October 20, 2025

CIS Controls v8 Guide

Written by
Rebecca Williams
GRC Consultant

The Center for Internet Security (CIS) publishes the CIS Controls, a globally recognized set of best practices for securing IT systems and data against current threats. Version 8 (v8) reflects the shift to cloud services, remote work, and hybrid IT environments, giving organizations of any size a modern framework for setting their cybersecurity priorities.

What are CIS controls?

The CIS Controls are a prioritized set of security practices that help organizations defend against the most pervasive cyberattacks. The controls are built around practical, implementable steps that can be tailored to organizations of any size or maturity level.

Originally designed for traditional IT infrastructure, the controls have evolved to address today's mix of on-premises, cloud, and hybrid environments. They provide a common foundation for building measurable cybersecurity programs and map cleanly to other frameworks such as NIST CSF and ISO 27001.

What’s new in v8?

Version 8 consolidates the previous framework and uses language that matches how organizations actually operate today. The most notable changes are:

  • The number of controls has been reduced from 20 to 18, removing overlap and making the framework simpler to implement and to assess against.
  • Controls are organized by activity rather than by who manages a device, so they apply to assets wherever they live: on-premises, in the cloud, on remote workers' devices, or with a service provider, not only inside a traditional network perimeter.
  • Protection follows the data, regardless of where it is stored or processed.
  • Implementation Groups (IG1, IG2 and IG3), first introduced in v7.1, are now used throughout to prioritize Safeguards by an organization's risk profile and resources.
  • Clearer links to risk management, so that business priorities drive which controls are implemented first.

Together these changes make the framework more flexible and keep it relevant in today's hybrid and changing environments.

18 Controls Overview

CIS Controls v8 is organized into 18 Controls. Each Control is broken down into specific, measurable Safeguards (153 in total across v8) that give teams actionable steps for building defenses across people, processes, and technology. The 18 Controls are:

01

Inventory of Enterprise Assets

Track and manage hardware across environments; tie ownership and lifecycle to risk and patch processes.

02

Inventory of Software Assets

Maintain authorized software lists and usage.

03

Data Protection

Classify, encrypt, and control access to sensitive data.

04

Secure Configuration

Harden systems and enforce configuration baselines.

05

Account Management

Provisioning, reviews, and removals for all accounts.

06

Access Control Management

Least privilege and periodic privileged reviews.

07

Vulnerability Management

Scan, prioritize, and remediate on SLAs.

08

Audit Log Management

Centralize and retain logs for detection and forensics.

09

Email and Browser Protections

Filter malicious content and enforce safe defaults.

10

Malware Defenses

Deploy managed detection and prevention controls.

11

Data Recovery

Backups, restore tests, and recovery objectives.

12

Network Infrastructure

Segmentation, secure protocols, and managed devices.

13

Network Monitoring and Defense

Telemetry, IDS, and traffic baselining.

14

Security Awareness Training

Role-based training with phishing simulations.

15

Service Provider Management

Due diligence and ongoing vendor monitoring.

16

Application Security

Secure SDLC, code review, and dependency scanning.

17

Incident Response Management

Plans, roles, exercises, and lessons learned.

18

Penetration Testing

Controlled adversarial testing and remediation.

Each Safeguard is assigned to an Implementation Group (IG). The groups are cumulative: IG2 includes every IG1 Safeguard, and IG3 includes every IG2 Safeguard, so they represent increasing levels of cybersecurity maturity.

Implementation Groups (IG1, IG2, IG3)

IG1: Essential cyber hygiene

The 56 Safeguards in IG1 are the minimum standard of information security for every enterprise. Start with asset and software inventories, secure configurations, account and access control, vulnerability management, and basic logging. IG1 reduces the attack surface quickly with controls that are feasible for small teams with limited security expertise.

IG2: Enterprises with dedicated IT staff and sensitive data

IG2 adds 74 Safeguards (130 in total) for organizations that run infrastructure for multiple departments with differing risk profiles and that store or process sensitive customer or enterprise information, for example automated asset discovery, internal and external vulnerability scanning, and application allowlisting.

IG3: Mature security programs and regulatory exposure

IG3 adds the remaining 23 Safeguards (153 in total) for organizations that employ security specialists and whose assets and data are subject to regulatory oversight or targeted attack, such as passive asset discovery and script allowlisting.

Each group builds on the last, so organizations can scale their security investment as maturity grows.

Why CIS v8 Matters

CIS Controls v8 supports organizations in their transition to proactive resilience instead of reactive patching. It provides a clear, data-driven foundation to focus on protecting critical assets while maintaining some flexibility to address new and emerging threats.

Benefits of implementing CIS Controls v8 include:

  • A practical, prioritized set of steps that address real-world threats
  • Alignment with leading standards and frameworks such as NIST CSF and ISO 27001
  • Measurable progress through the Implementation Groups
  • A shared vocabulary for both technical and executive-level stakeholders
  • Support for cloud and hybrid IT environments

Organizations that implement CIS v8 protect themselves and their stakeholders, and gain a common basis for accountability, readiness, and continuous improvement of their cybersecurity posture.

Implementation steps

To adopt the CIS Controls effectively, organizations should follow a phased approach:

Define scope and objectives: identify which systems, data, and environments are in scope for implementation.

Assess current security posture: map existing controls to CIS requirements and identify gaps.

Prioritize safeguards by risk and IG level: determine which implementation group applies and focus efforts accordingly.

Develop and document policies: align new controls with existing governance, policies, and training programs.

Implement controls and validate: roll out safeguards in waves, performing validation through testing and monitoring.

Continuously measure and improve: use metrics to assess maturity and refine controls as the environment evolves.
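The assessment, prioritization and measurement steps above reduce to one calculation once Safeguards are tracked against their IG assignment. The following script is an added example (not from this page, CIS, or any product): it runs a gap assessment over a constructed subset of v8 Safeguards from Controls 1, 2 and 7 (IDs and IG levels follow the v8 publication, titles are abbreviated; a real assessment would load all 153 Safeguards from the CIS spreadsheet), with a constructed "implemented" set standing in for an organization's current state. Because IGs are cumulative, coverage for a target IG counts every Safeguard at or below that level, and the gap list is ordered lowest IG first, since those are the prerequisites for the rest.

```python
"""Implementation Group gap assessment over a constructed subset of CIS v8 Safeguards."""
from collections import defaultdict

# Constructed sample: Safeguard ID -> (abbreviated title, Implementation Group).
# IDs and IG assignments follow CIS Controls v8; this is only a subset of the 153.
SAFEGUARDS = {
    "1.1": ("Detailed enterprise asset inventory", 1),
    "1.2": ("Address unauthorized assets", 1),
    "1.3": ("Active discovery tool", 2),
    "1.4": ("DHCP logging for inventory", 2),
    "1.5": ("Passive asset discovery tool", 3),
    "2.1": ("Software inventory", 1),
    "2.2": ("Authorized software is supported", 1),
    "2.3": ("Address unauthorized software", 1),
    "2.4": ("Automated software inventory tools", 2),
    "2.5": ("Allowlist authorized software", 2),
    "2.6": ("Allowlist authorized libraries", 2),
    "2.7": ("Allowlist authorized scripts", 3),
    "7.1": ("Vulnerability management process", 1),
    "7.2": ("Remediation process", 1),
    "7.3": ("Automated OS patch management", 1),
    "7.4": ("Automated application patch management", 1),
    "7.5": ("Automated internal vulnerability scans", 2),
    "7.6": ("Automated external vulnerability scans", 2),
    "7.7": ("Remediate detected vulnerabilities", 2),
}

# Constructed current-state assessment: Safeguards the organization has in place.
IMPLEMENTED = {"1.1", "2.1", "2.2", "7.1", "7.3", "7.5", "2.5"}


def required_for(target_ig, safeguards=SAFEGUARDS):
    """IGs are cumulative: IG2 requires every IG1 Safeguard, IG3 every IG2 one."""
    if target_ig not in (1, 2, 3):
        raise ValueError(f"unknown Implementation Group: {target_ig}")
    return {sid for sid, (_, ig) in safeguards.items() if ig <= target_ig}


def coverage(target_ig, implemented=IMPLEMENTED, safeguards=SAFEGUARDS):
    """Return (implemented_count, required_count, percent) for a target IG."""
    required = required_for(target_ig, safeguards)
    done = required & implemented
    return len(done), len(required), round(100 * len(done) / len(required), 1)


def gaps(target_ig, implemented=IMPLEMENTED, safeguards=SAFEGUARDS):
    """Missing Safeguards needed to reach target_ig, grouped by Control number.

    Ordered lowest IG first, then by Safeguard ID: the IG1 items are the
    cheapest, highest-value work and prerequisites for the higher groups.
    """
    missing = required_for(target_ig, safeguards) - implemented
    by_control = defaultdict(list)
    for sid in sorted(missing, key=lambda s: (safeguards[s][1], *map(int, s.split(".")))):
        by_control[int(sid.split(".")[0])].append(sid)
    return dict(by_control)


def out_of_scope(target_ig, implemented=IMPLEMENTED, safeguards=SAFEGUARDS):
    """Implemented Safeguards above the target IG: useful, but not counted toward it."""
    return sorted(implemented - required_for(target_ig, safeguards))


if __name__ == "__main__":
    for ig in (1, 2, 3):
        done, req, pct = coverage(ig)
        print(f"IG{ig}: {done}/{req} Safeguards implemented ({pct}%)")
    print("Gaps to close for IG1:", gaps(1))
    print("Implemented but above IG1:", out_of_scope(1))
```

Reporting coverage for all three groups at once shows the effect of the cumulative definition: in the sample, implementing two IG2 Safeguards before closing the four open IG1 items leaves IG1 at 5 of 9, which is what the gap list surfaces first.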

CIS v8 implementation checklist

Scope assets and data

Define in-scope systems, data classes, and boundaries.

Baseline IG level

Select IG1, IG2, or IG3 based on risk and resources.

Harden configurations

Apply secure baselines across endpoints, servers, and cloud.

Centralize logging

Enable collection and retention for detection and forensics.

Vulnerability remediation

Set SLAs and track closure with metrics.

Access governance

MFA, least privilege, and periodic access reviews.

Backup and restore tests

Validate recovery objectives and document outcomes.

IR planning and drills

Run exercises and capture lessons learned.
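The "set SLAs and track closure with metrics" item on the checklist is where Control 7 becomes measurable. The script below is an added example (not from this page, CIS, or any scanner): it evaluates a constructed set of findings against an assumed per-severity SLA policy (the day counts are an example policy, not values CIS prescribes; Safeguard 7.2 asks for a documented remediation process with timelines but does not fix them), classifies each finding as closed in or out of SLA or open and overdue, and produces the compliance rate, mean time to remediate, and the overdue work queue. Two edge cases are handled deliberately: a severity the policy does not know (a scanner label mismatch) is held to the strictest SLA rather than silently escaping it, and open findings still inside their SLA window are excluded from the compliance rate because they are neither a pass nor a fail yet.

```python
"""Remediation SLA tracking over a constructed set of vulnerability findings."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days per severity: an example policy, not a CIS-mandated value.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    closed: Optional[date] = None  # None while the finding is still open


def sla_deadline(finding):
    """Date by which the finding must be closed. Unknown severities are treated
    as critical so that a label mismatch never silently relaxes the SLA."""
    days = SLA_DAYS.get(finding.severity.lower(), SLA_DAYS["critical"])
    return finding.discovered + timedelta(days=days)


def classify(finding, as_of):
    """One of: closed_in_sla, closed_late, open_in_sla, open_overdue."""
    deadline = sla_deadline(finding)
    if finding.closed is not None:
        if finding.closed < finding.discovered:
            raise ValueError(f"{finding.finding_id}: closed before discovered")
        return "closed_in_sla" if finding.closed <= deadline else "closed_late"
    return "open_in_sla" if as_of <= deadline else "open_overdue"


def sla_metrics(findings, as_of):
    """Counts per state, SLA compliance rate, and mean time to remediate for closed findings."""
    counts = {"closed_in_sla": 0, "closed_late": 0, "open_in_sla": 0, "open_overdue": 0}
    ttr = []
    for f in findings:
        counts[classify(f, as_of)] += 1
        if f.closed is not None:
            ttr.append((f.closed - f.discovered).days)
    # Only findings whose SLA clock has run out count toward compliance;
    # open findings still within SLA are not yet a pass or a fail.
    decided = counts["closed_in_sla"] + counts["closed_late"] + counts["open_overdue"]
    rate = round(100 * counts["closed_in_sla"] / decided, 1) if decided else None
    mttr = round(sum(ttr) / len(ttr), 1) if ttr else None
    return {"counts": counts, "sla_compliance_pct": rate, "mttr_days": mttr}


def overdue(findings, as_of):
    """Open findings past their SLA as (finding, days_overdue), most overdue first."""
    items = [(f, (as_of - sla_deadline(f)).days) for f in findings
             if classify(f, as_of) == "open_overdue"]
    return sorted(items, key=lambda pair: -pair[1])


# Constructed sample findings (not real scanner output).
AS_OF = date(2025, 10, 20)
FINDINGS = [
    Finding("F-1", "web-01", "critical", date(2025, 9, 1), date(2025, 9, 5)),  # closed in 4 days
    Finding("F-2", "web-01", "high", date(2025, 8, 1), date(2025, 9, 15)),     # closed after 45 days, late
    Finding("F-3", "db-02", "critical", date(2025, 10, 1)),                    # open, past the 7-day SLA
    Finding("F-4", "db-02", "medium", date(2025, 10, 1)),                      # open, within the 90-day SLA
    Finding("F-5", "vpn-gw", "Unknown", date(2025, 10, 10)),                   # unknown severity, critical SLA
]

if __name__ == "__main__":
    print(sla_metrics(FINDINGS, AS_OF))
    for f, days in overdue(FINDINGS, AS_OF):
        print(f"{f.finding_id} on {f.asset} ({f.severity}) is {days} day(s) past SLA")
```

Run on the sample, the compliance rate is 25% (one of four findings with an expired clock was closed in time) and the work queue lists F-3 twelve days overdue ahead of F-5. Wiring the same functions to a scanner export and re-running them on a schedule gives the trend line that an IG1 program needs to show that Safeguards 7.1 and 7.2 are actually operating rather than just documented.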

The CIS Controls v8 program offers an explicit and concrete path for organizations to measurably improve their cybersecurity posture. It brings strategy, operations, and technology together under one set of actionable priorities that evolve as the threat landscape evolves.

Platforms like Complyance allow teams to not just automate evidence collection and map CIS safeguards with other frameworks, but to continuously track maturity across Implementation Groups. It’s the transition from a checklist to a living cybersecurity program.


FAQs

Is CIS v8 mandatory for compliance? No. The CIS Controls are voluntary best practices, though many frameworks and insurers reference them as a baseline for good security.

How often should organizations review their CIS compliance? Annually at a minimum, or whenever major infrastructure, vendor, or data changes occur.

Can CIS v8 replace ISO 27001 or NIST CSF? No. It complements them. CIS focuses on operational security practices, while ISO and NIST address broader management and governance.

How do the Implementation Groups compare to maturity models like C2M2? They serve a similar purpose, providing a scalable way to measure and improve cybersecurity capability.

Complyance is the AI powered, end-to-end GRC platform