Controls (commonly called the CIS Controls) are a prioritised, prescriptive and community-developed set of safeguards designed to mitigate the most prevalent and dangerous cyber-attacks affecting modern organisations. Maintained by the Center for Internet Security (CIS), a not-for-profit entity headquartered in East Greenbush, New York, the Controls translate the collective knowledge of thousands of security practitioners into a defensible, action-oriented programme. Unlike broad governance frameworks that describe what good security looks like in abstract terms, the CIS Controls tell you precisely what to do, in what order, to obtain the greatest defensive return for the least effort.
The current edition, CIS Controls Version 8 (released May 2021, with an incremental v8.1 update in 2024 that aligns the asset taxonomy with the NIST Cybersecurity Framework 2.0 functions and adds Governance as a security function), consolidates the historically dispersed twenty controls into eighteen top-level Controls comprising 153 individual Safeguards. The Controls are organised around activities rather than around the type of device that performs them, a deliberate shift reflecting the reality of cloud computing, mobility, virtualisation and outsourcing. This guide provides an auditor-grade walk-through of every Control, every Implementation Group, the assessment evidence you should expect to see, and a pragmatic route to adoption for organisations of any size.
What are the CIS Controls?
The CIS Controls are a defence-in-depth model of cyber hygiene expressed as a small number of high-value activities. They began life in 2008 as the 'Consensus Audit Guidelines', were later stewarded by the SANS Institute as the 'SANS Top 20', and since 2015 have been owned and maintained by CIS. Each successive version has been refined using real-world attack data, the MITRE ATT&CK knowledge base and the annual Verizon Data Breach Investigations Report, ensuring the safeguards remain empirically tied to how breaches actually occur.
Three structural concepts define Version 8 and are essential to any assessment:
- Controls: the eighteen top-level categories of defensive activity, numbered CIS Control 1 through CIS Control 18, each addressing a distinct risk area such as asset inventory, data protection, or incident response.
- Safeguards: the 153 discrete, testable actions (formerly called 'Sub-Controls') nested beneath the Controls. Each Safeguard is a single, atomic requirement written so it can be measured as implemented or not implemented.
- Implementation Groups (IG1, IG2, IG3): a tiering mechanism that assigns each Safeguard to a level of organisational maturity and risk exposure, so that a small business and a large enterprise can each adopt a defensible subset. IG1 defines essential cyber hygiene, IG2 builds on IG1 for organisations managing greater complexity, and IG3 addresses organisations with sensitive data and sophisticated adversaries.
Crucially, the CIS Controls are voluntary and framework-agnostic. They are not a law and confer no certification of their own, yet they are explicitly referenced by regulators and standards bodies, map cleanly to NIST CSF, NIST SP 800-53, ISO/IEC 27001, PCI DSS and DPDP-driven security expectations, and are frequently adopted as the technical implementation layer beneath a governance framework.
Who must comply with the CIS Controls?
No statute mandates the CIS Controls by name. However, they are strongly recommended, contractually required or effectively obligatory for a wide range of organisations because they are recognised as a reasonable standard of care and are cross-referenced by binding regimes. The table below summarises typical applicability.
| Organisation / context | Nature of obligation | Recommended Implementation Group |
|---|---|---|
| Small and medium businesses (SMBs) | Voluntary best practice; increasingly required by cyber-insurance underwriters and enterprise supply-chain questionnaires | IG1 (essential cyber hygiene) |
| Enterprises handling regulated or client data | Voluntary, but used to demonstrate due diligence and 'reasonable security' in litigation and regulatory review | IG2 |
| Critical infrastructure and high-value targets | Expected baseline; often written into sector regulatory guidance and government procurement | IG3 |
| US State, Local, Tribal and Territorial (SLTT) government | Frequently mandated via MS-ISAC membership and state policy; CIS is the operator of the MS-ISAC | IG1 to IG2 minimum |
| Defence and government contractors | Referenced indirectly via NIST SP 800-171 / CMMC mappings | IG2 to IG3 |
| Organisations subject to PCI DSS, HIPAA, ISO 27001 or DPDP | Not directly required, but CIS Safeguards operationalise many mandated controls and simplify audit evidence | IG2 |
| Cyber-insurance applicants | Increasingly a precondition of coverage; insurers request CIS Control attestation | IG1 minimum, IG2 preferred |
In practice, any organisation seeking a demonstrable, prioritised and cost-effective security programme is a candidate for CIS Controls adoption. The Implementation Group model means the framework scales from a two-person startup to a multinational bank without leaving smaller organisations paralysed by irrelevant requirements.
