CIS Controls
Follow our prioritized set of actions to protect your organization and data from cyber-attack vectors.
By implementing the CIS Controls, you create an on-ramp to comply with the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and other industry regulations. View our many mappings to see how your Controls program can work together with other frameworks.
CIS Controls Navigator
Want to see how the CIS Controls fit into your broader security program? You can use our CIS Controls Navigator to see how they map to other security standards and frameworks.
Mapping and Compliance
By implementing the CIS Controls, you create an on-ramp to comply with PCI DSS, HIPAA, GDPR, and other industry regulations. View our Mapping and Compliance page for more information.
CIS Controls Mappings v8.1
Download individual mappings below or visit our CIS Controls Navigator for all mappings to CIS Controls v8.1.
- AICPA SOC2
- Australian Signals Directorate’s (ASD) Essential Eight
- CAN/CIOSC 104 2021 Baseline Cyber Security Controls for Small and Medium Organizations
- CISA Cybersecurity Performance Goals (CPGs) v1.0.1
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4
- Criminal Justice Information Services (CJIS) Security Policy v6
- Cybersecurity Maturity Model Certification (CMMC) v2.0
- Cyber Risk Institute Profile v.20
- GSMA FS 3.1 Baseline Security Controls v4.0
- Federal Financial Institutions Examination Council Cyber Security Assessment Tool (FFIEC-CAT) Cybersecurity Maturity Baseline
- Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals (HPH CPGs)
- Health Insurance Portability and Accountability Act (HIPAA)
- Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technologies (COBIT) 19
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001:2022
- Microsoft Cloud Security Benchmark v1 (formerly Azure Security Benchmark v3)
- National Cyber Security Centre (NCSC) Cyber Essentials v3.1
- National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) v3.2
- Network and Information Security 2 (NIS2) Directive 2022/2555
- New York State Department of Financial Services (NYDFS) Part 500
- New Zealand Information Security Manual (NZISM) v3.8
- NIST Cybersecurity Framework (CSF) 2.0
- NIST SP 800-171 Rev. 2
- NIST SP 800-171 Rev. 3
- NIST SP 800-53 Rev. 5 (Moderate and Low Baselines)
- North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP) Standards
- Payment Card Industry Data Security Standard (PCI DSS) v4.0
- The Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554
- Transportation Security Administration (TSA) Security Directive Pipeline 2021-02
CIS Controls Mappings v8
Download individual mappings below or visit our CIS Controls Navigator for all mappings to CIS Controls v8.
- AICPA SOC 2
- Australian Signals Directorate's (ASD) Essential Eight
- Azure Security Benchmark v3
- CISA Cybersecurity Performance Goals (CPGs) v1.0.1
- Cloud Security Alliance Cloud Control Matrix (CSA CCM)
- Criminal Justice Information Services (CJIS) v5.9
- Cybersecurity Maturity Model Certification (CMMC) v2.0
- Cyber Risk Institute (CRI) Profile v1.2
- Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC-CAT)
- GSMA FS.31 Baseline Security Controls v2.0
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001:2022
- ISACA COBIT 19
- MITRE Enterprise ATT&CK v8.2
- New York State Department of Financial Services (NYDFS) 23 NYCRR Part 500
- New Zealand Information Security Manual (NZISM) v3.5
- NIST Cybersecurity Framework (CSF) 1.1
- NIST Cybersecurity Framework (CSF) 2.0
- NIST SP 800-53 Rev. 5 (Moderate and Low Baselines)
- NIST SP 800-171 Rev. 2
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP Standards)
- Payment Card Industry Data Security Standard (PCI DSS) v4.0
- Transportation Security Administration (TSA) Security Directive Pipeline 2021-02
- UK NCSC Cyber Essentials v2.2
- UK NCSC Cyber Assessment Framework v3.1
CIS Controls Mappings v7.1
Download individual mappings below or visit our CIS Controls Navigator for all mappings to CIS Controls v7.1.
- Cybersecurity Maturity Model Certification (CMMC) v1.0
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001:2013
- NIST Cybersecurity Framework (CSF) 1.1
- NIST SP 800-53 Rev. 4 Low Baseline
- NIST SP 800-171 Rev. 2
- Payment Card Industry Data Security Standard (PCI DSS) v3.2.1
- CIS Controls v7.1 Mapping to NIST OLIR Submission V1