CIS Critical Security Controls Version 8
The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise’s security as they move to both fully cloud and hybrid environments.
Learn about CIS Controls v8
Start by downloading the CIS Controls
The CIS Controls are a prioritized set of actions developed by a global IT community. This set of best practices is trusted by security leaders in both the private and public sector.
Download CIS Controls v8 (read FAQs)
Interested in seeing how others implement the CIS Controls?
Industry professionals and organizations all around the world utilize the CIS Controls to enhance their organization’s cybersecurity posture. Check out recent case studies to learn more.
Read CIS Controls Case Studies
Interested in learning more about CIS Controls Version 8?
Consider taking our no-cost essential cyber hygiene introductory course on Salesforce’s Trailhead application.
Access course
State Legislation Leveraging the CIS Controls
See how the CIS Controls are being leveraged from state to state.
Learn more
Tools and Resources
CIS CSAT Ransomware Business Impact Analysis Tool
Organizations can evaluate their likelihood of experiencing a ransomware attack and its potential impacts by using the CIS CSAT Ransomware Business Impact Analysis (BIA) tool. This utility has been created by CIS in partnership with Foresight Resilience Strategies (4RS). The BIA tool applies scores for ransomware-related Safeguards to estimate an enterprise’s likelihood of being affected by a ransomware attack; those who have already started an assessment using CIS-Hosted CSAT can import the scores from that assessment. Get started assessing your ransomware risks today!
Access BIA Tool
Assess your Implementation of the CIS Controls
The CIS Controls Self-Assessment Tool, or CIS CSAT, is a free web application that enables security leaders to track and prioritize their implementation of the CIS Controls.
Learn More About CIS CSAT
CIS Controls Poster
Learn about the implementation groups and essential cyber hygiene with this downloadable poster.
Download poster
What’s Changed?
Cybersecurity is an evolving industry with an endless list of threat actors. The tools we use to stay safe and secure must be updated to match the current threat landscape. Find out how CIS Controls v8 was updated from v7.1.
Download CIS Controls v8 Change Log
CIS Controls v8 Implementation Groups
Implementation Groups (IGs) provide a simple and accessible way to help organizations of different classes focus their scarce security resources, and still leverage the value of the CIS Controls program, community, and complementary tools and working aids.
Download the Implementation Groups Handout
Assess your risk with CIS RAM
CIS Risk Assessment Method is a free information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls cybersecurity best practices. CIS RAM provides instructions, examples, templates, and exercises for conducting a cyber risk assessment.
Download CIS RAM
Download the CIS RAM v2.1 brochure
Interested in learning more about CIS RAM?
Consider taking our no-cost introductory course on Salesforce’s Trailhead application.
CIS Controls v8 Multimedia Resources
Listen to the CIS Cybersecurity Where You Are Podcast or watch one of our webinars on-demand related to the CIS Controls v8 release.
Podcasts
- Cybersecurity Where You Are Podcast Episode 7: CIS Controls v8…It’s Not About the List
- Cybersecurity Where You Are Podcast Episode 8: CIS Controls v8…First Impressions
- The CyberCast
Webinars
- CIS RAM v2.1: A Way to Demonstrate Reasonable Security
- CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 3 (IG3) Workshop
- CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop
- CIS Risk Assessment Method (RAM) v2.0 Webinar
- Connecticut’s New Approach to Improving Cybersecurity
- Leveraging the Verizon 2023 DBIR: Key Insights and Actionable Takeaways
- Securing Your Cloud Infrastructure with CIS Controls v8: Hosted by CIS, Cloud Security Alliance, and SAFECode
- SMB Thought Leader Series Webinar – From CIS Controls to SMB Governance
- Welcome to CIS Controls v8: Hosted by CIS
Policy Templates
Acceptable Use Policy Template for the CIS Controls
This template can assist an enterprise in developing acceptable use for the CIS Controls.
Download the template
Enterprise Asset Management Policy Template for CIS Control 1
This template can assist an enterprise in developing an enterprise asset management policy.
Download the template
Software Asset Management Policy Template for CIS Control 2
This template can assist an enterprise in developing a software asset management policy.
Download the template
Data Management Policy Template for CIS Control 3
This template can assist an enterprise in developing a data management policy.
Download the template
Secure Configuration Management Policy Template for CIS Control 4, 9, and 12
This template can assist an enterprise in developing a secure configuration management policy.
Download the template
Account and Credential Management Policy Template for CIS Controls 5 and 6
This template can assist an enterprise in developing an account and credential management policy.
Download the template
Vulnerability Management Policy Template for CIS Control 7
This template can assist an enterprise in developing a data management policy.
Download the template
Audit Log Management Policy Template for CIS Control 8
This template can assist an enterprise in developing an audit log management policy.
Download the template
Malware Defense Policy Template for CIS Control 10
This template can assist an enterprise in developing a malware defense policy.
Download the template
Data Recovery Policy Template for CIS Control 11
This template can assist an enterprise in developing a data recovery policy.
Download template
Security Awareness Skills Training Policy Template for CIS Control 14
This template can assist an enterprise in developing a security awareness skills training policy.
Download template
Service Provider Management Policy Template for CIS Control 15
This template can assist an enterprise in developing a service provider management policy.
Download the template
Incident Response Policy Template for CIS Control 17
This template can assist an enterprise in developing an incident response policy.