Structure of the CIS Controls (Version 8)
Version 8 comprises eighteen Controls and 153 Safeguards. Each Control has a defined purpose, an ordered set of Safeguards, and an allocation of those Safeguards across the three Implementation Groups. The table enumerates all eighteen Controls, their Safeguard counts and the number of Safeguards applicable to each Implementation Group (IG1 counts are cumulative into IG2 and IG3).
| Control # | Control name | Total safeguards | IG1 | IG2 | IG3 |
|---|---|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | 5 | 2 | 4 | 5 |
| 2 | Inventory and Control of Software Assets | 7 | 3 | 6 | 7 |
| 3 | Data Protection | 14 | 6 | 12 | 14 |
| 4 | Secure Configuration of Enterprise Assets and Software | 12 | 7 | 11 | 12 |
| 5 | Account Management | 6 | 4 | 6 | 6 |
| 6 | Access Control Management | 8 | 5 | 7 | 8 |
| 7 | Continuous Vulnerability Management | 7 | 4 | 7 | 7 |
| 8 | Audit Log Management | 12 | 3 | 11 | 12 |
| 9 | Email and Web Browser Protections | 7 | 2 | 6 | 7 |
| 10 | Malware Defences | 7 | 3 | 7 | 7 |
| 11 | Data Recovery | 5 | 4 | 5 | 5 |
| 12 | Network Infrastructure Management | 8 | 1 | 7 | 8 |
| 13 | Network Monitoring and Defence | 11 | 0 | 6 | 11 |
| 14 | Security Awareness and Skills Training | 9 | 8 | 9 | 9 |
| 15 | Service Provider Management | 7 | 1 | 4 | 7 |
| 16 | Application Software Security | 14 | 0 | 11 | 14 |
| 17 | Incident Response Management | 9 | 3 | 8 | 9 |
| 18 | Penetration Testing | 5 | 0 | 3 | 5 |
The Controls are deliberately ordered so that the earliest Controls (asset and software inventory, data protection, secure configuration) deliver the highest marginal risk reduction. An organisation that cannot see its assets cannot protect them, which is why Control 1 sits at the top. The following master assessment section examines every Control and its Safeguards in turn.
Master assessment checklist: every Control and Safeguard
This is the operational heart of the guide. For each of the eighteen Controls, we describe the assessment intent, then provide a verification table listing what an auditor should confirm and the typical evidence that substantiates it. Coverage is complete: no Control or Safeguard family is omitted.
Control 1 — Inventory and Control of Enterprise Assets
Establish and maintain an accurate, detailed and up-to-date inventory of all enterprise assets (end-user devices, network devices, IoT, servers) whether on-premises, virtual, remote or cloud-hosted, so that only authorised devices are granted access.
| What to verify | Typical evidence |
|---|---|
| A documented enterprise asset inventory exists and is reviewed at least bi-annually (Safeguard 1.1) | Asset register / CMDB export with review timestamps and owner sign-off |
| Unauthorised assets are addressed by removal, quarantine or update (Safeguard 1.2) | Remediation tickets, network access control logs, exception register |
| An active discovery tool identifies connected assets (Safeguard 1.3, IG2+) | Discovery tool configuration and scan schedule, sample scan output |
| DHCP logging is used to update the asset inventory (Safeguard 1.4, IG2+) | DHCP server logs and the integration pipeline into the CMDB |
| A passive asset discovery tool supplements active scanning (Safeguard 1.5, IG3) | Passive sensor deployment map and reconciliation reports |
Control 2 — Inventory and Control of Software Assets
Actively manage all software (operating systems and applications) so that only authorised software is installed and can execute, and unauthorised or unmanaged software is found and prevented from running.
| What to verify | Typical evidence |
|---|---|
| A software inventory is maintained and reviewed bi-annually (Safeguard 2.1) | Software inventory report with version, publisher and business purpose |
| Only currently supported software is authorised; unsupported software is documented (Safeguard 2.2) | End-of-life register, vendor support statements, exception approvals |
| Unauthorised software is removed or granted a documented exception (Safeguard 2.3) | Removal tickets, exception log with expiry dates |
| Automated software inventory tooling is deployed (Safeguard 2.4, IG2+) | SAM / EDR software inventory dashboards |
| An allowlist of authorised software is enforced (Safeguard 2.5, IG2+) | Application allowlisting policy and enforcement tool config |
| Allowlisting extends to authorised libraries and scripts (Safeguards 2.6-2.7, IG2/IG3) | Library and script allowlist rulesets, blocked-execution logs |
Control 3 — Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data across its entire lifecycle.
