CIS Controls Compliance Checklist
Use this checklist to track your CIS Controls implementation progress. This guide provides a structured approach to evaluating and documenting your compliance with CIS Controls v8, focusing on Implementation Group 1 (IG1) safeguards that every organization should implement.
This checklist complements our CIS Controls implementation guide with a practical tracking format.
Key Takeaways
| Point | Summary |
|---|---|
| Focus | IG1 (56 safeguards) forms the essential baseline |
| Assessment approach | Rate each safeguard as Not Implemented, Partial, or Complete |
| Documentation | Record evidence for each implemented safeguard |
| Ongoing process | Reassess quarterly and after significant changes |
| Progression | Move to IG2/IG3 after completing IG1 |
Quick Answer: This checklist covers all 56 IG1 safeguards from CIS Controls v8. For each safeguard, assess your current implementation status, identify gaps, and document evidence. Use this checklist to create an implementation roadmap and track progress over time. Most organizations should target 100% IG1 completion before expanding to IG2.
How to Use This Checklist
Assessment Ratings
Rate each safeguard using this scale:
| Rating | Definition | Criteria |
|---|---|---|
| Not Implemented | Safeguard is not in place | No controls, no process, no documentation |
| Partial | Some elements exist | Controls partially deployed, process incomplete |
| Complete | Fully implemented | Controls deployed, process documented, evidence available |
| N/A | Not applicable | Safeguard doesn't apply to your environment |
Evidence Collection
For each "Complete" safeguard, document:
- What is implemented
- Where it's implemented (systems, applications)
- Evidence (screenshots, logs, policies)
- Owner responsible for maintenance
Control 1: Inventory and Control of Enterprise Assets
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 1.2 | Address Unauthorized Assets | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
1.1 Asset Inventory:
- Maintain list of all hardware assets (servers, workstations, laptops, mobile devices)
- Include cloud instances and virtual machines
- Update within 7 days of changes
- Minimum attributes: asset ID, IP address, hardware type, owner
1.2 Unauthorized Assets:
- Process to detect new/unknown assets
- Procedure to investigate and classify
- Weekly or more frequent detection cycle
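One way to turn safeguards 1.1 and 1.2 into a repeatable check is to reconcile what discovery sees on the network against the asset inventory and flag the gaps the guidance above names. The following is an added example, not code from the original checklist or from CIS; the inventory records, the discovery results, the field names and the as-of date are all constructed assumptions, and the 7-day window and minimum attribute set are taken from the guidance.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Minimum attributes and refresh window from safeguard 1.1 guidance.
REQUIRED_ATTRIBUTES = ("asset_id", "ip", "hw_type", "owner")
MAX_AGE_DAYS = 7


@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    hw_type: str
    owner: str
    last_updated: date


# Constructed inventory export (assumed schema, not a CIS format).
# A-1003 has no owner, so it fails the minimum-attribute rule.
INVENTORY = [
    Asset("A-1001", "10.0.1.10", "server", "ops", date(2024, 5, 1)),
    Asset("A-1002", "10.0.1.11", "laptop", "alice", date(2024, 4, 1)),
    Asset("A-1003", "10.0.1.12", "vm", "", date(2024, 5, 2)),
]

# Constructed discovery output, e.g. from a network scan or DHCP lease export.
DISCOVERED_IPS = {"10.0.1.10", "10.0.1.11", "10.0.1.99"}

# Assumed assessment date so the example is reproducible.
AS_OF = date(2024, 5, 6)


def missing_attributes(asset: Asset) -> list[str]:
    """Return the required attributes that are empty on this record."""
    return [name for name in REQUIRED_ATTRIBUTES if not getattr(asset, name)]


def reconcile(inventory: list[Asset], discovered_ips: set[str], today: date) -> dict:
    """Compare discovery results with the inventory and report the findings
    that the 1.1 / 1.2 guidance asks an owner to act on."""
    known_ips = {a.ip for a in inventory}
    return {
        # 1.2: seen on the network but not inventoried -> investigate and classify
        "unauthorized": sorted(discovered_ips - known_ips),
        # inventoried but not seen -> retired, offline, or mis-recorded
        "not_seen": sorted(known_ips - discovered_ips),
        # 1.1: record not refreshed within the update window
        "stale": sorted(
            a.asset_id for a in inventory if (today - a.last_updated).days > MAX_AGE_DAYS
        ),
        # 1.1: record missing a required attribute
        "incomplete": {
            a.asset_id: missing_attributes(a) for a in inventory if missing_attributes(a)
        },
    }


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, DISCOVERED_IPS, AS_OF).items():
        print(f"{finding}: {items}")
```

The output of each run is the evidence record for the weekly detection cycle: the "unauthorized" list is the 1.2 work queue, and "stale" and "incomplete" show whether the inventory itself still meets 1.1.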
Control 2: Inventory and Control of Software Assets
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 2.1 | Establish and Maintain a Software Inventory | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 2.2 | Ensure Authorized Software is Currently Supported | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 2.3 | Address Unauthorized Software | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
2.1 Software Inventory:
- List all installed software applications
- Include version numbers
- Track vendor and support status
- Update within 7 days of changes
2.2 Supported Software:
- Review software against vendor support timelines
- Plan for end-of-life transitions
- Document exceptions with risk acceptance
2.3 Unauthorized Software:
- Process to detect unauthorized software
- Procedure for removal or approval
- Monthly or more frequent review
Control 3: Data Protection
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 3.1 | Establish and Maintain a Data Management Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 3.2 | Establish and Maintain a Data Inventory | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 3.3 | Configure Data Access Control Lists | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 3.4 | Enforce Data Retention | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 3.5 | Securely Dispose of Data | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 3.6 | Encrypt Data on End-User Devices | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
3.1 Data Management Process:
- Documented process for data handling
- Classification scheme (e.g., Public, Internal, Confidential)
- Handling requirements per classification
3.2 Data Inventory:
- List of sensitive data types
- Storage locations
- Processing systems
- Update annually at minimum
3.3 Access Control Lists:
- Access based on job function
- Documented access approvals
- Regular access reviews
3.4 Data Retention:
- Retention schedule by data type
- Automated deletion where possible
- Documentation of retention compliance
3.5 Secure Disposal:
- Secure deletion methods documented
- Destruction verification
- Media sanitization procedures
3.6 Endpoint Encryption:
- Full disk encryption on all laptops/desktops
- Mobile device encryption
- Encryption verification capability
Control 4: Secure Configuration of Enterprise Assets and Software
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 4.1 | Establish and Maintain a Secure Configuration Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 4.3 | Configure Automatic Session Locking on Enterprise Assets | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 4.4 | Implement and Manage a Firewall on Servers | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 4.5 | Implement and Manage a Firewall on End-User Devices | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 4.6 | Securely Manage Enterprise Assets and Software | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 4.7 | Manage Default Accounts on Enterprise Assets and Software | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
4.1 & 4.2 Configuration Process:
- Documented configuration standards
- Use CIS Benchmarks as baseline
- Configuration management process
4.3 Session Locking:
- Automatic lock after 15 minutes or less of inactivity
- Applied to all workstations and laptops
- GPO or MDM enforcement
4.4 & 4.5 Firewalls:
- Host-based firewall on all servers
- Host-based firewall on all endpoints
- Default-deny configuration
4.6 Secure Management:
- Encrypted management connections (SSH, HTTPS)
- Secure protocols for all management traffic
- Jump hosts or bastion hosts for access
4.7 Default Accounts:
- Default passwords changed
- Unused default accounts disabled
- Default admin accounts renamed
Control 5: Account Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 5.1 | Establish and Maintain an Inventory of Accounts | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 5.2 | Use Unique Passwords | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 5.3 | Disable Dormant Accounts | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
5.1 Account Inventory:
- List of all user accounts
- List of all service accounts
- Account ownership documented
- Review quarterly
5.2 Unique Passwords:
- Password manager deployed
- Unique passwords required per system
- Password complexity enforced
5.3 Dormant Accounts:
- Define dormancy threshold (e.g., 45 days)
- Automated detection of dormant accounts
- Process for disabling dormant accounts
5.4 Dedicated Admin Accounts:
- Separate accounts for admin activities
- Standard accounts for daily work
- Admin accounts follow naming convention
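The 5.1, 5.3 and 5.4 items can be checked together from a single account export: the same pass that finds dormant accounts can also find accounts with no documented owner and admin accounts that break the naming convention. This is an added example, not code from the original checklist or from CIS; the account records, the "adm-" prefix and the as-of date are constructed assumptions, and the 45-day dormancy threshold is the example value from the guidance above.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 45        # example threshold from safeguard 5.3 guidance
ADMIN_PREFIX = "adm-"    # assumed naming convention for dedicated admin accounts (5.4)


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                  # "user" or "service"
    owner: str                 # documented owner (5.1); empty if none recorded
    enabled: bool
    is_admin: bool
    last_logon: date | None    # None means the account has never logged on


# Constructed account export (assumed schema, not a directory's real format).
ACCOUNTS = [
    Account("alice", "user", "alice", True, False, date(2024, 5, 3)),
    Account("adm-alice", "user", "alice", True, True, date(2024, 4, 30)),
    Account("bob", "user", "bob", True, True, date(2024, 5, 1)),       # admin rights on a daily-use account
    Account("carol", "user", "carol", True, False, date(2024, 2, 1)),  # no logon for months
    Account("svc-backup", "service", "", True, False, None),           # no owner, never used
    Account("dave", "user", "dave", False, False, date(2023, 1, 1)),   # already disabled
]

# Assumed review date so the example is reproducible.
AS_OF = date(2024, 5, 6)


def is_dormant(acct: Account, today: date) -> bool:
    """5.3: enabled and unused for more than DORMANT_DAYS.
    Never-used enabled accounts count as dormant; disabled accounts are ignored."""
    if not acct.enabled:
        return False
    if acct.last_logon is None:
        return True
    return (today - acct.last_logon).days > DORMANT_DAYS


def review(accounts: list[Account], today: date) -> dict:
    """Produce the findings a quarterly account review would record as evidence."""
    return {
        # 5.3: candidates for the disable process
        "dormant": sorted(a.name for a in accounts if is_dormant(a, today)),
        # 5.1: inventory entries with no documented owner
        "unowned": sorted(a.name for a in accounts if not a.owner),
        # 5.4: admin privilege on an account outside the admin naming convention
        "admin_naming": sorted(
            a.name for a in accounts if a.is_admin and not a.name.startswith(ADMIN_PREFIX)
        ),
        # 5.1: service accounts, listed separately from user accounts
        "service_accounts": sorted(a.name for a in accounts if a.kind == "service"),
    }


if __name__ == "__main__":
    for finding, names in review(ACCOUNTS, AS_OF).items():
        print(f"{finding}: {names}")
```

The "dormant" list feeds the disabling process; "admin_naming" is the list of accounts where admin work is not separated from daily work, which is what 5.4 asks to eliminate.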
Control 6: Access Control Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 6.1 | Establish an Access Granting Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 6.2 | Establish an Access Revoking Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 6.3 | Require MFA for Externally-Exposed Applications | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 6.4 | Require MFA for Remote Network Access | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 6.5 | Require MFA for Administrative Access | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
6.1 Access Granting:
- Documented access request process
- Approval workflow
- Access provisioning procedure
6.2 Access Revoking:
- Offboarding checklist
- Access revocation within 24 hours of termination
- Access review for role changes
6.3-6.5 MFA:
- MFA on all external applications
- MFA on VPN and remote access
- MFA on all admin consoles
- Avoid SMS-only MFA if possible
Control 7: Continuous Vulnerability Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 7.1 | Establish and Maintain a Vulnerability Management Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 7.2 | Establish and Maintain a Remediation Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 7.3 | Perform Automated Operating System Patch Management | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 7.4 | Perform Automated Application Patch Management | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
7.1 Vulnerability Management:
- Process to identify vulnerabilities
- Severity classification
- Risk assessment procedure
7.2 Remediation Process:
- Remediation SLAs by severity
- Tracking and reporting
- Exception process
7.3 & 7.4 Automated Patching:
- Automatic updates enabled where possible
- Patch testing process
- Patch compliance reporting
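Safeguard 7.2 asks for remediation SLAs by severity, tracking and reporting, and an exception process; the three fit naturally into one status calculation over a findings list. The following is an added example, not code from the original checklist or from CIS. The page sets no SLA numbers, so the day counts in SLA_DAYS are assumptions to be replaced with the organization's own, and the findings and as-of date are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLAs in days per severity (7.2 requires SLAs but sets no values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    severity: str
    discovered: date
    remediated: date | None = None
    exception_until: date | None = None   # approved risk acceptance (7.2 exception process)


# Constructed findings list (assumed schema, not a scanner's real export).
FINDINGS = [
    Finding("F-1", "web01", "critical", date(2024, 4, 20), remediated=date(2024, 4, 25)),
    Finding("F-2", "web01", "high", date(2024, 3, 20)),                       # past due, still open
    Finding("F-3", "db01", "medium", date(2024, 4, 1)),                       # open, inside window
    Finding("F-4", "db01", "critical", date(2024, 4, 1), exception_until=date(2024, 6, 30)),
    Finding("F-5", "app02", "critical", date(2024, 4, 10), remediated=date(2024, 5, 1)),  # closed late
]

# Assumed reporting date so the example is reproducible.
AS_OF = date(2024, 5, 6)


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    """Classify one finding against its SLA and any approved exception."""
    if f.remediated is not None:
        return "closed_in_sla" if f.remediated <= due_date(f) else "closed_late"
    if f.exception_until is not None and today <= f.exception_until:
        return "excepted"
    return "overdue" if today > due_date(f) else "open"


def report(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Group finding IDs by status; this is the tracking/reporting artifact for 7.2."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(status(f, today), []).append(f.finding_id)
    return {k: sorted(v) for k, v in grouped.items()}


def sla_compliance(findings: list[Finding], today: date) -> float:
    """Percentage of findings that are either closed within SLA or still inside
    their window. Findings under an approved exception are left out of the
    denominator so that accepted risk is reported separately, not hidden."""
    counted = [f for f in findings if status(f, today) != "excepted"]
    ok = [f for f in counted if status(f, today) in ("closed_in_sla", "open")]
    return round(100 * len(ok) / len(counted), 1) if counted else 100.0


if __name__ == "__main__":
    print(report(FINDINGS, AS_OF))
    print(f"SLA compliance: {sla_compliance(FINDINGS, AS_OF)}%")
```

Reporting "excepted" as its own bucket matters: an exception is documented risk acceptance, and folding it into "open" would either inflate the overdue count or, if silently dropped, hide the accepted risk from the report.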
Control 8: Audit Log Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 8.1 | Establish and Maintain an Audit Log Management Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 8.2 | Collect Audit Logs | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 8.3 | Ensure Adequate Audit Log Storage | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
8.1 Log Management Process:
- Documented logging requirements
- Log retention policy
- Log review procedures
8.2 Log Collection:
- Authentication events logged
- Authorization events logged
- Administrative actions logged
8.3 Log Storage:
- Minimum 90 days retention
- Sufficient storage capacity
- Protected from tampering
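Evidence for 8.2 and 8.3 can be produced directly from the log store: check that each host's retained logs actually contain authentication, authorization and administrative events, and that the span of retained data covers the 90-day minimum. The following is an added example, not code from the original checklist or from CIS; the log lines, their key=value layout and the event-name prefixes are constructed assumptions, and the retention figure is the 90 days from the guidance above. The span check is a measurement of what the store currently holds, not a substitute for the retention policy itself.

```python
from __future__ import annotations
from datetime import datetime, timezone

REQUIRED_CATEGORIES = ("authentication", "authorization", "administrative")  # 8.2
MIN_RETENTION_DAYS = 90                                                      # 8.3

# Assumed mapping from event-name prefix to the 8.2 categories.
CATEGORY_BY_PREFIX = {
    "auth.": "authentication",
    "authz.": "authorization",
    "admin.": "administrative",
}

# Constructed sample log in an assumed "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2024-02-01T08:00:01Z host=web01 event=auth.login user=alice result=success
2024-03-15T09:12:44Z host=web01 event=auth.login user=bob result=failure
2024-04-02T10:00:00Z host=db01 event=authz.denied user=carol resource=/admin
2024-04-10T13:00:00Z host=web01 event=authz.denied user=bob resource=/admin
2024-05-05T11:30:00Z host=web01 event=admin.user_created actor=adm-alice target=dave
2024-05-06T12:00:00Z host=web01 event=app.request path=/index
"""


def parse_line(line: str) -> dict:
    """Split one line into its fields; the timestamp is stored as an aware datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def categorize(event: str) -> str:
    for prefix, category in CATEGORY_BY_PREFIX.items():
        if event.startswith(prefix):
            return category
    return "other"


def records(log_text: str) -> list[dict]:
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def coverage_gaps(log_text: str) -> dict[str, list[str]]:
    """8.2: for each host, the required categories that never appear in its logs.
    An empty list means the host is sending all three event types."""
    seen: dict[str, set[str]] = {}
    for rec in records(log_text):
        seen.setdefault(rec["host"], set()).add(categorize(rec.get("event", "")))
    return {host: sorted(c for c in REQUIRED_CATEGORIES if c not in cats)
            for host, cats in seen.items()}


def retention_days(log_text: str) -> int:
    """8.3: days spanned by the oldest and newest retained entries."""
    stamps = [rec["ts"] for rec in records(log_text)]
    return (max(stamps) - min(stamps)).days


def retention_ok(log_text: str) -> bool:
    return retention_days(log_text) >= MIN_RETENTION_DAYS


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(SAMPLE_LOG))
    print("retained days:", retention_days(SAMPLE_LOG), "ok:", retention_ok(SAMPLE_LOG))
```

A host that appears with gaps is a collection problem to fix before the safeguard can be rated Complete; a host that does not appear at all will not show up here, so the host list should be compared against the Control 1 asset inventory as well.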
Control 9: Email and Web Browser Protections
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 9.2 | Use DNS Filtering Services | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
9.1 Supported Software:
- Current versions of browsers
- Current versions of email clients
- Automatic updates enabled
9.2 DNS Filtering:
- DNS filtering service implemented
- Block known malicious domains
- Category blocking as appropriate
Control 10: Malware Defenses
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 10.1 | Deploy and Maintain Anti-Malware Software | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 10.2 | Configure Automatic Anti-Malware Signature Updates | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 10.3 | Disable Autorun and Autoplay for Removable Media | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
10.1 Anti-Malware:
- Anti-malware on all endpoints
- Anti-malware on servers
- Real-time protection enabled
10.2 Signature Updates:
- Automatic updates enabled
- Update frequency: daily minimum
- Verification of update status
10.3 Autorun/Autoplay:
- Disabled via GPO or MDM
- Applied to all endpoints
- Verified configuration
Control 11: Data Recovery
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 11.1 | Establish and Maintain a Data Recovery Process | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 11.2 | Perform Automated Backups | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 11.3 | Protect Recovery Data | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
11.1 Recovery Process:
- Documented recovery procedures
- RPO and RTO defined
- Recovery responsibilities assigned
11.2 Automated Backups:
- Scheduled backups for all critical data
- Backup success monitoring
- Backup verification
11.3 Protected Recovery Data:
- Backup encryption
- Access controls on backups
- Secure backup storage
11.4 Isolated Recovery Data:
- Offline or immutable backup copy
- Separate from production environment
- Protected from ransomware
Control 12: Network Infrastructure Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 12.1 | Ensure Network Infrastructure is Up-to-Date | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
12.1 Up-to-Date Infrastructure:
- Current firmware on network devices
- Supported software versions
- Patch management for network infrastructure
Control 14: Security Awareness and Skills Training
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 14.1 | Establish and Maintain a Security Awareness Program | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 14.3 | Train Workforce Members on Authentication Best Practices | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 14.4 | Train Workforce Members on Data Handling Best Practices | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
14.1-14.6 Training Program:
- Annual security awareness training for all employees
- New hire training within 30 days
- Training completion tracking
- Phishing simulation exercises
Control 15: Service Provider Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 15.1 | Establish and Maintain an Inventory of Service Providers | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
15.1 Service Provider Inventory:
- List of all service providers
- Data/access provided to each
- Security requirements documented
- Annual review
Control 17: Incident Response Management
| # | Safeguard | Your Status | Evidence/Notes |
|---|---|---|---|
| 17.1 | Designate Personnel to Manage Incident Handling | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | ☐ Not Implemented ☐ Partial ☐ Complete | |
| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | ☐ Not Implemented ☐ Partial ☐ Complete | |
Implementation Guidance
17.1 Incident Personnel:
- Primary incident handler designated
- Backup personnel identified
- Contact information available
17.2 Contact Information:
- Internal contacts documented
- External contacts (legal, PR, law enforcement)
- Updated quarterly
17.3 Reporting Process:
- Documented incident reporting procedure
- Multiple reporting channels available
- Clear escalation path
Summary Scorecard
IG1 Implementation Status
| Control | Total Safeguards | Not Implemented | Partial | Complete |
|---|---|---|---|---|
| 1. Enterprise Assets | 2 | |||
| 2. Software Assets | 3 | |||
| 3. Data Protection | 6 | |||
| 4. Secure Configuration | 7 | |||
| 5. Account Management | 4 | |||
| 6. Access Control | 5 | |||
| 7. Vulnerability Management | 4 | |||
| 8. Audit Log Management | 3 | |||
| 9. Email and Web Browser | 2 | |||
| 10. Malware Defenses | 3 | |||
| 11. Data Recovery | 4 | |||
| 12. Network Infrastructure | 1 | |||
| 14. Security Training | 6 | |||
| 15. Service Provider | 1 | |||
| 17. Incident Response | 3 | |||
| Total IG1 | 56 | | | |
Compliance Percentage
| Status | Count | Percentage |
|---|---|---|
| Complete | ||
| Partial | ||
| Not Implemented | ||
| N/A | | |
Target: 100% Complete or N/A for IG1 safeguards
Next Steps
Addressing Gaps
- Prioritize "Not Implemented" safeguards by risk
- Create implementation timeline
- Assign owners for each gap
- Track progress monthly
Moving to IG2
Once IG1 is complete, evaluate readiness for IG2:
- Do you have dedicated IT staff?
- Are customer requirements driving additional controls?
- Is your risk profile increasing?
See our Implementation Groups guide for IG2 safeguards.
Connecting to Compliance
Map your CIS Controls implementation to compliance frameworks:
Sources
- CIS Controls v8 - Official safeguard definitions
- CIS Controls Self Assessment Tool - Official assessment tool
- CIS Implementation Groups - IG guidance
