CIS Controls v8
Center for Internet Security Critical Security Controls - prioritized set of actions to protect organizations and data from known cyber attack vectors
Get the official standard — this page is an AI-assisted companion tool, not a replacement for the authoritative text.
Visit cisecurity.org. Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (18)
CIS Control 1: Inventory and Control of Enterprise Assets
| Code | Title |
|---|---|
| CIS-1.1 | Establish and Maintain Detailed Enterprise Asset Inventory |
| CIS-1.2 | Address Unauthorized Assets |
| CIS-1.3 | Utilize an Active Discovery Tool |
| CIS-1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory |
| CIS-1.5 | Use a Passive Asset Discovery Tool |
CIS Control 2: Inventory and Control of Software Assets
| Code | Title |
|---|---|
| CIS-2.1 | Establish and Maintain a Software Inventory |
| CIS-2.2 | Ensure Authorized Software is Currently Supported |
| CIS-2.3 | Address Unauthorized Software |
| CIS-2.4 | Utilize Automated Software Inventory Tools |
| CIS-2.5 | Allowlist Authorized Software |
| CIS-2.6 | Allowlist Authorized Libraries |
| CIS-2.7 | Allowlist Authorized Scripts |
CIS Control 3: Data Protection
| Code | Title |
|---|---|
| CIS-3.1 | Establish and Maintain a Data Management Process |
| CIS-3.2 | Establish and Maintain a Data Inventory |
| CIS-3.3 | Configure Data Access Control Lists |
| CIS-3.4 | Enforce Data Retention |
| CIS-3.5 | Securely Dispose of Data |
| CIS-3.6 | Encrypt Data on End-User Devices |
| CIS-3.7 | Establish and Maintain a Data Classification Scheme |
| CIS-3.8 | Document Data Flows |
| CIS-3.9 | Encrypt Data on Removable Media |
| CIS-3.10 | Encrypt Sensitive Data in Transit |
| CIS-3.11 | Encrypt Sensitive Data at Rest |
| CIS-3.12 | Segment Data Processing and Storage Based on Sensitivity |
| CIS-3.13 | Deploy a Data Loss Prevention Solution |
| CIS-3.14 | Log Sensitive Data Access |
CIS Control 4: Secure Configuration of Enterprise Assets and Software
| Code | Title |
|---|---|
| CIS-4.1 | Establish and Maintain a Secure Configuration Process |
| CIS-4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure |
| CIS-4.3 | Configure Automatic Session Locking on Enterprise Assets |
| CIS-4.4 | Implement and Manage a Firewall on Servers |
| CIS-4.5 | Implement and Manage a Firewall on End-User Devices |
| CIS-4.6 | Securely Manage Enterprise Assets and Software |
| CIS-4.7 | Manage Default Accounts on Enterprise Assets and Software |
| CIS-4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software |
| CIS-4.9 | Configure Trusted DNS Servers on Enterprise Assets |
| CIS-4.10 | Enforce Automatic Device Lockout on Portable End-User Devices |
| CIS-4.11 | Enforce Remote Wipe Capability on Portable End-User Devices |
| CIS-4.12 | Separate Enterprise Workspaces on Mobile End-User Devices |
CIS Control 5: Account Management
| Code | Title |
|---|---|
| CIS-5.1 | Establish and Maintain an Inventory of Accounts |
| CIS-5.2 | Use Unique Passwords |
| CIS-5.3 | Disable Dormant Accounts |
| CIS-5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts |
| CIS-5.5 | Establish and Maintain an Inventory of Service Accounts |
| CIS-5.6 | Centralize Account Management |
CIS Control 6: Access Control Management
| Code | Title |
|---|---|
| CIS-6.1 | Establish an Access Granting Process |
| CIS-6.2 | Establish an Access Revoking Process |
| CIS-6.3 | Require MFA for Externally-Exposed Applications |
| CIS-6.4 | Require MFA for Remote Network Access |
| CIS-6.5 | Require MFA for Administrative Access |
| CIS-6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems |
| CIS-6.7 | Centralize Access Control |
| CIS-6.8 | Define and Maintain Role-Based Access Control |
CIS Control 7: Continuous Vulnerability Management
| Code | Title |
|---|---|
| CIS-7.1 | Establish and Maintain a Vulnerability Management Process |
| CIS-7.2 | Establish and Maintain a Remediation Process |