| What to verify | Typical evidence |
|---|---|
| A data management process exists (Safeguard 3.1) | Data governance policy, data lifecycle procedures |
| A data inventory is maintained (Safeguard 3.2) | Data inventory / data map covering sensitive data locations |
| Data access control lists enforce least privilege (Safeguard 3.3) | ACL configurations, access review records |
| Data retention is enforced (Safeguard 3.4) | Retention schedule and automated purge evidence |
| Data is securely disposed of (Safeguard 3.5) | Media sanitisation certificates, disposal logs |
| Data on end-user devices is encrypted (Safeguard 3.6) | BitLocker / FileVault / MDM encryption reports |
| A data classification scheme is established and applied (Safeguard 3.7, IG2+) | Classification policy, labelled sample data sets |
| Data flows are documented (Safeguard 3.8, IG2+) | Data flow diagrams and inter-system transfer maps |
| Data on removable media is encrypted (Safeguard 3.9, IG2+) | USB encryption / DLP policy enforcement logs |
| Sensitive data in transit and DLP monitoring are in place (Safeguards 3.10-3.13, IG2/IG3) | TLS configuration, DLP alerts, access logging, encryption-at-rest evidence |
| Sensitive data access is logged (Safeguard 3.14, IG3) | Audit logs of sensitive data reads/writes |
Control 4 — Secure Configuration of Enterprise Assets and Software
Establish and maintain secure baseline configurations for assets and software, and manage them through change control to reduce the attack surface.
| What to verify | Typical evidence |
|---|---|
| A secure configuration process exists for assets and software (Safeguards 4.1-4.2) | Hardening standards referencing CIS Benchmarks, baseline documents |
| A host-based firewall or port-filtering is enabled (Safeguard 4.4) | Firewall policy export, endpoint firewall status report |
| Sessions lock automatically after inactivity (Safeguard 4.3) | GPO / MDM lock-screen configuration |
| Secure configuration is enforced on servers and network devices (Safeguards 4.5-4.6) | Configuration management tool baselines and drift reports |
| Default accounts are managed or disabled (Safeguard 4.7) | Account audit showing renamed/disabled defaults |
| Unnecessary services are uninstalled or disabled (Safeguard 4.8, IG2+) | Service inventory and disablement records |
| Trusted DNS servers are configured (Safeguard 4.9, IG2+) | DNS configuration, filtering resolver evidence |
| Automatic device lockout and remote wipe are enforced on portable devices (Safeguards 4.10-4.11, IG2+) | MDM policy showing lockout thresholds and wipe capability |
| Separate enterprise workspaces are enforced on mobile devices (Safeguard 4.12, IG3) | MDM containerisation configuration |
Control 5 — Account Management
Manage the lifecycle and privileges of all accounts (user, administrator and service) to prevent unauthorised access.
| What to verify | Typical evidence |
|---|---|
| An inventory of all accounts is maintained (Safeguard 5.1) | Account inventory export, joiner-mover-leaver records |
| Unique passwords are used and complexity is enforced (Safeguard 5.2) | Password policy configuration |
| Dormant accounts are disabled (Safeguard 5.3) | Stale-account review and disablement logs |
| Administrator privileges are restricted to dedicated accounts (Safeguard 5.4) | Privileged account register showing separation from daily-use accounts |
| An inventory of service accounts is maintained (Safeguard 5.5, IG2+) | Service account register with owner and purpose |
| Account management is centralised (Safeguard 5.6, IG2+) | Directory service / IdP integration evidence |
Control 6 — Access Control Management
Create, assign, manage and revoke access credentials and privileges for all accounts, applying least privilege and strong authentication.
| What to verify | Typical evidence |
|---|---|
| An access granting and revoking process is defined (Safeguards 6.1-6.2) | Provisioning/deprovisioning workflow, offboarding tickets |
| MFA is required for externally exposed and remote access (Safeguards 6.3-6.5) | MFA policy, IdP enforcement logs, VPN MFA config |
| An access control inventory / authorisation matrix exists (Safeguard 6.6, IG2+) | Role-to-permission matrix, entitlement catalogue |
| Access grants are reviewed periodically (Safeguard 6.7, IG2+) | Access recertification campaign records |
| Role-based access control is defined and enforced (Safeguard 6.8, IG3) | RBAC role definitions and enforcement evidence |
Control 7 — Continuous Vulnerability Management
Continuously identify, prioritise and remediate vulnerabilities to minimise the window of exposure.
| What to verify | Typical evidence |
|---|---|
| A vulnerability management process and remediation cadence are defined (Safeguards 7.1-7.2) | Vulnerability management policy with SLAs |
| Automated OS and application patch management is in place (Safeguards 7.3-7.4) | Patch tool dashboards, compliance percentage reports |
| Automated internal and external vulnerability scanning runs on a schedule (Safeguards 7.5-7.6, IG2+) | Scan schedules and sample scan reports |
| Detected vulnerabilities are remediated within SLA and re-scanned (Safeguard 7.7, IG2+) | Remediation tracking with closure evidence and verification scans |
Control 8 — Audit Log Management
Collect, alert on, review and retain audit logs to detect, understand and recover from attacks.
