CIS Critical Security Controls v8.0
Knowledge Reference
Quick Links
- All 18 Controls: browse controls with safeguard breakdowns
- 35 Policy Templates: complete policy language with customization points
- CIS RAM v2.1: risk assessment methodology reference
- Evidence Guide: per-control evidence requirements
- Operational Calendar: 12-month recurring activity schedule
- Search: find any safeguard, control, or policy
Controls at a Glance
| # | Control Name | Safeguards (Total) | IG1 | IG2 | IG3 |
|---|---|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | 5 | 2 | 4 | 5 |
| 2 | Inventory and Control of Software Assets | 7 | 3 | 6 | 7 |
| 3 | Data Protection | 14 | 6 | 12 | 14 |
| 4 | Secure Configuration of Enterprise Assets and Software | 12 | 7 | 11 | 12 |
| 5 | Account Management | 6 | 4 | 6 | 6 |
| 6 | Access Control Management | 8 | 5 | 7 | 8 |
| 7 | Continuous Vulnerability Management | 7 | 4 | 7 | 7 |
| 8 | Audit Log Management | 12 | 3 | 11 | 12 |
| 9 | Email and Web Browser Protections | 7 | 2 | 6 | 7 |
| 10 | Malware Defenses | 7 | 3 | 7 | 7 |
| 11 | Data Recovery | 5 | 4 | 5 | 5 |
| 12 | Network Infrastructure Management | 8 | 1 | 7 | 8 |
| 13 | Network Monitoring and Defense | 11 | 0 | 6 | 11 |
| 14 | Security Awareness and Skills Training | 9 | 8 | 9 | 9 |
| 15 | Service Provider Management | 7 | 1 | 4 | 7 |
| 16 | Application Software Security | 14 | 0 | 11 | 14 |
| 17 | Incident Response Management | 9 | 3 | 8 | 9 |
| 18 | Penetration Testing | 5 | 0 | 3 | 5 |
| | Totals | 153 | 56 | 130 | 153 |
Implementation Groups
IG1: Essential Cyber Hygiene
56 safeguards. The minimum standard of information security for all enterprises. IG1 represents the on-ramp to the CIS Controls and consists of a foundational set of cyber defense safeguards that every enterprise should apply to guard against the most common attacks.
Suitable for: Small to medium organizations with limited IT and cybersecurity expertise. Data sensitivity is low. Primary concern is keeping the business operational.
IG2: Risk-Managed Enterprise
130 safeguards. For enterprises managing IT infrastructure of varying complexity. These enterprises store and process sensitive client or enterprise information and need to withstand threats from more sophisticated actors. Includes all IG1 safeguards plus additional protections.
Suitable for: Enterprises with dedicated IT staff, multiple departments, regulatory compliance requirements (HIPAA, PCI, state privacy laws), and moderate risk tolerance.
IG3: Comprehensive Security
153 safeguards. For enterprises that manage data or systems with regulatory and compliance oversight. These enterprises must address availability of services and the confidentiality and integrity of sensitive data; attacks against them can cause significant harm to public welfare. Includes all IG1 and IG2 safeguards.
Suitable for: Enterprises with dedicated security teams, SOC capabilities, advanced threat detection, handling data subject to regulatory oversight, and critical infrastructure operators.