CIS Controls v8.1 Audit Tool
Comprehensive reference and audit checklist for cybersecurity controls
At a glance: 18 controls, 153 safeguards, 3 implementation groups, 100+ benchmarks
About CIS Controls v8.1
The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices to mitigate common cyber attacks. Released in June 2024, version 8.1 provides a comprehensive framework for cybersecurity.
Key Features:
- Prioritized cybersecurity best practices
- Organized into 18 comprehensive controls
- 153 actionable safeguards
- Three implementation groups for scalability
- Mapped to multiple compliance frameworks
Implementation Groups
- IG1: Essential cyber hygiene for SMBs
- IG2: Mid-sized organizations
- IG3: Large enterprises, sensitive data
Quick Actions
- Controls Explorer: Browse and filter all 18 CIS Controls v8.1
- Audit Checklist: Track your implementation progress across all 153 safeguards
- Implementation Groups: Understand the three tiers of CIS Controls implementation
Implementation Group 1
Essential cyber hygiene
Target Audience:
Small to medium enterprises with limited IT and cybersecurity expertise. Organizations seeking basic cyber hygiene.
Key Characteristics:
- Limited resources and staff
- Basic security infrastructure
- Essential protection focus
- Lower maturity level
Implementation Group 2
All IG1 safeguards + 74 additional
Target Audience:
Mid-sized organizations with multiple departments and moderate IT resources. Organizations managing more complex environments.
Key Characteristics:
- Multiple departments/sites
- Dedicated IT team
- More sensitive data
- Moderate maturity level
Implementation Group 3
All 153 safeguards (IG1 + IG2 + 23 additional)
Target Audience:
Large enterprises and organizations handling highly sensitive data. Critical infrastructure and those with dedicated security teams.
Key Characteristics:
- Dedicated security team
- Highly sensitive data
- Complex IT environments
- High maturity level
Choosing Your Implementation Group
| Criteria | IG1 | IG2 | IG3 |
|---|---|---|---|
| Organization Size | Small to Medium | Medium to Large | Large Enterprise |
| IT Resources | Limited | Moderate | Extensive |
| Security Team | None or minimal | Dedicated IT security staff | Full security operations team |
| Data Sensitivity | Standard business data | Moderate sensitive data | Highly sensitive/regulated |
| Compliance | Basic requirements | Industry standards | Strict regulatory compliance |
CIS Benchmarks
100+ technology-specific security configuration guidelines
About CIS Benchmarks
CIS Benchmarks are consensus-based, best-practice security configuration guides developed by cybersecurity professionals worldwide. They provide prescriptive guidance for establishing secure baselines across various technologies.
Operating Systems (25+)
- Windows Server 2019/2022
- Ubuntu Linux 20.04/22.04
- Red Hat Enterprise Linux 8/9
- macOS 13/14
- Oracle Linux
- Debian Linux
Cloud Platforms (15+)
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform
- Oracle Cloud Infrastructure
- IBM Cloud
- Alibaba Cloud
Server Software (20+)
- Apache HTTP Server
- NGINX
- Microsoft IIS
- Docker
- Kubernetes
- Tomcat
Desktop Software (12+)
- Microsoft 365
- Google Workspace
- Google Chrome
- Mozilla Firefox
- Zoom
- Microsoft Edge
Mobile Devices (8+)
- Apple iOS 16/17
- Android 13/14
- Mobile Device Management
- Microsoft Intune
Network Devices (18+)
- Cisco IOS
- Palo Alto Networks
- Fortinet FortiOS
- Juniper Networks
- F5 BIG-IP
- Check Point
Databases (10+)
- Microsoft SQL Server
- Oracle Database
- PostgreSQL
- MySQL
- MongoDB
- MariaDB
Accessing CIS Benchmarks
CIS Benchmarks are available for free from the Center for Internet Security. Visit the official CIS website to:
- Download benchmarks in PDF and automated formats
- Access the CIS-CAT Pro assessment tool
- Join the CIS community and contribute to benchmark development
- Stay updated on the latest benchmark releases
Resources & Implementation Guide
Best practices, framework mappings, and useful tools
Quick Reference
Security Functions:
- Identify: Understanding business context, resources, and risks
- Protect: Safeguarding critical infrastructure and information
- Detect: Implementing activities to discover cybersecurity events
- Respond: Taking action regarding detected incidents
- Recover: Restoring capabilities impaired by incidents
- Governance: Managing and directing cybersecurity programs
Asset Types:
- Devices: Enterprise assets, end-user devices, servers, IoT, network devices
- Software: Operating systems, applications, services, libraries, APIs
- Data: Sensitive data, log data, physical data
- Users: User accounts, administrator accounts, service accounts
- Network: Network infrastructure and architecture
Implementation Best Practices
- Start with IG1: Build a strong foundation with essential controls
- Conduct Gap Analysis: Assess your current security posture
- Prioritize by Risk: Focus on highest-risk areas first
- Use Automation: Leverage tools for continuous monitoring
- Document Everything: Maintain records of implementation
- Regular Reviews: Continuously assess and improve
- Train Your Team: Ensure staff understand their roles
- Measure Progress: Track metrics and KPIs
Framework Mappings
CIS Controls map to multiple compliance frameworks:
NIST Cybersecurity Framework:
- Direct mapping to all five functions (Identify, Protect, Detect, Respond, Recover)
- Provides actionable implementation of NIST CSF
ISO 27001/27002:
- Aligns with ISO information security controls
- Supports ISO 27001 certification efforts
PCI-DSS:
- Covers many Payment Card Industry requirements
- Supports PCI compliance objectives
Recommended Tools
Assessment Tools:
- CIS-CAT Pro: Automated configuration assessment
- CIS RAM: Risk Assessment Method
- CIS CSAT: Controls Self-Assessment Tool
Implementation Tools:
- Asset management systems
- Vulnerability scanners
- Security information and event management (SIEM)
- Configuration management databases (CMDB)
- Endpoint detection and response (EDR)