| What to verify | Typical evidence |
|---|---|
| An audit log management process is established (Safeguard 8.1) | Logging policy defining what is logged and retained |
| Audit logs are enabled across assets (Safeguard 8.2) | Log source inventory, enablement configuration |
| Adequate log storage is provisioned (Safeguard 8.3) | Storage sizing calculation, retention configuration |
| Time synchronisation and detailed logging are configured (Safeguards 8.4-8.5, IG2+) | NTP configuration, log verbosity settings |
| DNS, URL, command-line and other detailed logs are collected (Safeguards 8.6-8.8, IG2+) | SIEM source list and sample events |
| Logs are centralised and retained at least 90 days (Safeguards 8.9-8.10, IG2+) | SIEM ingestion config and retention proof |
| Logs are reviewed and service provider logs are collected (Safeguards 8.11-8.12, IG2/IG3) | Log review records, cloud/provider log integration |
Control 9 — Email and Web Browser Protections
Reduce the attack surface presented by email and web browsers, the two most common vectors of initial compromise.
| What to verify | Typical evidence |
|---|---|
| Only fully supported browsers and email clients are used (Safeguard 9.1) | Software inventory of client applications |
| DNS filtering services are enforced (Safeguard 9.2) | DNS filter configuration and block reports |
| Network-based URL filters are maintained (Safeguard 9.3, IG2+) | Web proxy / secure web gateway policy |
| Unnecessary browser and email extensions are restricted (Safeguard 9.4, IG2+) | Extension allowlist policy |
| DMARC, DKIM and SPF are implemented (Safeguard 9.5, IG2+) | DNS records and DMARC aggregate reports |
| Attachment filtering and anti-malware email scanning are in place (Safeguards 9.6-9.7, IG2/IG3) | Email gateway configuration and quarantine logs |
Control 10 — Malware Defences
Prevent or control the installation, spread and execution of malicious applications, code and scripts.
| What to verify | Typical evidence |
|---|---|
| Anti-malware software is deployed and centrally managed (Safeguards 10.1-10.2) | EDR/AV console showing coverage and update status |
| Automatic signature/definition updates are enabled (Safeguard 10.2) | Definition currency report |
| Autorun/autoplay for removable media is disabled (Safeguard 10.3) | GPO / MDM configuration |
| Automated scanning of removable media occurs (Safeguard 10.4, IG2+) | Removable-media scan logs |
| Anti-exploitation features are enabled (Safeguard 10.5, IG2+) | DEP/ASLR/attack-surface-reduction settings |
| Anti-malware is centrally managed with behaviour-based detection (Safeguards 10.6-10.7, IG2/IG3) | EDR behavioural policy and detection alerts |
Control 11 — Data Recovery
Establish and maintain practices to restore in-scope assets to a trusted, pre-incident state.
| What to verify | Typical evidence |
|---|---|
| A data recovery process is established (Safeguard 11.1) | Backup and recovery policy with RPO/RTO |
| Automated backups are performed (Safeguard 11.2) | Backup schedules and success reports |
| Backup data is protected (Safeguard 11.3) | Encryption and access controls on backup repositories |
| At least one recovery copy is isolated / offline / immutable (Safeguard 11.4, IG2+) | Offsite/immutable backup configuration |
| Recovery is tested periodically (Safeguard 11.5, IG2+) | Restore test reports and outcomes |
Control 12 — Network Infrastructure Management
Establish, implement and actively manage network devices to prevent attackers from exploiting vulnerable services and access points.
| What to verify | Typical evidence |
|---|---|
| Network infrastructure is kept up to date (Safeguard 12.1) | Firmware/patch status of routers, switches, firewalls |
| A secure network architecture is maintained (Safeguard 12.2, IG2+) | Network segmentation diagrams and design documents |
| Network infrastructure is managed securely (Safeguard 12.3, IG2+) | Configuration management and change control records |
| Network architecture diagrams are maintained (Safeguard 12.4, IG2+) | Current, dated network diagrams |
| Management traffic is centralised and secured (Safeguards 12.5-12.7, IG2+) | Out-of-band or secured management network, encrypted admin protocols |
| Dedicated computing resources for administrative work are enforced (Safeguard 12.8, IG3) | Privileged access workstation configuration |
Control 13 — Network Monitoring and Defence
Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against threats across the enterprise infrastructure and user base.