Download template
Companion Guides
The Cost of Cyber Defense (IG1 Costing Paper)
Every enterprise wants a reasonable starting point at a reasonable cost for cybersecurity. The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that can be implemented to form an effective cyber defense program.
Download the Cost of Cyber Defense guide
A Blueprint for Ransomware Defense Using the CIS Controls
Whether your enterprise is big or small, you can't afford to take a passive approach to ransomware. The Blueprint provides a set of 40 Foundational and Actionable Safeguards from IG1 that will assist with ransomware defense while considering those SMEs that have limited cybersecurity expertise.
Download the Handout
Living off the Land: PowerShell
PowerShell is a robust tool that helps IT professionals automate a range of tedious and time-consuming administrative tasks.
Download the PowerShell Handout
Living off the Land: Scheduled Tasks
Scheduled tasks is a tool used by administrators for the automation of processes.
Download the Scheduled Tasks guide
CIS Controls Cloud Companion Guide
The CIS Critical Security Controls (CIS Controls) team has created guide to help organizations create secure cloud environments.
Download the Cloud Companion Guide for CIS Controls v8
CIS Controls Commonly Exploited Protocols Windows Management Instrumentation (WMI)
This guide will focus on a commonly exploited protocol, Windows Management Instrumentation (WMI) Remote Protocol, and the Safeguards an enterprise can implement, in part or whole, to reduce their attack surface or detect anomalies associated with the exploitation of WMI. The goal is to deliver a set of best practices from the CIS Controls, CIS Benchmarks™, or additional guidance, that all enterprises can use to protect against WMI facilitated attacks.
Download the WMI Guide
CIS Controls v8 Exploited Protocols Server Message Block (SMB)
The purpose of this guide is to focus on direct mitigations for SMB, as well as which best practices an enterprise can put in place to reduce the risk of an SMB-related attack.
Download the SMB Guide
CIS Controls v8 Privacy Companion Guide
The Privacy Guide supports the objectives of the CIS Controls by aligning privacy principles and highlighting potential privacy concerns that may arise through the usage of the CIS Controls.
Download the Privacy Companion Guide
Download the Portuguese version
Download the LGPD Annex to the Privacy Guide - Portuguese translation
Community Defense Model v2.0
The Center for Internet Security (CIS) Community Defense Model (CDM) v2.0 can be used to design, prioritize, implement, and improve an enterprise’s cybersecurity program. Enterprises naturally want to know how effective the CIS Critical Security Controls (CIS Controls) are against the most prevalent types of attacks. The CDM was created to help answer that and other questions about the value of the Controls based on currently available threat data from industry reports.
Download the Community Defense Model v2.0 Guide
Establishing Essential Cyber Hygiene
When tasked to implement a cybersecurity program, many enterprises ask “How do we get started?” In response, the CIS Controls Community sorted the Safeguards in the Controls into three Implementation Groups (IGs) based on their difficulty and cost to implement.
Download the Establishing Essential Cyber Hygiene
Guide to Enterprise Assets and Software
CIS simplified the language in v8 to provide enterprises guidance on how enterprise assets and software are organized in the CIS Controls and to help explain what we mean when we say things like “Establish and Maintain Detailed Enterprise Asset Inventory.
Download Guide to Enterprise Assets and Software
Implementation Guide for Small- and Medium- Sized Enterprises
This guide seeks to empower small- and medium-sized enterprise (SME) owners to help them protect their enterprises with a limited number of high-priority actions based on the Center for Internet Security’s Critical Security Controls (CIS Controls).
Download SME Guide
Internet of Things (IoT)
In this document, we provide guidance on how to apply the security best practices found in CIS Controls v8 to IoT environments.
Download Internet of Things Companion Guide
Mobile Guide
In this document, we provide guidance on how to apply the security best practices found in CIS Controls v8 to mobile environments. Organizations will be able to break down and map the applicable CIS Controls and their implementation in mobile environments.
Download Mobile Companion Guide
CIS Controls v8 Mappings
Download individual mappings below or visit our CIS Controls Navigator for all mappings to CIS Controls v8.
- AICPA Trust Services Criteria (SOC2)
- ASD's Essential Eight
- Azure Security Benchmark
- CISA's Cross-Sector CPGs
- CMMC Cybersecurity Maturity Model Certification v2.0
- CRI Profile v1.2
- Criminal Justice Information Services
- CSA CCM Cloud Security Alliance Cloud Control Matrix
- Cyber Essentials v2.2
- FFEIC-CAT
- GSMA FS.31 Baseline Security Controls
- HIPAA Health Insurance Portability and Accountability Act of 1996
- ISACA COBIT 19
- ISO/IEC 27001:2022
- ISO/IEC 27002:2022
- MITRE Enterprise ATT&CK v8.2
- NCSC Cyber Assessment Framework v3.1
- NERC-CIP
- New Zealand Information Security Manual (NZISM) v3.5
- NIST CSF
- NIST Special Publication 800-53 Rev.5 (Moderate and Low Baselines)
- NIST Special Publication 800-171 Rev.2
- NYDFS Part 500
- PCI Payment Card Industry v4.0
- TSA Security Directive Pipeline 2021-02
CIS Controls v8 Translations
The CIS Controls v8 have been translated into the following languages:
- Italian
- Japanese
- Persian
- Portuguese
- Spanish
