CIS Controls

CIS Critical Security Controls v8.1

StandardInternational

The CIS Critical Security Controls v8.1, released June 2024, are a prioritised set of 18 controls and 153 safeguards for defending against the most common cyber attacks. Organised into three Implementation Groups (IG1-IG3), they provide a scalable approach from basic cyber hygiene to advanced security operations applicable to organisations of all sizes.

Also explore

GDPR DORA NIS2 SOC 2 HIPAA PCI DSS ISO 27001 CMMC IEC 62443 NERC CIP MITRE ATT&CK ICS CISA CPGs Saudi OTCC NIST CSF 2.0 NIST 800-53 NIST 800-171 CSA CCM CSA CAIQ

Controls

153

Safeguards

Implementation Groups

v8.1

Current (June 2024)

Who Needs to Comply

All Organisations

Small and medium enterprises starting with IG1 basic hygiene
Large enterprises implementing IG2 or IG3 safeguards
Healthcare, finance, manufacturing, education, and government
Organisations seeking a practical, prioritised security roadmap

Cross-Sector Applicability

Complements regulatory requirements (HIPAA, PCI DSS, NERC CIP)
Maps to NIST CSF 2.0 and NIST SP 800-53 Rev. 5
Includes ICS-specific guidance via CIS Controls ICS Guide
Used globally across industries for benchmarking cybersecurity maturity

Key Compliance Areas

Controls 1-6

Basic Cyber Hygiene

Inventory of enterprise and software assets, data protection, secure configuration of enterprise assets and software, account management, and access control management.

Controls 7-12

Foundational Controls

Continuous vulnerability management, audit log management, email and web browser protections, malware defences, data recovery, and network infrastructure management.

Controls 13-16

Advanced Controls

Network monitoring and defence, security awareness and skills training, service provider management, and application software security.

Controls 17-18

Organisational Controls

Incident response management and penetration testing for validating security programme effectiveness.

IG1/IG2/IG3

Implementation Groups

IG1: 56 safeguards for basic hygiene (all orgs). IG2: 130 total for orgs with IT staff. IG3: all 153 safeguards for mature security programmes.

How Orizon Helps

Implementation Group Selection

Determine IG1, IG2, or IG3 based on organisational risk profile, resources, and cybersecurity maturity.

Asset Inventory

Implement Controls 1-2 to establish comprehensive enterprise and software asset inventories.

IG1 Baseline Deployment

Implement all 56 IG1 safeguards to establish essential cyber hygiene across the organisation.

IG2 Enhancement

Add 74 additional safeguards for organisations with dedicated IT security staff and resources.

IG3 Advanced Controls

Implement remaining 23 safeguards for mature security operations with advanced capabilities.

Continuous Assessment

Use the CIS Controls Self Assessment Tool (CIS-CSAT) for ongoing benchmarking and progress tracking.

Official Sources

Assess Your Compliance

Expert guidance for your CIS Controls compliance journey.

Get Started

CIS Controls

CIS Critical Security Controls v8.1

StandardInternational

Who Needs to Comply

All Organisations

Small and medium enterprises starting with IG1 basic hygiene
Large enterprises implementing IG2 or IG3 safeguards
Healthcare, finance, manufacturing, education, and government
Organisations seeking a practical, prioritised security roadmap

Cross-Sector Applicability

Complements regulatory requirements (HIPAA, PCI DSS, NERC CIP)
Maps to NIST CSF 2.0 and NIST SP 800-53 Rev. 5
Includes ICS-specific guidance via CIS Controls ICS Guide
Used globally across industries for benchmarking cybersecurity maturity

Key Compliance Areas

Controls 1-6

Basic Cyber Hygiene

Inventory of enterprise and software assets, data protection, secure configuration of enterprise assets and software, account management, and access control management.

Controls 7-12

Foundational Controls

Continuous vulnerability management, audit log management, email and web browser protections, malware defences, data recovery, and network infrastructure management.

Controls 13-16

Advanced Controls

Network monitoring and defence, security awareness and skills training, service provider management, and application software security.

Controls 17-18

Organisational Controls

Incident response management and penetration testing for validating security programme effectiveness.

IG1/IG2/IG3

Implementation Groups

IG1: 56 safeguards for basic hygiene (all orgs). IG2: 130 total for orgs with IT staff. IG3: all 153 safeguards for mature security programmes.

How Orizon Helps

Implementation Group Selection

Determine IG1, IG2, or IG3 based on organisational risk profile, resources, and cybersecurity maturity.

Asset Inventory

Implement Controls 1-2 to establish comprehensive enterprise and software asset inventories.

IG1 Baseline Deployment

Implement all 56 IG1 safeguards to establish essential cyber hygiene across the organisation.

IG2 Enhancement

Add 74 additional safeguards for organisations with dedicated IT security staff and resources.

IG3 Advanced Controls

Implement remaining 23 safeguards for mature security operations with advanced capabilities.

Continuous Assessment

Use the CIS Controls Self Assessment Tool (CIS-CSAT) for ongoing benchmarking and progress tracking.