ControlMap

CIS Controls v8

The CIS Critical Security Controls v8 are a prioritized set of best practices for defending against the most common cyber attacks. Developed by the Center for Internet Security, they provide actionable guidance organized into 18 control groups covering inventory management, access control, data protection, and incident response.

90%
Coverage
44
Controls Covered
5
Gaps
49
Total Controls

Covered Controls

Controls that have explicit mappings to CIS v8 requirements.

Govern (3 controls)

Gp Governance Policy
CIS 1.1
 Rm Risk Management
CIS 1.2
 Rr Roles & Responsibilities
CIS 1.3

Identify (5 controls)

Am Asset Management
CIS 1.1, CIS 2.1
 Ra Risk Assessment
CIS 7.1
 Da Data Classification
CIS 3.1, CIS 3.7
 Vn Vulnerability Mgmt
CIS 7.1, CIS 7.2, CIS 7.4
 Ti Threat Intelligence
CIS 13.8

Protect (21 controls)

Aw Awareness & Training
CIS 14.1, CIS 14.2
 Ac Access Control
CIS 5.1, CIS 6.1, CIS 6.2
 Mf Multi-Factor Auth
CIS 6.3, CIS 6.4, CIS 6.5
 En Encryption
CIS 3.6, CIS 3.9, CIS 3.10
 Dp Data Protection
CIS 3.1, CIS 3.10, CIS 3.12
 Bk Backup & Recovery
CIS 11.1, CIS 11.2, CIS 11.4
 Pa Privileged Access
CIS 5.4, CIS 6.5
 Fw Firewall / Net Seg
CIS 9.2, CIS 9.3, CIS 12.2
 Ep Endpoint Protection
CIS 10.1, CIS 10.2
 Pm Patch Management
CIS 7.3, CIS 7.4
 Cf Secure Config
CIS 4.1, CIS 4.2, CIS 4.6
 Sd Secure Development
CIS 16.1, CIS 16.2
 Ml Email Security
CIS 9.6, CIS 9.7
 Ws Web Security
CIS 9.5, CIS 16.4
 Zt Zero Trust
CIS 6.1, CIS 12.2
 Mb Mobile Security
CIS 1.4, CIS 1.5
 Cl Cloud Security
CIS 4.1, CIS 6.1
 Ds DNS Security
CIS 9.2
 Wf WAF
CIS 13.10
 Dl DLP
CIS 3.12
 Ap API Security
CIS 16.4

Detect (6 controls)

Sm Cont. Monitoring
CIS 8.2, CIS 8.5, CIS 8.11
 Lg Logging & Audit
CIS 8.1, CIS 8.2, CIS 8.9
 Id Intrusion Detection
CIS 13.1, CIS 13.3
 An Anomaly Detection
CIS 8.5, CIS 8.6
 Sg SIEM / SOC
CIS 8.2, CIS 8.11
 It Insider Threat
CIS 6.1, CIS 6.2, CIS 8.6

Respond (5 controls)

Ir Incident Response
CIS 17.1, CIS 17.2, CIS 17.3
 Fn Forensics
CIS 17.6
 Co Communication
CIS 17.2
 Mt Mitigation
CIS 17.4
 Rp Reporting
CIS 17.3

Recover (4 controls)

Rc Recovery Planning
CIS 11.1, CIS 17.7
 Bc Business Continuity
CIS 11.3, CIS 11.4
 Ll Lessons Learned
CIS 17.8
 Dr Disaster Recovery
CIS 11.1, CIS 11.5

Not Covered by CIS v8 (5 controls)

These controls are tracked by ControlMap but do not have explicit CIS v8 mappings. Organizations relying on CIS v8 should consider supplementing with additional frameworks to address these gaps.

Sc Supply Chain Risk
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR
 Cm Compliance
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
 Be Business Environment
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR
 Cr Comms & Restore
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
 Vr Vendor Risk Mgmt
Covered by: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, GDPR

CIS v8 vs Other Frameworks

CIS v8 provides 90% coverage of the 49 cybersecurity controls tracked by ControlMap. NIST CSF 2.0 covers 100%, ISO 27001 covers 100%, SOC 2 covers 100%, PCI DSS covers 100%, CMMC covers 94%, 800-53 covers 100%, HIPAA covers 94%, GDPR covers 96%. For maximum coverage, organizations often combine CIS v8 with complementary frameworks to address gaps in areas like supply chain risk, compliance, business environment.

Other Frameworks

NIST CSF 2.0 ISO 27001 SOC 2 PCI DSS CMMC 800-53 HIPAA GDPR
View CIS v8 in Interactive Dashboard