| What to verify | Typical evidence |
|---|---|
| Centralised security event alerting is deployed (Safeguard 13.1, IG2+) | SIEM alerting rules and dashboards |
| Host-based and network intrusion detection is deployed (Safeguards 13.2-13.3, IG2/IG3) | HIDS/NIDS deployment and alert samples |
| Traffic is filtered between network segments (Safeguard 13.4, IG2+) | Inter-segment firewall rules |
| Remote assets are managed and traffic is centrally collected (Safeguards 13.5-13.6, IG2/IG3) | VPN/ZTNA posture checks, network flow collection |
| Intrusion prevention, port-level controls and application-layer filtering are deployed (Safeguards 13.7-13.10, IG3) | IPS configuration, 802.1X/NAC, application firewall rules |
| Alerting thresholds are tuned (Safeguard 13.11, IG3) | Tuning documentation and false-positive review |
Control 14 — Security Awareness and Skills Training
Establish and maintain a security awareness programme to influence behaviour among the workforce so they are security-conscious and appropriately skilled.
| What to verify | Typical evidence |
|---|---|
| A security awareness programme exists (Safeguard 14.1) | Programme charter and annual plan |
| Training covers social engineering, authentication, data handling and incident recognition (Safeguards 14.2-14.6) | Training content, completion records |
| Training covers causes of unintentional data exposure and network/system dangers (Safeguards 14.4-14.7) | Curriculum mapping and attendance logs |
| Training addresses secure practices for remote and mobile working (Safeguard 14.8) | Remote-work security module records |
| Role-specific security training is delivered (Safeguard 14.9, IG2+) | Role-based training assignments and completion |
Control 15 — Service Provider Management
Develop a process to evaluate service providers who hold sensitive data or are responsible for critical IT platforms, to ensure they protect those assets appropriately.
| What to verify | Typical evidence |
|---|---|
| An inventory of service providers is maintained (Safeguard 15.1) | Third-party register with data and criticality classification |
| A service provider management policy exists (Safeguard 15.2, IG2+) | Vendor risk management policy |
| Service providers are classified by risk (Safeguard 15.3, IG2+) | Provider risk-tiering methodology and results |
| Security requirements are included in contracts (Safeguard 15.4, IG2+) | Contract clauses / DPAs with security terms |
| Providers are assessed and monitored (Safeguards 15.5-15.6, IG3) | Assessment questionnaires, SOC 2 reports, monitoring records |
| Providers are securely decommissioned (Safeguard 15.7, IG3) | Offboarding checklist and data return/destruction evidence |
Control 16 — Application Software Security
Manage the security lifecycle of in-house developed, hosted or acquired software to prevent, detect and remediate weaknesses before they can be exploited.
| What to verify | Typical evidence |
|---|---|
| A secure application development process exists (Safeguard 16.1, IG2+) | Secure SDLC policy |
| Software vulnerabilities are tracked and remediated (Safeguards 16.2-16.3, IG2+) | Defect tracking, SLA adherence |
| Third-party components and their provenance are managed (Safeguards 16.4-16.5, IG2/IG3) | Software bill of materials, SCA scan results |
| Secure design, coding standards and code review are enforced (Safeguards 16.6-16.9, IG2/IG3) | Coding standards, peer-review records, training |
| Application security testing (SAST/DAST) is performed (Safeguards 16.11-16.13, IG2/IG3) | SAST/DAST reports and pipeline integration |
| Separate environments and threat modelling are used (Safeguards 16.7, 16.10, 16.14, IG3) | Environment separation evidence, threat model artefacts, root-cause analysis |
Control 17 — Incident Response Management
Establish a programme to develop and maintain incident response capability to prepare, detect and quickly respond to attacks.
| What to verify | Typical evidence |
|---|---|
| Incident-handling personnel and contact information are designated (Safeguards 17.1-17.2) | Named responders and escalation contact list |
| A process to report incidents is defined and communicated (Safeguard 17.3) | Reporting procedure and awareness evidence |
| An incident response process and reporting thresholds are established (Safeguards 17.4-17.5, IG2+) | IR plan, severity/thresholds definitions |
| Roles, communication mechanisms and third-party coordination are defined (Safeguards 17.6-17.7, IG2+) | RACI, secure comms plan, external contact register |
| Post-incident reviews and exercises are conducted (Safeguards 17.8-17.9, IG2/IG3) | Lessons-learned reports, tabletop exercise records |
Control 18 — Penetration Testing
Test the effectiveness and resilience of enterprise assets by identifying and exploiting weaknesses in controls, simulating the actions of an attacker.
| What to verify | Typical evidence |
|---|---|
| A penetration testing programme is established (Safeguard 18.1, IG2+) | Pen-test policy, scope and frequency definition |
| Periodic external penetration tests are performed (Safeguard 18.2, IG2+) | External pen-test reports |
| Findings are remediated and validated (Safeguard 18.3, IG2+) | Remediation tracker and retest evidence |
| Internal penetration tests are performed and a validation programme runs (Safeguards 18.4-18.5, IG3) | Internal test reports, purple-team / continuous validation records |
Scoping the CIS Controls assessment
Sound scoping ensures the assessment is neither superficially narrow nor unmanageably broad. Because the CIS Controls are activity-based, scope is defined by enterprise assets and data rather than by physical location alone.