| CIS-7.3 | Perform Automated Operating System Patch Management |
| CIS-7.4 | Perform Automated Application Patch Management |
| CIS-7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets |
| CIS-7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets |
| CIS-7.7 | Remediate Detected Vulnerabilities |
CIS Control 8: Audit Log Management
| Code | Title |
|---|---|
| CIS-8.1 | Establish and Maintain an Audit Log Management Process |
| CIS-8.2 | Collect Audit Logs |
| CIS-8.3 | Ensure Adequate Audit Log Storage |
| CIS-8.4 | Standardize Time Synchronization |
| CIS-8.5 | Collect Detailed Audit Logs |
| CIS-8.6 | Collect DNS Query Audit Logs |
| CIS-8.7 | Collect URL Request Audit Logs |
| CIS-8.8 | Collect Command-Line Audit Logs |
| CIS-8.9 | Centralize Audit Logs |
| CIS-8.10 | Retain Audit Logs |
| CIS-8.11 | Conduct Audit Log Reviews |
| CIS-8.12 | Collect Service Provider Logs |
CIS Control 9: Email and Web Browser Protections
| Code | Title |
|---|---|
| CIS-9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients |
| CIS-9.2 | Use DNS Filtering Services |
| CIS-9.3 | Maintain and Enforce Network-Based URL Filters |
| CIS-9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions |
| CIS-9.5 | Implement DMARC |
| CIS-9.6 | Block Unnecessary File Types |
| CIS-9.7 | Deploy and Maintain Email Server Anti-Malware Protections |
CIS Control 10: Malware Defenses
| Code | Title |
|---|---|
| CIS-10.1 | Deploy and Maintain Anti-Malware Software |
| CIS-10.2 | Configure Automatic Anti-Malware Signature Updates |
| CIS-10.3 | Disable Autorun and Autoplay for Removable Media |
| CIS-10.4 | Configure Automatic Anti-Malware Scanning of Removable Media |
| CIS-10.5 | Enable Anti-Exploitation Features |
| CIS-10.6 | Centrally Manage Anti-Malware Software |
| CIS-10.7 | Use Behavior-Based Anti-Malware Software |
CIS Control 11: Data Recovery
| Code | Title |
|---|---|
| CIS-11.1 | Establish and Maintain a Data Recovery Process |
| CIS-11.2 | Perform Automated Backups |
| CIS-11.3 | Protect Recovery Data |
| CIS-11.4 | Establish and Maintain an Isolated Instance of Recovery Data |
| CIS-11.5 | Test Data Recovery |
CIS Control 12: Network Infrastructure Management
| Code | Title |
|---|---|
| CIS-12.1 | Ensure Network Infrastructure is Up-to-Date |
| CIS-12.2 | Establish and Maintain a Secure Network Architecture |
| CIS-12.3 | Securely Manage Network Infrastructure |
| CIS-12.4 | Establish and Maintain Architecture Diagram(s) |
| CIS-12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) |
| CIS-12.6 | Use of Secure Network Management and Communication Protocols |
| CIS-12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure |
| CIS-12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work |
CIS Control 13: Network Monitoring and Defense
| Code | Title |
|---|---|
| CIS-13.1 | Centralize Security Event Alerting |
| CIS-13.2 | Deploy a Host-Based Intrusion Detection Solution |
| CIS-13.3 | Deploy a Network Intrusion Detection Solution |
| CIS-13.4 | Perform Traffic Filtering Between Network Segments |
| CIS-13.5 | Manage Access Control for Remote Assets |
| CIS-13.6 | Collect Network Traffic Flow Logs |
| CIS-13.7 | Deploy a Host-Based Intrusion Prevention Solution |
| CIS-13.8 | Deploy a Network Intrusion Prevention Solution |
| CIS-13.9 | Deploy Port-Level Access Control |
| CIS-13.10 | Perform Application Layer Filtering |
| CIS-13.11 | Tune Security Event Alerting Thresholds |
CIS Control 14: Security Awareness and Skills Training
| Code | Title |
|---|---|
| CIS-14.1 | Establish and Maintain a Security Awareness Program |
| CIS-14.2 | Train Workforce Members to Recognize Social Engineering Attacks |
| CIS-14.3 | Train Workforce Members on Authentication Best Practices |
| CIS-14.4 | Train Workforce on Data Handling Best Practices |
| CIS-14.5 | Train Workforce Members on Causes of Unintentional Data Exposure |
| CIS-14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents |
