CIS Controls v8: Complete List of Controls and Safeguards
This guide provides a comprehensive reference to all 18 CIS Controls and their 153 safeguards. Use this as a reference when building your security program or mapping CIS Controls to other frameworks like SOC 2 or ISO 27001.
CIS Controls v8, released in May 2021, represents a significant update to the framework. The controls were reorganized, consolidated from 20 to 18, and updated to address modern environments including cloud, mobile, and remote work scenarios.
Key Takeaways
| Point | Summary |
|---|---|
| Total controls | 18 controls organized by priority |
| Total safeguards | 153 specific safeguards across all controls |
| IG1 safeguards | 56 essential safeguards for all organizations |
| IG2 safeguards | 74 additional safeguards (130 total) |
| IG3 safeguards | 23 additional safeguards (153 total) |
| Key changes in v8 | Cloud-first approach, reorganized for modern environments |
Quick Answer: CIS Controls v8 contains 18 controls with 153 total safeguards. Organizations should start with Implementation Group 1 (IG1), which includes 56 essential safeguards that provide foundational cyber hygiene. Each safeguard is tagged with its Implementation Group, helping you prioritize what to implement first.
Version 8 Changes from Version 7
CIS Controls v8 introduced several significant changes:
| Change | Description |
|---|---|
| Reduced from 20 to 18 controls | Consolidation and elimination of redundancy |
| Cloud-centric | Controls now address cloud environments natively |
| Work-from-anywhere | Updated for remote and hybrid work models |
| Removed perimeter focus | Less emphasis on traditional network boundaries |
| New Implementation Groups | IG1 expanded for better essential coverage |
The 18 CIS Controls v8
Control 1: Inventory and Control of Enterprise Assets
Actively manage all enterprise assets connected to the infrastructure, including hardware devices, virtual machines, and cloud instances.
| # | Safeguard | IG |
|---|---|---|
| 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | IG1 |
| 1.2 | Address Unauthorized Assets | IG1 |
| 1.3 | Utilize an Active Discovery Tool | IG2 |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | IG2 |
| 1.5 | Use a Passive Asset Discovery Tool | IG3 |
Why it matters: You cannot protect assets you don't know exist. Asset inventory is the foundation of all other security controls.
Control 2: Inventory and Control of Software Assets
Actively manage all software on the network to ensure only authorized software is installed and can execute.
| # | Safeguard | IG |
|---|---|---|
| 2.1 | Establish and Maintain a Software Inventory | IG1 |
| 2.2 | Ensure Authorized Software is Currently Supported | IG1 |
| 2.3 | Address Unauthorized Software | IG1 |
| 2.4 | Utilize Automated Software Inventory Tools | IG2 |
| 2.5 | Allowlist Authorized Software | IG2 |
| 2.6 | Allowlist Authorized Libraries | IG2 |
| 2.7 | Allowlist Authorized Scripts | IG3 |
Why it matters: Unknown or unauthorized software introduces vulnerabilities and can be a vector for malware.
Control 3: Data Protection
Develop processes and technical controls to identify, classify, handle, retain, and dispose of data securely.
| # | Safeguard | IG |
|---|---|---|
| 3.1 | Establish and Maintain a Data Management Process | IG1 |
| 3.2 | Establish and Maintain a Data Inventory | IG1 |
| 3.3 | Configure Data Access Control Lists | IG1 |
| 3.4 | Enforce Data Retention | IG1 |
| 3.5 | Securely Dispose of Data | IG1 |
| 3.6 | Encrypt Data on End-User Devices | IG1 |
| 3.7 | Establish and Maintain a Data Classification Scheme | IG2 |
| 3.8 | Document Data Flows | IG2 |
| 3.9 | Encrypt Data on Removable Media | IG2 |
| 3.10 | Encrypt Sensitive Data in Transit | IG2 |
| 3.11 | Encrypt Sensitive Data at Rest | IG2 |
| 3.12 | Segment Data Processing and Storage Based on Sensitivity | IG2 |
| 3.13 | Deploy a Data Loss Prevention Solution | IG3 |
| 3.14 | Log Sensitive Data Access | IG3 |
Why it matters: Data is often what attackers are after. Proper data protection limits the impact of breaches.
Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain secure configuration processes for enterprise assets and software.
| # | Safeguard | IG |
|---|---|---|
| 4.1 | Establish and Maintain a Secure Configuration Process | IG1 |
| 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | IG1 |
| 4.3 | Configure Automatic Session Locking on Enterprise Assets | IG1 |
| 4.4 | Implement and Manage a Firewall on Servers | IG1 |
| 4.5 | Implement and Manage a Firewall on End-User Devices | IG1 |
| 4.6 | Securely Manage Enterprise Assets and Software | IG1 |
| 4.7 | Manage Default Accounts on Enterprise Assets and Software | IG1 |
| 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | IG2 |
| 4.9 | Configure Trusted DNS Servers on Enterprise Assets | IG2 |
| 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | IG2 |
| 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | IG2 |
| 4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | IG3 |
Why it matters: Default configurations often prioritize usability over security. Hardening reduces attack surface.
Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts.
| # | Safeguard | IG |
|---|---|---|
| 5.1 | Establish and Maintain an Inventory of Accounts | IG1 |
| 5.2 | Use Unique Passwords | IG1 |
| 5.3 | Disable Dormant Accounts | IG1 |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | IG1 |
| 5.5 | Establish and Maintain an Inventory of Service Accounts | IG2 |
| 5.6 | Centralize Account Management | IG2 |
Why it matters: Compromised accounts are the entry point for most breaches. Strong account management limits attacker access.
Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges.
| # | Safeguard | IG |
|---|---|---|
| 6.1 | Establish an Access Granting Process | IG1 |
| 6.2 | Establish an Access Revoking Process | IG1 |
| 6.3 | Require MFA for Externally-Exposed Applications | IG1 |
| 6.4 | Require MFA for Remote Network Access | IG1 |
| 6.5 | Require MFA for Administrative Access | IG1 |
| 6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | IG2 |
| 6.7 | Centralize Access Control | IG2 |
| 6.8 | Define and Maintain Role-Based Access Control | IG3 |
Why it matters: Access control ensures users have only the permissions they need, limiting the blast radius of compromised accounts.
Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities across enterprise assets.
| # | Safeguard | IG |
|---|---|---|
| 7.1 | Establish and Maintain a Vulnerability Management Process | IG1 |
| 7.2 | Establish and Maintain a Remediation Process | IG1 |
| 7.3 | Perform Automated Operating System Patch Management | IG1 |
| 7.4 | Perform Automated Application Patch Management | IG1 |
| 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | IG2 |
| 7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | IG2 |
| 7.7 | Remediate Detected Vulnerabilities | IG2 |
Why it matters: Unpatched vulnerabilities are among the most common attack vectors. Continuous management reduces exposure.
Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events to help detect, understand, and recover from attacks.
| # | Safeguard | IG |
|---|---|---|
| 8.1 | Establish and Maintain an Audit Log Management Process | IG1 |
| 8.2 | Collect Audit Logs | IG1 |
| 8.3 | Ensure Adequate Audit Log Storage | IG1 |
| 8.4 | Standardize Time Synchronization | IG2 |
| 8.5 | Collect Detailed Audit Logs | IG2 |
| 8.6 | Collect DNS Query Audit Logs | IG2 |
| 8.7 | Collect URL Request Audit Logs | IG2 |
| 8.8 | Collect Command-Line Audit Logs | IG2 |
| 8.9 | Centralize Audit Logs | IG2 |
| 8.10 | Retain Audit Logs | IG2 |
| 8.11 | Conduct Audit Log Reviews | IG2 |
| 8.12 | Collect Service Provider Logs | IG3 |
Why it matters: Logs are essential for detecting attacks and investigating incidents. Without logs, you're blind to threats.
Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior.
| # | Safeguard | IG |
|---|---|---|
| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | IG1 |
| 9.2 | Use DNS Filtering Services | IG1 |
| 9.3 | Maintain and Enforce Network-Based URL Filters | IG2 |
| 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | IG2 |
| 9.5 | Implement DMARC | IG2 |
| 9.6 | Block Unnecessary File Types | IG2 |
| 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | IG2 |
Why it matters: Email and web browsers are the primary vectors for phishing, malware delivery, and social engineering attacks.
Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts.
| # | Safeguard | IG |
|---|---|---|
| 10.1 | Deploy and Maintain Anti-Malware Software | IG1 |
| 10.2 | Configure Automatic Anti-Malware Signature Updates | IG1 |
| 10.3 | Disable Autorun and Autoplay for Removable Media | IG1 |
| 10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | IG2 |
| 10.5 | Enable Anti-Exploitation Features | IG2 |
| 10.6 | Centrally Manage Anti-Malware Software | IG2 |
| 10.7 | Use Behavior-Based Anti-Malware Software | IG2 |
Why it matters: Malware is a primary tool for attackers. Defense-in-depth against malware reduces successful infections.
Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
| # | Safeguard | IG |
|---|---|---|
| 11.1 | Establish and Maintain a Data Recovery Process | IG1 |
| 11.2 | Perform Automated Backups | IG1 |
| 11.3 | Protect Recovery Data | IG1 |
| 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | IG1 |
| 11.5 | Test Data Recovery | IG2 |
Why it matters: Ransomware and other destructive attacks make data recovery critical. Tested backups enable recovery without paying ransoms.
Control 12: Network Infrastructure Management
Establish and maintain the secure management of network infrastructure.
| # | Safeguard | IG |
|---|---|---|
| 12.1 | Ensure Network Infrastructure is Up-to-Date | IG1 |
| 12.2 | Establish and Maintain a Secure Network Architecture | IG2 |
| 12.3 | Securely Manage Network Infrastructure | IG2 |
| 12.4 | Establish and Maintain Architecture Diagram(s) | IG2 |
| 12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | IG2 |
| 12.6 | Use of Secure Network Management and Communication Protocols | IG2 |
| 12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure | IG2 |
| 12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | IG3 |
Why it matters: Network infrastructure provides the foundation for communication. Compromised network devices enable widespread access.
Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense.
| # | Safeguard | IG |
|---|---|---|
| 13.1 | Centralize Security Event Alerting | IG2 |
| 13.2 | Deploy a Host-Based Intrusion Detection Solution | IG2 |
| 13.3 | Deploy a Network Intrusion Detection Solution | IG2 |
| 13.4 | Perform Traffic Filtering Between Network Segments | IG2 |
| 13.5 | Manage Access Control for Remote Assets | IG2 |
| 13.6 | Collect Network Traffic Flow Logs | IG2 |
| 13.7 | Deploy a Host-Based Intrusion Prevention Solution | IG3 |
| 13.8 | Deploy a Network Intrusion Prevention Solution | IG3 |
| 13.9 | Deploy Port-Level Access Control | IG3 |
| 13.10 | Perform Application Layer Filtering | IG3 |
| 13.11 | Tune Security Event Alerting Thresholds | IG3 |
Why it matters: Network monitoring enables detection of active attacks and anomalous behavior that indicates compromise.
Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce.
| # | Safeguard | IG |
|---|---|---|
| 14.1 | Establish and Maintain a Security Awareness Program | IG1 |
| 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | IG1 |
| 14.3 | Train Workforce Members on Authentication Best Practices | IG1 |
| 14.4 | Train Workforce Members on Data Handling Best Practices | IG1 |
| 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | IG1 |
| 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | IG1 |
| 14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | IG2 |
| 14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | IG2 |
| 14.9 | Conduct Role-Specific Security Awareness and Skills Training | IG3 |
Why it matters: People are often the weakest link. Security awareness reduces the success rate of social engineering attacks.
Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data or are responsible for critical IT platforms.
| # | Safeguard | IG |
|---|---|---|
| 15.1 | Establish and Maintain an Inventory of Service Providers | IG1 |
| 15.2 | Establish and Maintain a Service Provider Management Policy | IG2 |
| 15.3 | Classify Service Providers | IG2 |
| 15.4 | Ensure Service Provider Contracts Include Security Requirements | IG2 |
| 15.5 | Assess Service Providers | IG2 |
| 15.6 | Monitor Service Providers | IG3 |
| 15.7 | Securely Decommission Service Providers | IG3 |
Why it matters: Third-party providers often have access to your data and systems. Their security is your security.
Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses.
| # | Safeguard | IG |
|---|---|---|
| 16.1 | Establish and Maintain a Secure Application Development Process | IG2 |
| 16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | IG2 |
| 16.3 | Perform Root Cause Analysis on Security Vulnerabilities | IG2 |
| 16.4 | Establish and Manage an Inventory of Third-Party Software Components | IG2 |
| 16.5 | Use Up-to-Date and Trusted Third-Party Software Components | IG2 |
| 16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | IG2 |
| 16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | IG2 |
| 16.8 | Separate Production and Non-Production Systems | IG2 |
| 16.9 | Train Developers in Application Security Concepts and Secure Coding | IG2 |
| 16.10 | Apply Secure Design Principles in Application Architectures | IG2 |
| 16.11 | Leverage Vetted Modules or Services for Application Security Components | IG2 |
| 16.12 | Implement Code-Level Security Checks | IG3 |
| 16.13 | Conduct Application Penetration Testing | IG3 |
| 16.14 | Conduct Threat Modeling | IG3 |
Why it matters: Application vulnerabilities are primary targets for attackers. Secure development reduces vulnerabilities in your software.
Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.
| # | Safeguard | IG |
|---|---|---|
| 17.1 | Designate Personnel to Manage Incident Handling | IG1 |
| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | IG1 |
| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | IG1 |
| 17.4 | Establish and Maintain an Incident Response Process | IG2 |
| 17.5 | Assign Key Roles and Responsibilities | IG2 |
| 17.6 | Define Mechanisms for Communicating During Incident Response | IG2 |
| 17.7 | Conduct Routine Incident Response Exercises | IG2 |
| 17.8 | Conduct Post-Incident Reviews | IG2 |
| 17.9 | Establish and Maintain Security Incident Thresholds | IG3 |
Why it matters: Incidents will happen. Prepared organizations detect faster, respond more effectively, and recover more quickly.
Control 18: Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.
| # | Safeguard | IG |
|---|---|---|
| 18.1 | Establish and Maintain a Penetration Testing Program | IG2 |
| 18.2 | Perform Periodic External Penetration Tests | IG2 |
| 18.3 | Remediate Penetration Test Findings | IG2 |
| 18.4 | Validate Security Measures | IG3 |
| 18.5 | Perform Periodic Internal Penetration Tests | IG3 |
Why it matters: Penetration testing validates that your controls work against real-world attack techniques.
Implementation Group Summary
| Implementation Group | Safeguards | Target | Focus |
|---|---|---|---|
| IG1 | 56 | Small organizations, limited IT | Essential cyber hygiene |
| IG2 | 130 (IG1 + 74) | Organizations with IT staff | Enterprise protection |
| IG3 | 153 (IG2 + 23) | High-risk environments | Advanced defenses |
For detailed guidance on selecting the right Implementation Group, see our Implementation Groups guide.
Using This List
For Implementation
When implementing CIS Controls:
- Start with IG1 safeguards (marked "IG1" in the tables above)
- Use the safeguard numbers (e.g., 1.1, 6.5) to track implementation
- Progress to IG2 and IG3 based on your risk profile
For Compliance Mapping
When mapping to compliance frameworks:
- Use our CIS Controls SOC 2 Mapping for SOC 2 alignment
- See CIS Controls vs ISO 27001 for ISO 27001 mapping
- See CIS Controls vs NIST CSF for NIST alignment
For Assessment
Use CIS's official tools for assessment:
Ready to implement CIS Controls? See our CIS Controls Implementation Guide or talk to our team for help.