- Define the enterprise: identify all business units, subsidiaries and legal entities whose assets and data fall within the programme.
- Establish the target Implementation Group: select IG1, IG2 or IG3 based on data sensitivity, threat exposure, regulatory obligations and resourcing. The chosen IG determines which Safeguards are in scope.
- Enumerate in-scope asset classes: end-user devices, servers, network devices, cloud workloads, mobile devices, IoT/OT and applications, whether on-premises, remote or hosted.
- Include cloud and outsourced services: SaaS, IaaS, PaaS and managed service providers are in scope; Control 15 governs how their obligations are apportioned.
- Document exclusions with justification: any asset, business unit or Safeguard excluded should carry a documented, risk-based rationale and an owner.
- Confirm the assessment boundary in writing and obtain sign-off from the accountable executive before fieldwork begins.
Implementation approach
A phased implementation converts the assessment findings into a durable programme. The following four phases move an organisation from visibility to continuous improvement.
Phase 1 — Discover and establish foundational hygiene (IG1)
Activities: build the enterprise asset and software inventories (Controls 1-2); implement secure configuration baselines using CIS Benchmarks (Control 4); enforce account and access hygiene including MFA (Controls 5-6); deploy anti-malware and basic backups (Controls 10-11); launch awareness training (Control 14).
Deliverables: authoritative asset and software registers, hardened baseline standards, MFA enforcement report, backup and recovery policy, initial training completion records, and an IG1 gap assessment.
Phase 2 — Strengthen detection and management (IG2)
Activities: implement continuous vulnerability management (Control 7); centralise audit logging into a SIEM (Control 8); deploy email/web protections and DMARC (Control 9); establish network monitoring and segmentation (Controls 12-13); formalise service provider management (Control 15) and incident response (Control 17).
Deliverables: vulnerability management SLAs and scan reports, centralised log platform with 90-day retention, DMARC enforcement, network architecture diagrams, vendor risk register, and a tested incident response plan.
Phase 3 — Mature and validate (IG3)
Activities: implement application security across the SDLC (Control 16); introduce data-loss prevention and sensitive-data access logging (Control 3); deploy advanced network defences including IPS and NAC (Control 13); stand up a penetration testing and validation programme (Control 18).
Deliverables: secure SDLC evidence and SAST/DAST integration, DLP alerting, IPS/NAC deployment, penetration test reports with validated remediation, and privileged access workstations.
Phase 4 — Operate, measure and improve
Activities: institutionalise metrics and reporting; conduct periodic reassessments using CIS CSAT; run tabletop exercises and purple-team validation; feed lessons learned back into baselines; track Safeguard implementation trend over time.
Deliverables: a live KPI dashboard, quarterly management reports, updated risk register, exercise reports, and a rolling improvement backlog.
Implementation Group model (scoring/maturity)
Rather than a five-level maturity ladder, CIS Version 8 uses three Implementation Groups to express how much of the framework applies to a given organisation. Assessment maturity itself is commonly expressed using the CIS CSAT scoring scale (Not Implemented, Partially Implemented, Implemented, and validated states), which can be overlaid on the Implementation Groups. The table summarises both dimensions.
| Implementation Group | Target organisation profile | Approx. safeguards (v8) | Assessment maturity states applied |
|---|---|---|---|
| IG1 — Essential Cyber Hygiene | Small/medium enterprise with limited IT/security expertise; commodity threat exposure; primary concern is keeping the business operational | 56 | Policy defined; Control implemented; Control automated; Control reported |
| IG2 — Enhanced | Enterprise managing more sensitive data and greater operational complexity; dedicated IT/security staff; regulatory obligations | 74 additional (130 cumulative) | Adds automation and centralised management maturity |
| IG3 — Advanced | Organisation with sensitive data, sophisticated adversaries and mature security function; may face targeted, well-resourced attacks | 23 additional (153 total) | Full validation, testing and continuous assurance |
| CSAT scoring state | Meaning | Auditor interpretation |
|---|---|---|
| Not Implemented | No policy or activity exists for the Safeguard | Gap; requires remediation plan |
| Partially Implemented | Some elements exist but coverage is incomplete or inconsistent | Finding; scope or consistency gap |
| Implemented | The Safeguard is fully in place across scope | Satisfied at baseline |
| Policy Defined / Control Automated / Control Reported | Progressive maturity: documented, technically enforced, and metrics reported | Higher assurance; suitable for IG2/IG3 attestation |
Assessment and audit approach
A repeatable, evidence-driven methodology produces defensible conclusions. The following ordered steps describe a typical CyberSigma CIS Controls assessment engagement.
