
CIS Critical Security Controls v8.1
safeguard assessment, mapping, and evidence

The CIS Critical Security Controls are a prioritised set of defensive actions published by the Center for Internet Security. Run CIS Controls v8.1 assessments across all 18 controls and 153 safeguards, scope by Implementation Group (IG1, IG2, IG3), and produce evidence packs that hold up alongside ISO 27001, NIST CSF, and PCI DSS.

No credit card required. Free plan available forever.

CIS Controls v8.1: a prioritised, defender-first catalogue

The CIS Critical Security Controls are a prioritised set of defensive actions published by the Center for Internet Security. Version 8.1, released to align with NIST CSF 2.0, consolidates the historical SANS Top 20 lineage into 18 controls and 153 safeguards. The catalogue is defender-first by design: each safeguard is written as something a security team actually does, not as an outcome to interpret. CIS Controls are widely adopted by small and mid-size enterprises, used as a baseline by managed service providers, and cited in regulatory expectations from the FTC Safeguards Rule to several US state breach laws.

CIS Controls overlap heavily with the NIST Cybersecurity Framework and the NIST SP 800-53 catalogue, and CIS publishes mappings to both. The difference is intent: NIST CSF is an outcome model for executive communication, SP 800-53 is the comprehensive control catalogue used for FISMA and FedRAMP, and the CIS Controls are the tactical, prioritised list a working team can implement first. Many programmes use NIST CSF for board reporting, CIS Controls for the operating safeguard set, and 800-53 only when required for federal authorisation.

For Australian entities, the closest companion is the Essential Eight, which is also a prioritised technical control set with a maturity model. CIS Controls cover a wider surface area; the Essential Eight is denser per strategy and has a strong regulatory footing under the Australian Government Protective Security Policy Framework. Many programmes adopt both with a mapping spreadsheet so the same evidence answers both catalogues.

Implementation Groups: scoping before safeguards

CIS v8.1 organises safeguards into three Implementation Groups (IGs) so an organisation does not implement every safeguard from day one. Pick the IG that matches the data sensitivity, threat profile, and operational maturity of the entity. IG selection is the single most consequential scoping decision in a CIS Controls programme, because every safeguard count and every audit conversation flows from it.

IG1: essential cyber hygiene

Designed for small and medium organisations with limited IT and cybersecurity expertise where the data sensitivity is low to moderate. IG1 covers 56 foundational safeguards focused on inventory, configuration, account management, vulnerability management, and incident response basics. CIS positions IG1 as the floor every enterprise should reach before considering bespoke controls.

IG2: enterprise-grade controls

Aimed at organisations with multiple departments, varying risk profiles, and IT staff that can run a managed security programme. IG2 adds 74 safeguards on top of IG1, totalling 130. The additions cover network monitoring, log analysis, supplier security, service account management, and more rigorous configuration baselines.

IG3: mature, target-rich environments

Aimed at enterprises with sensitive or regulated data, where confidentiality, integrity, and availability failures could have severe operational, financial, or safety consequences. IG3 adds 23 further safeguards (153 total) on penetration testing, red team exercises, advanced detection, and resilience testing.

How to think about the 18 controls

Reading CIS v8.1 control by control is straightforward but tells you little about how to run the programme. The grouping below is operational: it reflects the kind of evidence each cluster produces and the type of engagement that tends to feed it. Treat it as a planning aid, not a replacement for the official safeguard list.

Foundational visibility (Controls 1 to 3)

Inventory of enterprise assets, inventory of software assets, data protection

These three controls are the precondition for every other control. A control like Continuous Vulnerability Management (Control 7) is only as good as the asset list it scans. Tie attack surface, subdomain enumeration, and authenticated scan output to the asset register so safeguards 1.1, 1.2, and 2.1 are evidence-backed rather than aspirational.

Hardening and access (Controls 4 to 6)

Secure configuration, account management, access control management

Authenticated scan output is the highest-signal evidence here. Configuration drift, default credentials, missing MFA, and dormant accounts all become tracked findings with an owner and a target date. Pair safeguard 4.7 (manage default accounts) and 5.3 (disable dormant accounts) with the scan window that produced the evidence.

Continuous vulnerability and audit (Controls 7 and 8)

Continuous vulnerability management, audit log management

Control 7 is explicit that vulnerability scanning is an ongoing activity, not an annual event. Schedule daily, weekly, or monthly scans aligned to asset criticality, retain raw output, and link each scan back to the asset list. Audit log content, retention, and review evidence (8.1 to 8.11) sit alongside the same engagement record so the assessor sees a single thread rather than scattered exports.

Endpoint and infrastructure (Controls 9 to 12)

Email and web browser protections, malware defenses, data recovery, network infrastructure

Configuration findings, missing antimalware builds, untested backups, and over-permissive network rules each map to a specific safeguard. Recovery and network controls benefit from being tied to engagement scope so a network architecture review and a backup tabletop both feed the same evidence pack.

Detection, awareness, and supplier (Controls 13 to 15)

Network monitoring and defense, security awareness, service provider management

Detection coverage gaps and training records are usually scattered across SIEM exports, LMS reports, and procurement folders. Treat each gap as a finding, link supplier security questionnaires to the supplier record, and tie supplier-side incidents back to safeguards 15.4 and 15.7 so concentration risk is visible.

Application security and response (Controls 16 to 18)

Application software security, incident response, penetration testing

SAST and SCA output drives 16.1 through 16.14, including dependency tracking, vulnerability remediation timelines, and threat modeling evidence. Incident records cover 17.1 to 17.9, and every penetration test engagement, finding, and re-test feeds 18.1 to 18.5 with the report retained as evidence.

Scoping without losing the audit trail

CIS scoping decisions tend to look obvious at the time and confusing six months later. Capture every decision (which IG, which safeguards deferred, which compensating controls applied, which assets and providers in and out of scope) in a single record tied to the engagement so the chain of reasoning survives staff turnover and the next assessment cycle.

  • Pick the Implementation Group based on the data sensitivity, threat profile, and operational maturity of the entity, not on aspirational maturity targets
  • Document why an IG was chosen and which safeguards within that IG are deferred, modified, or compensated for, with rationale
  • Map enterprise assets, software, data, and service providers before claiming any safeguard as Implemented
  • Treat safeguard status as a discrete state at the point of evidence (Implemented, Partially Implemented, or Not Implemented), not as a sliding score
  • Keep one source of record for safeguard status, evidence artefacts, and remediation actions so the same data answers the assessor and the audit committee
  • Refresh the scope record whenever the asset boundary, data classification, or service provider mix changes, not only on the annual review

Turning safeguard gaps into tracked work

The CIS Self Assessment Tool (CSAT) gives a snapshot of safeguard status, but a snapshot is not a programme. Every Not Implemented or Partially Implemented safeguard should produce a remediation item with a planned fix, target date, and owner. SecPortal's findings management is built around the same model: a finding has severity, an owner, a control mapping, and a remediation timeline. Treat the safeguard register as a live view of open work, not a quarterly export.

  • Open a remediation item the moment a safeguard is found Not Implemented or Partially Implemented during scanning, audit, or attestation
  • Capture the safeguard reference, asset scope, severity, owner, and the evidence pointer per item
  • Record the planned remediation steps, milestones, target completion date, and any compensating controls applied during the gap
  • Track schedule slippage explicitly: original date, current date, reason for change, approving authority
  • Close the item only after re-test or recheck evidence is captured and tied back to the original finding
  • Roll status into the safeguard register so the picture stays current rather than drifting between reviews
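As an added illustration of the scoping rules and the remediation-item steps in the two lists above (example code written for this page, not SecPortal's or CIS's own): a minimal safeguard register in Python that filters by Implementation Group, refuses to mark a safeguard Implemented without an evidence pointer, opens one remediation item per gap, records schedule slippage with its approver, and closes an item only against re-test evidence tied back to the same safeguard. The class and function names are hypothetical, and any IG assignment in sample data is constructed for illustration; take the real ones from the CIS v8.1 safeguard list.

```python
# Hypothetical safeguard register; names and IG assignments are illustrative.
from dataclasses import dataclass, field

IG_RANK = {"IG1": 1, "IG2": 2, "IG3": 3}  # IG2 includes IG1, IG3 includes both

@dataclass
class Safeguard:
    ref: str                     # CIS safeguard reference, e.g. "7.5"
    min_ig: str                  # lowest IG at which the safeguard applies
    status: str = "Not Implemented"
    evidence: list = field(default_factory=list)  # pointers to retained artefacts

@dataclass
class RemediationItem:
    safeguard: str               # safeguard reference this item remediates
    owner: str
    target: str                  # ISO date, e.g. "2025-06-30"
    slips: list = field(default_factory=list)     # (old, new, reason, approver)
    closed: bool = False

def in_scope(register, chosen_ig):
    """Safeguards that apply at the chosen Implementation Group."""
    return [s for s in register if IG_RANK[s.min_ig] <= IG_RANK[chosen_ig]]

def set_status(s, status, evidence=None):
    """Status is a discrete state; 'Implemented' requires an evidence pointer."""
    if status == "Implemented" and not evidence:
        raise ValueError(f"{s.ref}: cannot claim Implemented without evidence")
    if evidence:
        s.evidence.append(evidence)
    s.status = status

def open_gaps(register, chosen_ig, owner, target):
    """One remediation item per in-scope safeguard that is not fully implemented."""
    return [RemediationItem(s.ref, owner, target)
            for s in in_scope(register, chosen_ig) if s.status != "Implemented"]

def slip(item, new_target, reason, approver):
    """Record slippage explicitly instead of silently overwriting the date."""
    item.slips.append((item.target, new_target, reason, approver))
    item.target = new_target

def close_item(item, safeguard, retest_evidence):
    """Close only when re-test evidence is captured against the same safeguard."""
    if item.safeguard != safeguard.ref:
        raise ValueError("re-test evidence must tie back to the original finding")
    set_status(safeguard, "Implemented", retest_evidence)
    item.closed = True
```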

Continuous vulnerability management (Control 7) without the manual lift

CIS Control 7 is the safeguard most likely to fall behind in real environments because it requires sustained operational rhythm rather than a one-shot project. Schedule scans on a cadence aligned to asset criticality (daily for internet-facing critical systems, weekly for internal critical, monthly for low-impact), retain raw output, and link each scan back to the asset list. The continuous monitoring workflow and external scanning capability are designed to produce that record without manual chasing. Pair them with the vulnerability assessment workflow so each scan run is tied to an engagement, an asset list, and a safeguard mapping.

Penetration testing (Control 18) as a programme, not a deliverable

Control 18 is added at IG2 (external) and IG3 (external and internal). The safeguards require not only the test itself but also the scope record, periodic cadence, finding remediation, and re-test evidence. The penetration testing workflow captures scope, methodology, findings, retests, and the deliverable inside one engagement record. For consultancies running CIS-aligned pentests on behalf of clients, the security consultants workspace bundles that with branded client portals, AI report generation, and findings deduplication across engagements.

Evidence the assessor actually wants

Evidence packs fail review when artefacts are scattered across drives, ticket systems, and screenshots without a clear link back to a safeguard. Build the bundle as you go, keep raw scanner output alongside the summary, and tie every artefact to the engagement. The narrative writes itself when the underlying record is consistent.

  • Scope and applicability statement (entity boundary, IG selection, data classification, service providers in and out of scope)
  • Asset inventory aligned to safeguard 1.1 with software inventory aligned to safeguard 2.1, refreshed on a documented cadence
  • Authenticated and external scanner output retained per asset and per scan window for safeguards 4.1 to 4.7 and 7.5 to 7.7
  • Account and access review records covering MFA enforcement, dormant account checks, and privilege separation for Controls 5 and 6
  • Audit log content, retention, alerting, and review samples aligned to safeguards 8.1 through 8.11
  • Penetration testing engagement record, report, and re-test evidence aligned to safeguards 18.1 through 18.5
  • Incident records, post-incident reviews, and tabletop exercise notes aligned to Control 17
  • Service provider register with classification, security clauses, and incident links aligned to Control 15
  • CIS Controls Self Assessment Tool (CSAT) export or equivalent safeguard register with status, owner, and evidence per item

Where SecPortal fits in the CIS Controls workflow

SecPortal is the operating layer for the CIS programme, not a replacement for CIS guidance or the assessor. The platform handles scope, scans, findings, safeguard mapping, remediation tracking, and the assessor-ready output, so the assessment runs as a structured workflow rather than a long email thread. Compliance tracking covers CIS Controls alongside the other frameworks an entity frequently has to satisfy, including ISO 27001, SOC 2, PCI DSS, and Cyber Essentials Plus.

  • Compliance tracking that maps every finding to a CIS safeguard alongside ISO 27001, SOC 2, NIST CSF, NIST SP 800-53, and PCI DSS so a single system carrying multiple authorisations does not mean duplicating evidence
  • Findings management with CVSS 3.1 scoring, 300+ templates, and Nessus or Burp Suite imports so existing scanner output flows into the safeguard register
  • 16-module external scan covering CVE correlation, exposed services, weak TLS, and outdated software for Controls 1, 2, 7, and 12 evidence
  • 17-module authenticated scan running behind login or with stored credentials for Controls 4, 5, 6, and 10 evidence on workstations and applications
  • Code scanning (SAST and SCA) for Control 16 evidence, with GitHub, GitLab, and Bitbucket connections so the same engagement covers application security alongside infrastructure
  • Continuous monitoring with scheduled scans (daily, weekly, monthly) and trend tracking to satisfy Control 7 cadence requirements
  • Attack surface management for safeguards 1.5 and 2.5 evidence on assets and software discovered outside the planned inventory
  • AI report generation that turns safeguard results, findings, and remediation actions into an assessor-ready narrative with executive summary, technical detail, and remediation roadmap

For programmes that need threat-informed test evidence on top of the safeguard catalogue, the MITRE ATT&CK framework page covers how to tag findings by tactic and technique, which strengthens the Control 13, 17, and 18 evidence trail without changing the underlying assessment workflow.

Looking for a complementary assessor-side workflow? The compliance audits use case captures how to run multi-framework assessments where CIS Controls evidence is reused across ISO 27001, NIST CSF, and SOC 2 control mappings without rebuilding the bundle from scratch.

Key control areas

SecPortal helps you track and manage compliance across these domains.

Controls 1 to 3: Inventory and data

Cover Inventory and Control of Enterprise Assets (Control 1), Inventory and Control of Software Assets (Control 2), and Data Protection (Control 3). Tie subdomain enumeration, attack surface output, and authenticated scan inventory to safeguards 1.1, 1.2, 2.1, 2.2, and 3.1 so the asset and data picture is evidence-backed, not a spreadsheet snapshot.

Controls 4 to 6: Configuration, accounts, and access

Map Secure Configuration of Enterprise Assets and Software (Control 4), Account Management (Control 5), and Access Control Management (Control 6). Authenticated scan output drives 4.1 to 4.7 evidence; account separation and MFA tests cover 5.1 to 5.6 and 6.3 to 6.5 with screenshots and dates per safeguard.

Controls 7 to 8: Vulnerability management and audit logs

Cover Continuous Vulnerability Management (Control 7) and Audit Log Management (Control 8). Schedule recurring external and authenticated scans for 7.1, 7.5, 7.6, and 7.7. Capture log content, retention, alerting, and review evidence for 8.1 through 8.11 alongside the underlying scan and finding records.

Controls 9 to 12: Email, malware, recovery, and network

Map Email and Web Browser Protections (Control 9), Malware Defenses (Control 10), Data Recovery (Control 11), and Network Infrastructure Management (Control 12). Pair test results with the safeguard so a missing browser policy, an outdated antimalware build, or an unrestricted firewall rule each becomes a tracked finding with an owner.

Controls 13 to 15: Monitoring, awareness, and supplier risk

Cover Network Monitoring and Defense (Control 13), Security Awareness and Skills Training (Control 14), and Service Provider Management (Control 15). Tie tabletop and detection coverage findings to 13.1 to 13.11. Track training completion records under 14.1 to 14.9 and supplier security questionnaires, contracts, and incidents under 15.1 to 15.7.

Controls 16 to 18: Software, response, and testing

Map Application Software Security (Control 16), Incident Response Management (Control 17), and Penetration Testing (Control 18). SAST and SCA output drives 16.1 to 16.14. Incident records cover 17.1 to 17.9. Each penetration test engagement, scope, finding, and re-test feeds 18.1 to 18.5 directly, with the report retained as evidence.

Run CIS Controls assessments without spreadsheet sprawl

Map findings to all 18 controls and 153 safeguards, scope by Implementation Group, and export an assessor-ready evidence pack. Start free.
