CIS Controls v8: eighteen controls in a learning-oriented IG1 → IG2 → IG3 progression
CIS maps safeguards to IG1 (essential cyber hygiene), IG2 (foundational for organizations with multiple departments or regulations), and IG3 (organizational maturity and advanced threats). This page groups the 18 Controls into three tracks for study; see the official CIS publication for exact safeguard-to-IG mapping.
Visual progression: IG1 → IG2 → IG3 (cumulative maturity model).
Control 1: Inventory and Control of Enterprise Assets
Know what hardware is on your network: laptops, servers, VMs, and IoT devices.
Safeguards (examples): Active and passive discovery; DHCP logging; block unknown devices on critical VLANs.
Implementation guidance: CMDB plus cloud asset APIs; reconcile weekly; assign owners.
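The weekly reconciliation described above, as an added example (not from CIS or this page): an active-scan result set and passive DHCP discovery are merged against a CMDB export to surface unknown devices, flag those on a critical VLAN, and list CMDB records nothing has seen. All MACs, hosts, VLAN numbers and the DHCP line format are constructed for the example.

```python
# Constructed sample data (MACs, hosts, VLANs and owners are all made up):
# a CMDB export, an active-scan result set, and passive discovery from DHCP
# lease log lines in an assumed "... to <mac> (<host>) vlan <n>" format.
CMDB = {
    "00:11:22:33:44:01": {"host": "fs-01", "owner": "infra-team"},
    "00:11:22:33:44:02": {"host": "db-01", "owner": "data-team"},
    "00:11:22:33:44:03": {"host": "lt-0042", "owner": "alice"},
    "00:11:22:33:44:04": {"host": "prn-old", "owner": "facilities"},
}
ACTIVE_SCAN = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:09"}
DHCP_LOG = """\
2024-05-01T08:00:01 DHCPACK on 10.10.5.20 to 00:11:22:33:44:03 (lt-0042) vlan 5
2024-05-01T08:00:09 DHCPACK on 10.10.9.31 to 00:11:22:33:44:09 (raspberrypi) vlan 9
2024-05-01T08:01:14 DHCPACK on 10.10.9.44 to 00:11:22:33:44:10 (esp-cam) vlan 9
"""
CRITICAL_VLANS = {9}  # assumed: VLAN 9 is the database segment


def parse_dhcp(log):
    """Passive discovery: map MAC -> (hostname, vlan) from DHCPACK lines."""
    seen = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[1] == "DHCPACK":
            seen[parts[5]] = (parts[6].strip("()"), int(parts[8]))
    return seen


def reconcile(cmdb, active, dhcp_log, critical_vlans):
    """Merge active and passive discovery against the CMDB.

    Returns (unknown, stale): `unknown` are devices seen on the wire but
    absent from the CMDB, with which sources saw them and whether they sit
    on a critical VLAN (quarantine candidates); `stale` are CMDB MACs no
    source has seen this cycle, for owner follow-up or retirement."""
    dhcp = parse_dhcp(dhcp_log)
    observed = set(active) | set(dhcp)
    unknown = []
    for mac in sorted(observed - set(cmdb)):
        host, vlan = dhcp.get(mac, (None, None))
        sources = [n for n, src in (("active", active), ("dhcp", dhcp)) if mac in src]
        unknown.append({"mac": mac, "host": host, "vlan": vlan,
                        "sources": sources, "critical": vlan in critical_vlans})
    stale = sorted(set(cmdb) - observed)
    return unknown, stale
```

A device that only passive discovery sees (the esp-cam above) is exactly the class that an active scan alone would miss, which is why the page lists both methods.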
Control 2: Inventory and Control of Software Assets
Authorize only supported software; remove unauthorized installs.
Safeguards (examples): Application allow lists; SBOM for critical applications.
Implementation guidance: Integrate MDM, package repositories, and container registries into one inventory.
Control 3: Data Protection
Classify and protect data by sensitivity using encryption, DLP, and access boundaries.
Safeguards (examples): Encrypt laptops; segment databases; label documents.
Implementation guidance: Data flow diagrams and KMS-backed keys; least-privilege database roles.
Control 4: Secure Configuration of Enterprise Assets and Software
Harden operating systems, middleware, and cloud services; track drift from the baseline.
Safeguards (examples): CIS Benchmarks; golden images; configuration management.
Implementation guidance: Automate scans with CSPM or OSConfig; block non-compliant builds in CI.
Control 5: Account Management
Manage the lifecycle of human and non-human accounts; disable dormant accounts; apply shared-account hygiene.
Safeguards (examples): Joiner, mover, leaver automation; access reviews; monitored break-glass accounts.
Implementation guidance: Prefer SSO; no long-lived admin keys in source code.
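The joiner-mover-leaver, dormant-account and break-glass safeguards above, worked as one added example (not from CIS or this page): an identity-provider export is reconciled against an HR roster, inactivity is measured against an assumed 90-day threshold, and every break-glass sign-in must match an approved change ticket. Accounts, dates and ticket ids are constructed.

```python
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)
DORMANT_DAYS = 90  # assumed policy threshold; CIS leaves the number to you

# Constructed sample data: an identity-provider account export, an HR roster,
# and a break-glass sign-in log reconciled against approved change tickets.
ACCOUNTS = [
    {"id": "alice", "kind": "human", "enabled": True, "last_login": date(2024, 5, 30)},
    {"id": "bob", "kind": "human", "enabled": True, "last_login": date(2024, 1, 15)},
    {"id": "carol", "kind": "human", "enabled": True, "last_login": date(2024, 5, 28)},
    {"id": "svc-backup", "kind": "service", "enabled": True, "last_login": date(2023, 11, 2)},
    {"id": "breakglass-1", "kind": "break-glass", "enabled": True, "last_login": date(2024, 5, 25)},
]
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated"}
BREAK_GLASS_LOG = [
    {"when": date(2024, 5, 20), "id": "breakglass-1", "ticket": "CHG-1042"},
    {"when": date(2024, 5, 25), "id": "breakglass-1", "ticket": None},
]
APPROVED_TICKETS = {"CHG-1042"}


def review(accounts, roster, bg_log, approved, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (action, account, reason) tuples an account-lifecycle job should raise.

    - leaver: enabled human account whose HR record says terminated (disable now).
    - dormant: enabled account with no sign-in for `dormant_days`; humans are
      disabled, service accounts go to their owner for review because a
      dormant automation identity may still be needed at quarter end.
    - break-glass accounts are expected to be idle, so they are exempt from
      the dormancy rule; instead every use must match an approved ticket."""
    cutoff = as_of - timedelta(days=dormant_days)
    actions = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["kind"] == "human" and roster.get(a["id"]) == "terminated":
            actions.append(("disable", a["id"], "leaver"))
        elif a["kind"] != "break-glass" and a["last_login"] < cutoff:
            what = "disable" if a["kind"] == "human" else "owner-review"
            actions.append((what, a["id"], "dormant"))
    for e in bg_log:
        if e["ticket"] not in approved:
            actions.append(("alert", e["id"], f"break-glass use on {e['when']} without approved ticket"))
    return actions
```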
Control 6: Access Control Management
Grant the minimum necessary access; separate administrative duties; monitor privileged use.
Safeguards (examples): RBAC or ABAC; PAM for elevated sessions; just-in-time admin.
Implementation guidance: Map roles to job functions; alert on privilege grants and unusual elevation.
Control 7: Continuous Vulnerability Management
Scan, prioritize, and remediate CVEs on assets and dependencies.
Safeguards (examples): Authenticated scans on a schedule; SLAs by CVSS; container scan on push.
Implementation guidance: Tie findings to CMDB owners; patch non-production first.
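The SLA-by-CVSS, owner-mapping and non-production-first guidance above, as an added example (not from CIS or this page): scanner findings are joined to a CMDB slice, given a due date from an assumed SLA table, and ordered into a per-owner queue. The SLA bands, CMDB entries and CVE ids are constructed placeholders.

```python
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)
# Assumed remediation policy: days to fix by CVSS v3 base score band.
# The real numbers come from the organization's vulnerability standard.
SLA_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]

# Constructed sample data: a CMDB slice and scanner findings. CVE ids are
# placeholders, not real advisories.
CMDB = {
    "web-prod-1": {"env": "prod", "owner": "web-team"},
    "web-stage-1": {"env": "nonprod", "owner": "web-team"},
    "db-prod-1": {"env": "prod", "owner": "data-team"},
}
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "asset": "web-prod-1", "found": date(2024, 5, 20)},
    {"cve": "CVE-0000-0001", "cvss": 9.8, "asset": "web-stage-1", "found": date(2024, 5, 20)},
    {"cve": "CVE-0000-0002", "cvss": 5.3, "asset": "db-prod-1", "found": date(2024, 3, 1)},
    {"cve": "CVE-0000-0003", "cvss": 7.5, "asset": "db-prod-1", "found": date(2024, 5, 25)},
    {"cve": "CVE-0000-0004", "cvss": 6.1, "asset": "legacy-9", "found": date(2024, 5, 28)},
]


def sla_days(cvss):
    """Map a CVSS base score to the remediation window in days."""
    for threshold, days in SLA_DAYS:
        if cvss >= threshold:
            return days
    return SLA_DAYS[-1][1]


def work_queue(findings, cmdb, as_of=AS_OF):
    """Per-owner remediation queue: owner and env come from the CMDB, due date
    from the SLA band. Order is overdue first, then due date, and for the same
    CVE non-production before production so the patch is proven there first.
    Findings on assets missing from the CMDB go to an UNMAPPED queue rather
    than being dropped."""
    queues = {}
    for f in findings:
        asset = cmdb.get(f["asset"])
        if asset is None:
            queues.setdefault("UNMAPPED", []).append({**f, "env": None, "due": None, "overdue": True})
            continue
        due = f["found"] + timedelta(days=sla_days(f["cvss"]))
        queues.setdefault(asset["owner"], []).append(
            {**f, "env": asset["env"], "due": due, "overdue": as_of > due})
    for items in queues.values():
        items.sort(key=lambda i: (not i["overdue"], i["due"] or as_of, i["cve"], i["env"] == "prod"))
    return queues
```

The UNMAPPED queue is the point where Control 7 depends on Control 1: a finding with no CMDB owner is an inventory gap, not a vulnerability to ignore.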
Control 8: Audit Log Management
Collect, protect, and review the logs that support detection and forensics.
Safeguards (examples): Central SIEM; reliable time sync; protect the integrity of admin logs.
Implementation guidance: Standard event schema; retention policy; test detection rules quarterly.
Control 9: Email and Web Browser Protections
Reduce phishing and drive-by downloads, the most common initial-access vectors.
Safeguards (examples): DMARC; sandbox attachments; browser isolation where appropriate.
Implementation guidance: User reporting workflow; strip risky attachment types at the gateway.
Control 10: Malware Defenses
Layer antivirus or EDR, execution policy, and application control.
Safeguards (examples): Block unsigned scripts; macro policies; roll out EDR in detect mode, then enforce mode.
Implementation guidance: Tune false positives before full enforcement; maintain offline recovery media.
Control 11: Data Recovery
Maintain backups that are encrypted, tested, and resilient to ransomware.
Safeguards (examples): Immutable backup tier; annual restore drills; separate admin accounts for backup systems.
Implementation guidance: Follow 3-2-1 guidance; use application-consistent snapshots for databases.
Control 12: Network Infrastructure Management
Secure routers, switches, firewalls, and Wi-Fi; document the topology.
Safeguards (examples): Disable unused ports; network access control; separate management plane.
Implementation guidance: Infrastructure-as-code for network devices with reviewed golden configs.
Control 13: Network Monitoring and Defense
Run IDS and IPS, NetFlow, and behavioral analytics on internal traffic.
Safeguards (examples): Segment sensitive VLANs; detect beaconing; decrypt traffic for inspection only as policy and law allow.
Implementation guidance: Purple-team exercises; tune alerts to mean-time-to-respond goals.
Control 14: Security Awareness and Skills Training
Provide role-based training, phishing simulations, and secure coding training for developers.
Safeguards (examples): Annual baseline plus micro-learning; measure improvement in reporting rates.
Implementation guidance: Align the curriculum with internal incident themes (appropriately redacted).
Control 15: Service Provider Management
Assess vendors that process data or provide critical services.
Safeguards (examples): SOC 2 or ISO reports; right-to-audit; fourth-party mapping.
Implementation guidance: Tier vendors by risk; reassess on a change of ownership or news of a breach.
Control 16: Application Software Security
Run a secure development lifecycle covering requirements, design, testing, and maintenance.
Safeguards (examples): SAST and DAST in CI; threat modeling for major features; dependency updates.
Implementation guidance: Use OWASP ASVS as a checklist; security champions in each team.
Control 17: Incident Response Management
Maintain playbooks, communications plans, forensic readiness, and post-incident review.
Safeguards (examples): Internal or retainer CSIRT; tabletop exercises; legal and privacy coordination.
Implementation guidance: Integrate runbooks with ticketing; preserve chain of custody for evidence.
Control 18: Penetration Testing
Controlled offensive tests to validate detective and preventive controls.
Safeguards (examples): Scope covers external, internal, and cloud; validation retest after fixes.
Implementation guidance: Align tests to the threat model; separate rules of engagement for production.
Download the current CIS Controls guide from CIS for authoritative safeguard numbering, IG mapping, and assessment tools. This page is a study companion, not a replacement for the full publication.