- Kick-off and scoping: agree the enterprise boundary, target Implementation Group, in-scope asset classes and timeline; obtain executive sponsorship.
- Documentation review: examine policies, standards, inventories, architecture diagrams and prior assessment reports against the in-scope Safeguards.
- Tooling and data collection: gather configuration exports, scan results, SIEM samples, MFA and patch reports, and CIS CSAT self-assessment inputs.
- Interviews and walkthroughs: interview asset owners, administrators and process owners to corroborate documented controls and observe them operating.
- Technical verification: sample-test configurations against CIS Benchmarks, validate MFA enforcement, review log coverage and retention, and inspect backup restorability.
- Scoring: rate each in-scope Safeguard against the CSAT maturity states, recording evidence references for every rating.
- Gap analysis and risk rating: identify gaps, assess residual risk using likelihood and impact, and prioritise by risk reduction per Safeguard.
- Reporting: produce an executive summary, detailed Safeguard-level findings, a prioritised remediation roadmap aligned to the Implementation Groups, and framework mappings.
- Remediation support and re-test: assist with prioritised fixes, then re-assess remediated Safeguards to confirm closure and update the maturity baseline.
Evidence request list
The following categorised list captures the artefacts typically requested during a CIS Controls assessment. Providing these in advance accelerates fieldwork.
- Governance and policy: information security policy, acceptable use policy, data classification and retention policy, vendor risk policy, incident response plan, secure development policy.
- Asset and software: enterprise asset inventory/CMDB export, software inventory, end-of-life register, allowlisting configuration.
- Configuration and hardening: CIS Benchmark-aligned baseline standards, configuration management tool exports, drift/compliance reports, host firewall status.
- Identity and access: account inventory, privileged account register, MFA enforcement reports, access recertification records, RBAC role definitions.
- Vulnerability and patch: vulnerability scan reports, patch compliance dashboards, remediation SLA tracking.
- Logging and monitoring: logging policy, SIEM source list and retention configuration, sample alerts, log review records.
- Data protection: data inventory/map, encryption reports (at rest, in transit, removable media), DLP alerts, disposal certificates.
- Resilience: backup schedules and success reports, restore test results, offline/immutable backup evidence.
- Network: architecture diagrams, segmentation firewall rules, network device patch status, IDS/IPS configuration.
- Third party: service provider inventory, risk tiering, contracts/DPAs, SOC 2 reports, monitoring records.
- Application security: secure SDLC evidence, SAST/DAST reports, software bill of materials, code review records.
- People: awareness training content and completion records, phishing simulation results, role-based training assignments.
- Testing and IR: penetration test reports, remediation/retest evidence, incident records, tabletop exercise reports, post-incident reviews.
Roles and responsibilities
Clear ownership is essential to sustain a CIS Controls programme. The following RACI-style table maps typical roles to programme responsibilities.
| Role | Primary responsibilities | Accountable for |
|---|---|---|
| Executive sponsor (CISO / CIO) | Approves scope and budget, champions the programme, accepts residual risk | Overall security posture and risk acceptance |
| Security programme manager | Coordinates assessment, tracks remediation, maintains the roadmap | Programme delivery and reporting |
| IT operations / infrastructure | Maintains asset/software inventories, applies hardening and patches | Controls 1, 2, 4, 7, 12 |
| Identity and access team | Manages accounts, privileges and MFA | Controls 5, 6 |
| Security operations (SOC) | Operates SIEM, monitoring, malware defence and incident response | Controls 8, 10, 13, 17 |
| Data protection / privacy officer | Owns data classification, retention and DLP | Control 3 |
| Application development / DevSecOps | Implements secure SDLC and application testing | Control 16 |
| Vendor / procurement management | Manages service provider risk and contracts | Control 15 |
| Human resources / L&D | Delivers awareness and role-based training | Control 14 |
| Internal audit / assurance | Independently validates control effectiveness | Assessment integrity |
KPIs to track
Metrics turn the CIS Controls from a point-in-time assessment into a managed programme. Track a balanced set of coverage, timeliness and outcome measures.
- Percentage of enterprise assets and software in the authoritative inventory (coverage and accuracy).
- Percentage of in-scope Safeguards rated Implemented or higher, trended over time.