| CIS-14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates |
| CIS-14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks |
| CIS-14.9 | Conduct Role-Specific Security Awareness and Skills Training |
CIS Control 15: Service Provider Management
| Code | Title |
|---|---|
| CIS-15.1 | Establish and Maintain an Inventory of Service Providers |
| CIS-15.2 | Establish and Maintain a Service Provider Management Policy |
| CIS-15.3 | Classify Service Providers |
| CIS-15.4 | Ensure Service Provider Contracts Include Security Requirements |
| CIS-15.5 | Assess Service Providers |
| CIS-15.6 | Monitor Service Providers |
| CIS-15.7 | Securely Decommission Service Providers |
CIS Control 16: Application Software Security
| Code | Title |
|---|---|
| CIS-16.1 | Establish and Maintain a Secure Application Development Process |
| CIS-16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities |
| CIS-16.3 | Perform Root Cause Analysis on Security Vulnerabilities |
| CIS-16.4 | Establish and Manage an Inventory of Third-Party Software Components |
| CIS-16.5 | Use Up-to-Date and Trusted Third-Party Software Components |
| CIS-16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities |
| CIS-16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure |
| CIS-16.8 | Separate Production and Non-Production Systems |
| CIS-16.9 | Train Developers in Application Security Concepts and Secure Coding |
| CIS-16.10 | Apply Secure Design Principles in Application Architectures |
| CIS-16.11 | Leverage Vetted Modules or Services for Application Security Components |
| CIS-16.12 | Implement Code-Level Security Checks |
| CIS-16.13 | Conduct Application Penetration Testing |
| CIS-16.14 | Conduct Threat Modeling |
CIS Control 17: Incident Response Management
| Code | Title |
|---|---|
| CIS-17.1 | Designate Personnel to Manage Incident Handling |
| CIS-17.2 | Establish and Maintain Contact Information for Reporting Security Incidents |
| CIS-17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents |
| CIS-17.4 | Establish and Maintain an Incident Response Process |
| CIS-17.5 | Assign Key Roles and Responsibilities |
| CIS-17.6 | Define Mechanisms for Communicating During Incident Response |
| CIS-17.7 | Conduct Routine Incident Response Exercises |
| CIS-17.8 | Conduct Post-Incident Reviews |
| CIS-17.9 | Establish and Maintain Security Incident Thresholds |
CIS Control 18: Penetration Testing
| Code | Title |
|---|---|
| CIS-18.1 | Establish and Maintain a Penetration Testing Program |
| CIS-18.2 | Perform Periodic External Penetration Tests |
| CIS-18.3 | Remediate Penetration Test Findings |
| CIS-18.4 | Validate Security Measures |
| CIS-18.5 | Perform Periodic Internal Penetration Tests |
Maps to 2 other frameworks
Frequently Asked Questions
What is CIS Controls v8?
CIS Controls v8 is an international compliance framework with 18 domains and 153 controls: the Center for Internet Security Critical Security Controls, a prioritized set of actions to protect organizations and data from known cyber attack vectors. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does CIS Controls v8 have?
CIS Controls v8 has 153 controls organised across 18 domains. The largest domains are CIS Control 16: Application Software Security (14 controls), CIS Control 3: Data Protection (14 controls), and CIS Control 4: Secure Configuration of Enterprise Assets and Software (12 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does CIS Controls v8 map to?
CIS Controls v8 maps to 2 other compliance frameworks. The top mapping partners are ASD Strategies to Mitigate Cyber Security Incidents (7% coverage) and DISA Security Technical Implementation Guides (STIGs) (1% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with CIS Controls v8 compliance?
Start your CIS Controls v8 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CIS Controls v8 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 153 controls and track your progress.