Skip to main content

CIS Critical Security Controls v8

CIS Controls v8 distill security advice into 18 prioritized controls with implementation groups that scale to any organization. They give teams a ranked, actionable to-do list mapped to other major frameworks.

Best Practice: CIS Critical Security Controls v8

The CIS Critical Security Controls (CIS Controls) v8 are a prioritized set of 18 controls and their underlying safeguards that defend against the most common cyber attacks. They are ordered so that the earliest controls, such as inventory of assets and software, deliver the greatest risk reduction first. Version 8 also defines three Implementation Groups (IG1, IG2, IG3) that scale the safeguards to an organization's size and maturity. They matter because they translate the overwhelming universe of security advice into a concrete, ranked to-do list that small teams can actually follow. For a small team it is the rare security guidance that says what to do first; for leadership it is a defensible, evidence-based prioritization. The Implementation Groups make it scalable: IG1 is basic cyber hygiene every organization should reach, while IG2 and IG3 add depth for higher-risk environments. A defining feature of v8 is that it is task-based rather than device-based, which fits cloud and remote work where the network perimeter has dissolved. Each safeguard is written as a discrete action a team can assign and verify, and the community publishes mappings so work done here counts toward other frameworks too.

Step-by-Step Implementation Guidance

  1. Pick an Implementation Group (IG1, IG2, or IG3) that matches your size and risk.
  2. Build an accurate inventory of enterprise assets and software (Controls 1 and 2).
  3. Establish secure configurations and continuous vulnerability management.
  4. Enforce account and access control management safeguards.
  5. Add data protection, logging, and malware defenses in priority order.
  6. Implement the remaining safeguards for your chosen group.
  7. Measure safeguard coverage and improve toward the next group when ready.

Common Mistakes Teams Make When Ignoring This Practice

  • Trying to do everything at once instead of following the prioritized order.
  • Skipping asset and software inventory, the foundation everything else depends on.
  • Choosing an Implementation Group beyond the team's capacity to sustain.
  • Treating the controls as a checklist without continuous measurement.
  • Failing to use the mappings to other frameworks, duplicating effort.
  • Jumping to advanced safeguards while the basic IG1 hygiene that blocks most attacks remains incomplete.

Tools and Techniques That Support This Practice

  • The CIS Controls Self Assessment Tool (CIS CSAT) for tracking progress.
  • CIS Benchmarks for secure configuration of operating systems and platforms.
  • Asset discovery and vulnerability scanners for Controls 1 to 7.
  • SIEM and log management for audit log safeguards.
  • Framework mappings to CSF 2.0, NIST 800-53, and ISO 27001.
  • CIS Hardened Images and benchmark scanners to enforce secure baselines on cloud and on-prem systems.

How This Practice Applies to Different Migration Types

  • Cloud Migration: Re-run inventory and secure-configuration safeguards against new cloud assets.
  • Database Migration: Apply data protection and access control safeguards to the migrated store.
  • SaaS Migration: Map vendor controls to the relevant CIS safeguards during onboarding.
  • Codebase Migration: Apply secure configuration and account management safeguards to new pipelines and environments.

Checklist

  • Selected an Implementation Group appropriate to the organization
  • Built an accurate asset and software inventory
  • Established secure configurations
  • Implemented continuous vulnerability management
  • Enforced account and access control safeguards
  • Added data protection and logging safeguards
  • Measured safeguard coverage and planned next steps