Version 8.1 — Updated June 2024

CIS Controls: 18 things that actually stop breaches

The CIS Critical Security Controls are the global consensus on what works. 18 prioritized controls, organized into three Implementation Groups so you can start where you are and grow. Used by organizations of every size, referenced by cyber insurers, and mapped to every major framework. BlackSheep tracks your progress across all 18.

$249/month · All frameworks included · No credit card to start

18 Critical Controls
3 Implementation Groups
153 Safeguards
v8.1 · Latest version (June 2024)

Start where you are. Grow from there.

CIS organizes controls into three Implementation Groups. You don't need all 18 on day one.

IG1

Basic Cyber Hygiene

Controls 1–6 · 56 safeguards

Essential controls every organization should implement regardless of size or resources. This is your minimum viable cybersecurity program. If you do nothing else, do IG1.

Best for

Small organizations, limited IT staff, basic risk profile

IG2 · Most common target

Foundational

Controls 7–13 · 74 safeguards

Deeper security capabilities for organizations with moderate risk. Adds vulnerability management, logging, email/web protection, malware defense, backup, network management, and monitoring.

Best for

Mid-size organizations, dedicated IT, sensitive data

IG3

Organizational

Controls 14–18 · 23 safeguards

Advanced practices for mature programs. Security training, vendor management, application security, incident response, and penetration testing at an organizational level.

Best for

Mature programs, sensitive data, advanced threat landscape

The 18 controls

Each control addresses a specific area of cybersecurity defense. Together, they cover the full attack surface.

CIS-01 · IG1

Inventory and Control of Enterprise Assets

Know what's on your network. Maintain an accurate inventory of all hardware devices and ensure only authorized assets can connect.

CIS-02 · IG1

Inventory and Control of Software Assets

Know what software is running. Maintain a complete inventory and ensure only authorized software can execute.

CIS-03 · IG1

Data Protection

Classify, encrypt, and control access to sensitive data at rest, in transit, and in use. Prevent unauthorized data transfers.

CIS-04 · IG1

Secure Configuration of Assets and Software

Harden everything. Establish and enforce secure configuration baselines for all systems, applications, and network devices.

CIS-05 · IG1

Account Management

Manage the lifecycle of every account — provisioning, review, and deprovisioning. No shared accounts. Disable inactive accounts.

CIS-06 · IG1

Access Control Management

Enforce least privilege. Control who can access what based on role and business need. Require MFA for all remote and privileged access.

CIS-07 · IG2

Continuous Vulnerability Management

Scan continuously, prioritize by risk, and remediate within defined SLAs. Track your discovery-to-fix timelines.

CIS-08 · IG2

Audit Log Management

Collect, centralize, and retain security-relevant logs. Configure alerts for anomalous behavior. Protect log integrity.

CIS-09 · IG2

Email and Web Browser Protections

Defend the two most common attack vectors. Filter email, block malicious URLs, restrict browser extensions, and enforce DNS filtering.

CIS-10 · IG2

Malware Defenses

Deploy and maintain anti-malware on all endpoints. Use EDR for detection and response. Block execution of unauthorized software.

CIS-11 · IG2

Data Recovery

Back up everything critical. Test restores regularly. Maintain immutable, offsite copies that survive ransomware.

CIS-12 · IG2

Network Infrastructure Management

Secure your network architecture. Segment networks, harden devices, manage configurations, and decommission unused infrastructure.

CIS-13 · IG2

Network Monitoring and Defense

Monitor network traffic for threats. Deploy IDS/IPS, analyze flows, and detect lateral movement.

CIS-14 · IG3

Security Awareness and Skills Training

Train everyone, test everyone. Role-specific training, phishing simulations, and measurable improvement.

CIS-15 · IG3

Service Provider Management

Assess your vendors. Require security standards in contracts. Monitor their access and hold them accountable.

CIS-16 · IG3

Application Software Security

Secure the software you build and buy. Vulnerability testing, secure development practices, and patch management for applications.

CIS-17 · IG3

Incident Response Management

Plan, test, and execute. Documented IR procedures, defined roles, tabletop exercises, and post-incident reviews.

CIS-18 · IG3

Penetration Testing

Test your defenses. Regular pen tests validate that your controls actually work against real-world attack techniques.

Why organizations choose CIS Controls

Prioritized

Controls are ordered by effectiveness. IG1 stops the majority of common attacks. You get the biggest security improvement from the first six controls.

Scalable

Three Implementation Groups let you start small and grow. A 5-person firm and a 5,000-person enterprise use the same framework at different depths.

Measurable

Each control has specific safeguards with clear implementation criteria. You can objectively measure where you stand and track improvement over time.

Cross-mapped

CIS Controls map to NIST CSF, ISO 27001, PCI DSS, HIPAA, SOC 2, and most regulatory frameworks. Implement once, satisfy many.

Common questions about CIS Controls

Do we need to implement all 18 controls?

No. Start with IG1 (Controls 1–6). These are the essential cyber hygiene controls that every organization should have. Most small and mid-size organizations should target IG1 fully implemented, then work toward IG2. IG3 is for mature programs with dedicated security staff.

How do CIS Controls compare to NIST CSF?

They complement each other. NIST CSF is a framework for organizing your security program (Govern, Identify, Protect, Detect, Respond, Recover). CIS Controls are the specific, actionable items you implement within that framework. Many organizations use NIST CSF as the structure and CIS Controls as the implementation checklist.

Does my cyber insurance require CIS Controls?

Increasingly, yes. Cyber insurance underwriters use CIS Controls — especially IG1 — as a baseline for evaluating your security posture. MFA, endpoint protection, backup, and patch management (all IG1/IG2 controls) are now standard requirements on most cyber insurance applications.

What changed in v8.1?

Version 8.1 (June 2024) refined safeguard descriptions, added implementation examples, improved mapping to other frameworks, and clarified Implementation Group assignments. The 18 control areas remain the same as v8, but the guidance is more actionable.

How long does it take to implement IG1?

For a small organization with basic IT infrastructure, IG1 can be substantially implemented in 30–90 days with focused effort. The key is to document what you already have — many organizations are partially compliant without knowing it. BlackSheep helps you see exactly where you stand from day one.

18 controls. Three levels. One platform.

BlackSheep tracks your progress across all 18 CIS Controls with scoring by Implementation Group. See your gaps, prioritize by risk, and document your security posture for auditors and insurers.

$249/month. Every framework included. Works for any industry.

30-day money-back guarantee. If it doesn't save you time in the first month, you pay nothing.