CIS Controls: 2026 Complete Guide

The CIS Controls (Center for Internet Security Critical Security Controls) are a prioritized set of 18 defensive actions, organized into 153 safeguards, that any organization can use to harden its environment against common cyberattacks. They are maintained by the Center for Internet Security and cross-walked into nearly every major government framework, including the NIST Cybersecurity Framework and NIST SP 800-53.

This guide is written for security engineers, IT leads, virtual CISOs, and founders who need a defensible security program without a full GRC team. It covers what the CIS Controls require in 2026, the three Implementation Groups (IG1, IG2, IG3), the difference between the Controls and the Benchmarks, realistic cost ranges, and how the program maps to NIST, ISO 27001, and PCI DSS.

Most teams start with the CIS Controls because they are free, version-controlled, and prescriptive in a way NIST is not. NIST tells you what outcomes to achieve. The CIS Controls tell you what to configure, which logs to keep, and which assets to inventory first. Many programs use NIST CSF for governance and the CIS Controls for execution.

💡 Pro Tip
Quick orientation: the CIS Controls are the "what to do" list (18 controls, 153 safeguards). The CIS Benchmarks are the "how to configure it" list (per-platform hardening guides for Windows, Linux, AWS, Kubernetes, and 100+ other technologies). Most organizations need both. The Controls run the program. The Benchmarks lock down the systems.

For broader framework context, see the NIST Cybersecurity Framework guide and the cybersecurity compliance guide.

What are the CIS Controls?

The CIS Critical Security Controls are a community-developed cybersecurity framework first published in 2008 (then called the SANS Top 20) and now in version 8.1 as of 2024. The Center for Internet Security took stewardship in 2015 and runs the consensus process that updates them every three to four years. The current count is 18 controls and 153 safeguards.

Each control covers one defensive domain: asset inventory, secure configuration, account management, vulnerability management, malware defense, audit logging, incident response, and so on. Each control contains a list of safeguards, the specific testable actions that implement it. A safeguard reads like a control statement from NIST SP 800-53, but shorter and more prescriptive.

The 18 controls in v8.1 are:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

Controls 1 through 6 are the basic cyber hygiene controls. They cover roughly 80% of common attack paths according to the CIS community analysis published alongside v8. If you do nothing else, the first six controls move the needle the most.

The Controls are free to download. The Center for Internet Security distributes them as PDFs, Excel workbooks, and a navigator tool. There is no certification, no auditor, no badge. What exists instead is an extensive set of cross-walks: every safeguard maps to controls in NIST SP 800-53, NIST SP 800-171, the NIST Cybersecurity Framework, ISO/IEC 27001, and PCI DSS v4.0. That cross-walk is why the framework has stuck around for nearly two decades: it translates between the abstract frameworks auditors care about and the concrete work engineers actually do.

Why CIS Controls matter in 2026

The CIS Controls answer a question no other framework answers cleanly: given finite money and people, what should we do first?

NIST CSF tells you to "Identify, Protect, Detect, Respond, Recover" and leaves the prioritization to you. ISO 27001 gives you 93 Annex A controls and asks you to justify exclusions. The CIS Controls explicitly sequence the work into three Implementation Groups by company size and risk profile.

Three forces have pushed the CIS Controls deeper into mainstream compliance since 2022:

State data-protection laws referencing them. Multiple state laws now provide affirmative defense or safe harbor for breach litigation if a company implemented a recognized cybersecurity framework. The CIS Controls are explicitly named in laws including Ohio's Data Protection Act and Connecticut's Public Act 21-119.

Federal cross-walks. Defense contractors implementing NIST SP 800-171 for Controlled Unclassified Information commonly use the CIS Controls as the implementation layer. The 110 NIST 800-171 controls map directly onto roughly 130 CIS safeguards.

Insurance underwriter adoption. Cyber insurance carriers now require evidence of specific CIS safeguards (multi-factor authentication, endpoint detection and response, immutable backups) before binding coverage. Several major carriers publish CIS-aligned questionnaires pulled directly from the v8 safeguard list.

CISA also references the CIS Controls in its Cyber Performance Goals, particularly for small and mid-sized organizations that lack resources to build a custom control set from NIST 800-53.

CIS Controls v8 and v8.1 (what changed)

CIS Controls v8 was released in May 2021 and introduced the most significant restructuring in the framework's history. The control count dropped from 20 to 18, controls were reorganized around activities rather than asset types, and the Implementation Group system was formalized.

The major v7-to-v8 changes: v7 was implicitly on-premises, v8 treats cloud, mobile, and remote work as primary use cases. v7 had separate controls for "wireless access" and "boundary defense"; v8 consolidated these into broader categories such as Network Infrastructure Management. v7 had a basic/foundational/organizational tier system; v8 replaced it with IG1, IG2, IG3. The safeguard count went from 171 to 153 with significantly tighter wording.

v8.1, published in 2024, is a refinement release. It aligned terminology with the NIST Cybersecurity Framework 2.0 release, clarified ambiguous safeguard descriptions, and refreshed the mapping documents. Organizations on v8 do not need to re-implement anything to move to v8.1.

CIS Implementation Groups: IG1, IG2, IG3

The Implementation Groups are the single most useful organizing principle in the framework. They prevent the trap that every other prescriptive framework falls into: a one-size-fits-all list that exhausts small teams and underwhelms enterprise security programs.

Group | Organization profile | Safeguards | Typical use case
IG1 (Essential cyber hygiene) | Small businesses with limited IT and security expertise. Data is primarily employee and financial information. | 56 safeguards (subset of v8) | Sub-50-employee SaaS startups, small professional services firms, retail with under $5M revenue.
IG2 (Risk-managed) | Mid-sized organizations with dedicated IT staff and sensitive client or business data. May be subject to regulatory pressure. | 74 additional safeguards (130 total) | 50 to 500-employee SaaS, regional healthcare, mid-market financial services, defense subcontractors.
IG3 (Expert) | Mature organizations with security professionals on staff. Data sensitivity is high and a successful attack would cause significant public harm. | 23 additional safeguards (153 total) | Public companies, large healthcare systems, banks, federal contractors, critical infrastructure operators.

IG1 is the floor. The CIS community calls it "essential cyber hygiene" and treats it as the minimum any organization should achieve, regardless of size. The 56 IG1 safeguards include maintaining an asset inventory, deploying MFA for administrative accounts, restoring from documented backups, and configuring browsers and email clients with security headers.

IG2 adds risk-management practices for companies processing regulated data or sensitive IP: centralized identity management, application allow-listing, audit log centralization, network segmentation. IG3 adds controls against sophisticated threat actors: red-team testing, application sandboxing, advanced authentication for privileged accounts, continuous adversary emulation.

The right answer for most organizations is to target IG1 fully in year one, IG2 in years two to three, and IG3 only if the threat model demands it. Companies that jump straight to IG3 typically half-implement IG1 and IG2 simultaneously, which is worse than fully implementing IG1 alone.

CIS Benchmarks vs CIS Controls

This is the most common point of confusion. They are different things designed to work together.

CIS Controls are the high-level program: 18 controls, 153 safeguards. They tell you what to do.

CIS Benchmarks are the low-level system configurations. 100+ benchmarks cover specific platforms: Windows Server 2022, Ubuntu 22.04, AWS Foundations, Microsoft 365, Kubernetes, Cisco IOS, and dozens more. Each is a hardening guide with hundreds of specific settings.

CIS Control 4 says "Secure Configuration of Enterprise Assets and Software." The corresponding Windows Server 2022 Benchmark spells out the exact registry keys, group policy objects, and audit settings that satisfy Control 4 on a Windows host. The Control names the goal; the Benchmark names the bits.

Most teams use both. The Controls drive the program-level conversation with leadership and auditors. The Benchmarks drive configuration management code in Terraform, Ansible, or Group Policy. CIS publishes Hardened Images on AWS, Azure, and Google Cloud Marketplaces that ship with the Benchmarks pre-applied.

The Benchmarks are free. Paid CIS SecureSuite membership ($2,500 to $52,500 annually) adds the CIS-CAT Pro automated assessment tool, customizable profiles, and the CIS WorkBench platform.

Mapping CIS Controls to NIST CSF, NIST 800-53, and ISO 27001

The CIS Controls explicitly map to every major framework. The mapping documents are free downloads.

To NIST Cybersecurity Framework. The 18 controls map to the six NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). Controls 1, 2, 3, and 15 land in Identify. Controls 4 through 12 cover Protect. Controls 8 and 13 cover Detect. Controls 17 and 18 cover Respond and Recover.

To NIST SP 800-53. Every CIS safeguard maps to one or more controls in NIST SP 800-53 Rev 5. One CIS safeguard often satisfies parts of multiple 800-53 controls. Federal contractors and FedRAMP candidates use the cross-walk to demonstrate that a CIS-aligned program satisfies the relevant 800-53 baseline. See the NIST 800-53 controls guide.

To NIST SP 800-171. The 110 controls in NIST SP 800-171 Rev 3 governing Controlled Unclassified Information map to roughly 130 CIS safeguards. Many defense contractors implement against the CIS Controls operationally and use the mapping for CMMC assessments. See the NIST 800-171 compliance guide.

To ISO 27001 Annex A and PCI DSS. The 93 controls in ISO 27001:2022 Annex A map to the CIS safeguards with gaps in the governance areas where ISO 27001 requires formal ISMS documentation. See the ISO 27001 certification guide. For PCI DSS v4.0, mapping documents show roughly 95% safeguard coverage of the 12 PCI requirements.

CIS Controls cost and timeline

The CIS Controls cost nothing. The Controls, Benchmarks, navigator tool, and all mapping documents are free downloads. What costs money is implementation.

A realistic budget for a 100-person SaaS implementing IG1 in year one:

  • Internal effort: 0.5 to 1.5 FTE over six months. Loaded cost roughly $80,000 to $250,000 depending on geography.
  • Tooling gaps: $40,000 to $120,000 annually. Typical purchases: an asset inventory or attack surface management tool, an EDR platform, a SIEM, a vulnerability scanner, a backup verification tool.
  • External help (optional): $20,000 to $80,000 for a vCISO or compliance consultancy to run the readiness assessment and policy set.
  • CIS SecureSuite membership (optional): $2,500 to $52,500 annually for CIS-CAT Pro and customizable Benchmark profiles.

Total year-one cost for a 100-person SaaS targeting IG1: $140,000 to $500,000, with year-two operating cost typically 40-60% lower.

For an enterprise targeting IG3 across thousands of endpoints, costs scale into the millions and the timeline extends to 24-36 months. The dominant variable is environment heterogeneity.

Timeline for IG1:

  • Months 1-2: Asset inventory baseline (Controls 1, 2). The baseline typically turns up assets nobody on the team knew about, amounting to 15-30% of the asset base, mostly cloud sprawl, shadow IT, and contractor devices.
  • Months 2-4: Identity and access (Controls 5, 6). MFA rollout, account lifecycle, privileged access.
  • Months 3-5: Configuration and vulnerability management (Controls 4, 7). CIS Benchmarks applied here.
  • Months 4-6: Logging, malware defense, backup (Controls 8, 10, 11).
  • Month 6: Internal readiness assessment. Most teams reach 70-85% IG1 implementation by month six.

CIS Controls process: the 9-step rollout

There is no official CIS Controls implementation methodology, but the community has converged on a consistent rollout pattern:

Step 1. Pick the Implementation Group. IG1 for sub-100-employee organizations. IG2 for mid-market. IG3 only if the threat model demands it. Document the choice and the reasoning.

Step 2. Baseline inventory. Build an authoritative inventory of enterprise assets (Control 1) and software assets (Control 2) before anything else. Every later safeguard depends on knowing what exists. Manual spreadsheets become stale within weeks.

Step 3. Gap assessment. Score the current environment against the chosen Implementation Group's safeguards. CIS-CAT Pro automates much of this for the Benchmark side. The Control side typically requires interviews and document review.

Step 4. Prioritize. Sequence remaining gaps by risk reduction per dollar. Asset inventory and MFA come first; penetration testing and red-teaming come last. The CIS Community Defense Model v2.0 publishes data on which safeguards block the most ATT&CK techniques per safeguard implemented.

Step 5. Apply CIS Benchmarks. For each system class (Windows, Linux, AWS, M365), apply the corresponding CIS Benchmark configuration. Use CIS Hardened Images where available. Track exceptions in a documented control matrix.

Step 6. Build the evidence trail. Each safeguard needs documented evidence that it is operating: configuration state, vulnerability scan reports, access review records, training completion logs. Treat the evidence trail as a first-class deliverable.

Step 7. Internal validation. Run a self-assessment against the full Implementation Group. CIS-CAT Pro for technical safeguards; manual review for policy and process safeguards. Identify gaps and remediate before any external assessment.

Step 8. External validation (optional). Engage a vCISO firm, MSSP, or CMMC assessor to validate. The CIS Controls themselves do not certify, but implementation can be validated as part of a NIST CSF assessment, ISO 27001 internal audit, or CMMC assessment.

Step 9. Continuous improvement. Re-baseline annually. Re-apply Benchmarks after major OS or platform upgrades. The CIS Controls operate continuously, not as a one-time project.
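The Benchmark check behind Steps 5 and 7 and the evidence record Step 6 asks for, as an added example that is not the article's, CIS's, or CIS-CAT Pro's code: a small Python script evaluates a host's sshd_config and sysctl state against four Benchmark-style recommendations (paraphrased from the CIS Ubuntu Linux Benchmark family; item numbers differ between Benchmark versions and are not given), writes a timestamped evidence record for Control 4, and flags evidence older than an assumed 30-day window. The sshd_config text, sysctl values and host name are constructed sample input.

```python
"""Added example, not from the article or CIS. The four checks paraphrase well-known
CIS Ubuntu Linux Benchmark items (numbers vary by version). All input is constructed."""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
import re

# OpenSSH defaults that apply when the keyword is absent from sshd_config.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "permitemptypasswords": "no", "maxauthtries": "6"}

@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool
    observed: str

def parse_sshd_config(text: str) -> dict:
    """Effective top-level keywords, starting from the defaults. As sshd does: the first
    occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment.
    Match blocks are not modelled: parsing stops at the first Match line."""
    effective = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip().lower()
    return effective

def check_host(sshd_text: str, sysctl: dict) -> list:
    """Evaluate the four recommendations; each Finding keeps the observed value."""
    cfg = parse_sshd_config(sshd_text)
    tries = cfg["maxauthtries"]
    fwd = str(sysctl.get("net.ipv4.ip_forward", "0"))
    return [
        Finding("SSH root login disabled", cfg["permitrootlogin"] == "no", cfg["permitrootlogin"]),
        Finding("SSH empty passwords disabled", cfg["permitemptypasswords"] == "no",
                cfg["permitemptypasswords"]),
        Finding("SSH MaxAuthTries is 4 or less", tries.isdigit() and int(tries) <= 4, tries),
        Finding("IP forwarding disabled", fwd == "0", fwd),
    ]

def evidence_record(host: str, findings: list, collected_at: datetime) -> dict:
    """Step 6 artifact: machine-readable, timestamped, tied to the control it supports."""
    return {"control": 4,  # Secure Configuration, where Benchmark checks belong
            "host": host, "collected_at": collected_at.isoformat(),
            "findings": [asdict(f) for f in findings],
            "passed": sum(1 for f in findings if f.passed), "total": len(findings)}

def is_stale(record: dict, now: datetime, max_age_days: int = 30) -> bool:
    """'Establish and maintain' safeguards need recent evidence, not a one-off snapshot."""
    collected = datetime.fromisoformat(record["collected_at"])
    return now - collected > timedelta(days=max_age_days)

# Constructed sample input, not captured from a real host.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 3
PermitRootLogin no   # ignored: the first occurrence above wins
"""
SAMPLE_SYSCTL = {"net.ipv4.ip_forward": "1"}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    rec = evidence_record("web-01", check_host(SAMPLE_SSHD_CONFIG, SAMPLE_SYSCTL), now)
    for f in rec["findings"]:
        print("PASS" if f["passed"] else "FAIL", f["check"], "observed:", f["observed"])
    print(rec["passed"], "of", rec["total"], "passed; stale:", is_stale(rec, now))
```

A production check should read the effective configuration from `sshd -T` rather than the file, since Match blocks and included files change what the daemon actually applies.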

CIS Controls for different organization types

Small SaaS (IG1). The 56 IG1 safeguards are tractable for a 10-50 employee SaaS company over six months. The dominant work is asset inventory, identity hygiene (SSO, MFA, joiner-mover-leaver process), and backup verification. Many founders fold the CIS Controls into their SOC 2 program because the IG1 safeguards substantially cover the SOC 2 Security Trust Services Criterion. See the build a compliance program guide for the integrated approach.

Mid-market (IG2). Companies in the 100-500 employee range typically need IG2 because enterprise buyers require it or regulatory pressure (HIPAA, GLBA) demands it. New work over IG1: centralized log management, network segmentation, application allow-listing, and formal vendor management. Budget 12-18 months on top of IG1.

Defense contractors and CUI handlers. Companies in the Defense Industrial Base typically use the CIS Controls as the day-to-day operational framework and the NIST SP 800-171 control set as the assessment framework. The two map well, and CMMC assessors are familiar with this pattern. See the NIST 800-171 compliance guide for the CMMC mechanics.

Public companies and critical infrastructure. SOX-regulated public companies wrap the CIS Controls around their IT general controls; the safeguards covering access management, change control, and audit logging map into SOX ITGC families. Energy, water, and transportation operators align CIS alongside sector-specific requirements such as NERC CIP. CISA references the CIS Controls as a recommended baseline for state, local, tribal, and territorial governments and small critical infrastructure operators.

Common pitfalls (and how to avoid them)

Starting with the Benchmarks instead of the Controls. Engineering teams love the Benchmarks because they are concrete. But applying Windows hardening before you have an asset inventory leaves you hardening the wrong systems. Always start with Controls 1 and 2.

Skipping IG1 to chase IG2 or IG3. Half-implementing IG1 while picking favorite safeguards from IG2 produces a Swiss-cheese program that looks comprehensive on paper but fails under audit. Complete IG1 first.

Treating the framework as a checklist. The CIS Controls are continuous operating practices, not project deliverables. A safeguard that says "establish and maintain" requires ongoing operation. Auditors and breach litigants look for evidence of continuous operation.

Ignoring the cross-walk. Many programs implement the CIS Controls and then re-implement NIST CSF separately, doing the same work twice. The cross-walk documents are free. Use them to demonstrate one implementation against multiple frameworks.

Manual evidence collection. Programs that ship screenshots quarterly spend 3-5x more effort than programs that pipe configuration state and access reviews automatically into a GRC platform.

Tools and platforms for CIS Controls implementation

The tooling landscape is fragmented because the safeguards span identity, endpoint, network, cloud, and application domains. No single tool covers everything. A typical IG2 program touches 8-15 distinct tools.

Safeguard area | Typical tooling category | Examples
Asset inventory (Controls 1, 2) | Attack surface management, CMDB, cloud security posture | Axonius, Runzero, Wiz, Lansweeper
Identity (Controls 5, 6) | IdP, SSO, MFA, PAM | Okta, Microsoft Entra ID, JumpCloud, CyberArk, Teleport
Configuration (Control 4) | CIS Benchmark scanners, CSPM, IaC scanning | CIS-CAT Pro, Wiz, Prisma Cloud, Tenable, Checkov
Vulnerability management (Control 7) | VM scanners, EDR vulnerability modules | Tenable, Qualys, Rapid7, CrowdStrike Falcon Spotlight
Logging and SIEM (Controls 8, 13) | SIEM, log aggregation | Splunk, Elastic, Sumo Logic, Datadog Cloud SIEM
Endpoint defense (Control 10) | EDR, XDR | CrowdStrike, SentinelOne, Microsoft Defender for Endpoint
Backup and recovery (Control 11) | Backup with immutability and tested recovery | Rubrik, Cohesity, Veeam, AWS Backup with vault lock
GRC and evidence (cross-cutting) | Compliance automation platforms | Drata, Vanta, Secureframe, AuditBoard

Smaller organizations sometimes consolidate by selecting an MSSP that bundles asset discovery, EDR, SIEM, and vulnerability management under one contract. The trade-off is reduced visibility for lower headcount.

Frequently Asked Questions

What is a CIS control?

A CIS control is one of the 18 prioritized defensive activities published by the Center for Internet Security. Each control covers a defensive domain (asset inventory, access control, logging, incident response) and contains specific safeguards. v8.1 has 18 controls and 153 safeguards covering the major attack paths identified in the NIST Cybersecurity Framework.

What are the CIS top 20 controls?

The "top 20" name refers to v7 and earlier. v8 consolidated related controls into broader categories, dropping the count to 18. Articles referencing "CIS top 20" are using v7 terminology. The current list is the 18 controls in v8.1, organized into Implementation Groups IG1, IG2, and IG3.

What is the difference between CIS and NIST controls?

The CIS Controls are a prioritized list of 18 prescriptive defensive activities aimed at organizations of any size. The NIST Cybersecurity Framework and NIST SP 800-53 are broader frameworks aimed primarily at federal agencies and contractors. They are designed to coexist: NIST CSF for governance, the CIS Controls for prioritized execution, NIST 800-53 as the detailed control catalog.

What are the CIS 18 controls?

The 18 controls in v8.1 are: Inventory and Control of Enterprise Assets, Inventory and Control of Software Assets, Data Protection, Secure Configuration, Account Management, Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring and Defense, Security Awareness Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing.

Are the CIS Controls free, and is there a certification?

The Controls, Benchmarks, navigator, and all mapping documents are free downloads. CIS SecureSuite membership ($2,500 to $52,500 annually) adds CIS-CAT Pro automated assessment and customizable Benchmark profiles. There is no formal CIS certification: no auditor, no badge. Organizations validate through internal assessment, third-party consulting, or by mapping CIS to a framework that does certify (ISO 27001 or CMMC).

How long does CIS Controls implementation take?

For a sub-100-employee organization targeting IG1, six months is realistic with a half-FTE to full-FTE of effort. For mid-market targeting IG2, plan 12-18 months on top of IG1. For enterprise IG3, expect 24-36 months. The dominant variable is environment heterogeneity, not headcount.

Bottom line

The CIS Controls are the most practical cybersecurity framework available in 2026. They prioritize the work, scope it by organization size, map cleanly to every other major framework, and cost nothing to adopt. For most organizations under 500 employees, they are the right starting point, with NIST CSF for governance reporting and ISO 27001 or SOC 2 for external attestation when buyers demand it.

The companies that get the most out of the framework treat it as a continuous operating practice. They start with asset inventory and identity, apply the Benchmarks through configuration management code, and automate evidence collection from day one. The companies that struggle treat it as a checklist, skip IG1, and end up with partial implementations across multiple groups.

For broader context, see the cybersecurity compliance guide, build a compliance program guide, and the cybersecurity compliance checklist.

Security Compliance Guide Editorial Team
Author
Security Compliance Guide Editorial Team covers topics in this category and related fields. Views expressed are editorial and based on research and experience.