- MFA coverage across externally exposed and privileged accounts.
- Mean time to patch critical and high vulnerabilities against SLA.
- Vulnerability remediation SLA adherence rate and open critical-vulnerability count.
- Percentage of assets conforming to CIS Benchmark baselines (configuration drift).
- Log source coverage and percentage of assets forwarding to the SIEM.
- Backup success rate and successful restore test rate.
- Security awareness training completion rate and phishing simulation click/report rates.
- Mean time to detect and mean time to respond to security incidents.
- Percentage of service providers risk-assessed and under contract with security terms.
- Penetration test findings remediated within target timeframe.
Readiness checklist
Use this checklist to gauge whether the organisation is prepared for a formal CIS Controls assessment or attestation.
- Target Implementation Group (IG1/IG2/IG3) selected and justified by risk.
- Enterprise boundary and in-scope asset classes documented and signed off.
- Authoritative asset and software inventories exist and are current.
- Secure configuration baselines aligned to CIS Benchmarks are defined and enforced.
- MFA is enforced for remote, external and privileged access.
- Vulnerability scanning and patch management operate on a defined cadence.
- Audit logs are centralised with at least 90 days retention (IG2+).
- Backups are automated, protected and periodically restore-tested.
- Data classification and protection controls are in place for sensitive data.
- Incident response plan is documented, assigned and exercised.
- Service providers are inventoried and risk-assessed.
- Security awareness training is delivered and completion is tracked.
- A CIS CSAT self-assessment has been completed and gaps recorded.
- Evidence artefacts are collated and owners are identified for each Control.
Common gaps and pitfalls
Across CIS Controls assessments, the same weaknesses recur. Anticipating them accelerates readiness.
- Incomplete or stale asset and software inventories, undermining every downstream Control.
- Attempting all 153 Safeguards at once instead of scoping to the appropriate Implementation Group.
- MFA deployed for email but not for VPN, administrative consoles or cloud management planes.
- Configuration baselines documented but not enforced or monitored for drift.
- Logs collected locally but not centralised, correlated, retained for 90 days or reviewed.
- Backups that are never restore-tested, or that lack an offline/immutable copy vulnerable to ransomware.
- Vulnerability scans run but findings not remediated within defined SLAs or re-validated.
- Service provider risk unmanaged, with sensitive data held by vendors under no security obligations.
- Awareness training treated as an annual tick-box with no role-based depth or phishing simulation.
- Incident response plan that exists on paper but has never been exercised.
- Treating the CIS Controls as a one-time project rather than a continuously operated programme.
- No named owner for individual Controls, so accountability diffuses and gaps persist.
CIS Controls mapped to other frameworks
CIS publishes authoritative mappings that make the Controls an efficient implementation layer beneath governance frameworks. The illustrative table below shows how selected Controls relate to widely used standards; consult the official CIS mapping documents for the full, current cross-references.
| CIS Control | NIST CSF 2.0 | NIST SP 800-53 | ISO/IEC 27001:2022 | PCI DSS v4.0 |
|---|---|---|---|---|
| 1-2 Asset & Software Inventory | Identify (ID.AM) | CM-8, PM-5 | 5.9, 5.10, 8.1 | 2.4, 12.5 |
| 3 Data Protection | Protect (PR.DS) | SC-28, MP-6 | 5.12, 8.10, 8.12 | 3.x, 4.x |
| 4 Secure Configuration | Protect (PR.PS) | CM-2, CM-6 | 8.9 | 2.2 |
| 5-6 Account & Access Control | Protect (PR.AA) | AC-2, AC-6, IA-2 | 5.15, 5.18, 8.2 | 7.x, 8.x |
| 7 Vulnerability Management | Identify/Protect (ID.RA, PR.PS) | RA-5, SI-2 | 8.8 | 6.3, 11.3 |
| 8 Audit Log Management | Detect (DE.CM) | AU-2, AU-6 | 8.15 | 10.x |
| 10 Malware Defences | Protect (PR.PS) | SI-3 | 8.7 | 5.x |
| 11 Data Recovery | Recover (RC.RP) | CP-9, CP-10 | 8.13 | 12.10 |
| 13 Network Monitoring & Defence | Detect (DE.CM) | SI-4 | 8.16 | 11.5 |
| 16 Application Software Security | Protect (PR.PS) | SA-11, SA-15 | 8.25, 8.28 | 6.2 |
| 17 Incident Response | Respond (RS) | IR-4, IR-8 | 5.24, 5.26 | 12.10 |
| 18 Penetration Testing | Identify (ID.RA) | CA-8 | 8.8 | 11.4 |
How CyberSigma helps
Frequently asked questions
Need help with CIS Controls?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
