CIS Critical Security Controls Version 8

Overview of the CIS Critical Security Controls v8 framework. Updating to serve as the central hub linking to all 18 individual deep-dive pages for the specific controls.

Updated 4/12/2026

cis, safeguards, enterprise-security, v8

The CIS Critical Security Controls Version 8 (often referred to as CIS Controls v8) is a comprehensive, globally recognized framework of prioritized cybersecurity best practices. Developed collaboratively by a community of security experts under the Center for Internet Security (CIS), the framework provides actionable defensive measures designed to mitigate the most common and pervasive cyber attacks.

Version 8 represents a significant evolution of the framework, updated to accommodate the modern computing landscape. It addresses shifts toward cloud environments, virtualization, mobility, outsourcing, and remote work, moving away from a traditional network perimeter-focused approach to one centered on safeguarding specific assets and data regardless of their physical location.

Framework Structure

The CIS v8 framework is not just a checklist, but an ecosystem organized into a clear hierarchy to facilitate practical implementation:

  • Controls: The 18 top-level categories that define the primary domains of enterprise security.
  • Safeguards: Specific, measurable actions (formerly known as sub-controls) nested under each Control.
  • Implementation Groups (IGs): To help organizations adopt these practices based on their size, resources, and risk exposure, safeguards are categorized into three groups. Implementation Group 1 (IG1) represents essential foundational cyber hygiene that every enterprise should apply. Implementation Group 2 (IG2) builds on IG1 for organizations managing sensitive data or facing higher risk. Implementation Group 3 (IG3) encompasses all safeguards, geared toward mature organizations facing highly sophisticated adversaries.

Furthermore, each safeguard is mapped to specific Asset Types (e.g., Devices, Data, Applications) and Security Functions (Identify, Protect, Detect, Respond, Recover) to align directly with operational goals.

The 18 Critical Security Controls

This page serves as the central hub for the CIS Controls v8 framework. Detailed deep-dives into the requirements, procedures, and tools for each specific domain are available below:

  1. CIS Control 1: Inventory and Control of Enterprise Assets
  2. CIS Control 2: Inventory and Control of Software Assets
  3. CIS Control 3: Data Protection
  4. CIS Control 4: Secure Configuration of Enterprise Assets and Software
  5. CIS Control 5: Account Management
  6. CIS Control 6: Access Control Management
  7. CIS Control 7: Continuous Vulnerability Management
  8. CIS Control 8: Audit Log Management
  9. CIS Control 9: Email and Web Browser Protections
  10. CIS Control 10: Malware Defenses
  11. CIS Control 11: Data Recovery
  12. CIS Control 12: Network Infrastructure Management
  13. CIS Control 13: Network Monitoring and Defense
  14. CIS Control 14: Security Awareness and Skills Training
  15. CIS Control 15: Service Provider Management
  16. CIS Control 16: Application Software Security
  17. CIS Control 17: Incident Response Management
  18. CIS Control 18: Penetration Testing

Integration with Other Frameworks

The CIS Controls are designed to complement, rather than replace, existing compliance and regulatory standards. Because safeguards map directly to core security functions, organizations frequently use the CIS Controls as a tactical roadmap to achieve compliance with broader, more complex frameworks such as the NIST Cybersecurity Framework (CSF), OWASP methodologies, and the PCI DSS standard. By implementing IG1 foundational safeguards, organizations can satisfy the baseline requirements of multiple major cybersecurity frameworks simultaneously.