How to Comply with CIS Controls v8

The CIS Critical Security Controls v8 are a prioritized set of best practices for defending against the most common cyber attacks. Developed by the Center for Internet Security, they organize 153 Safeguards into 18 Controls covering enterprise and software asset inventory, access control, data protection, audit logging, and incident response. The "CIS x.y" references in the tables below are Safeguard identifiers: x is the Control number and y the Safeguard within it (for example, CIS 6.5 is "Require MFA for Administrative Access" under Control 6, Access Control Management).

Coverage: 90% | Controls required: 44 | Not applicable: 5

Why CIS v8 Compliance Matters

The CIS Critical Security Controls v8 provide a prioritized, prescriptive set of actions to defend against the most common cyber attacks. Implementation Groups let organizations adopt the Safeguards incrementally based on their risk profile and resources: IG1 (56 Safeguards) is the baseline of essential cyber hygiene every enterprise should meet, IG2 adds 74 Safeguards for organizations with dedicated security staff and moderately sensitive data, and IG3 adds the remaining 23 for organizations facing targeted attacks or handling highly sensitive data. Because each Safeguard is a concrete, testable action rather than an outcome statement, CIS Controls are widely used as a practical implementation guide alongside framework-level standards such as NIST CSF 2.0 and ISO 27001.

Compliance Checklist by Domain

The 44 controls below are this checklist's own control names, each mapped to the CIS v8 Safeguards it satisfies; the "Also In" column lists the other frameworks that the same control maps to. Work through each domain to build your compliance program, and treat a Safeguard cited by several rows (for example CIS 6.1, which appears under Access Control, Zero Trust, Cloud Security and Insider Threat) as one piece of evidence you can collect once and reuse across those rows.

Govern (3 controls)

Control | CIS v8 References | Also In
Governance Policy | CIS 1.1 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Risk Management | CIS 1.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Roles & Responsibilities | CIS 1.3 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR

Identify (5 controls)

Control | CIS v8 References | Also In
Asset Management | CIS 1.1, CIS 2.1 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Risk Assessment | CIS 7.1 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Data Classification | CIS 3.1, CIS 3.7 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Vulnerability Mgmt | CIS 7.1, CIS 7.2, CIS 7.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Threat Intelligence | CIS 13.8 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53

Protect (21 controls)

Control | CIS v8 References | Also In
Awareness & Training | CIS 14.1, CIS 14.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Access Control | CIS 5.1, CIS 6.1, CIS 6.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Multi-Factor Auth | CIS 6.3, CIS 6.4, CIS 6.5 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Encryption | CIS 3.6, CIS 3.9, CIS 3.10 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Data Protection | CIS 3.1, CIS 3.10, CIS 3.12 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Backup & Recovery | CIS 11.1, CIS 11.2, CIS 11.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Privileged Access | CIS 5.4, CIS 6.5 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Firewall / Net Seg | CIS 9.2, CIS 9.3, CIS 12.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Endpoint Protection | CIS 10.1, CIS 10.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Patch Management | CIS 7.3, CIS 7.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Secure Config | CIS 4.1, CIS 4.2, CIS 4.6 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Secure Development | CIS 16.1, CIS 16.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, GDPR
Email Security | CIS 9.6, CIS 9.7 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Web Security | CIS 9.5, CIS 16.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Zero Trust | CIS 6.1, CIS 12.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Mobile Security | CIS 1.4, CIS 1.5 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Cloud Security | CIS 4.1, CIS 6.1 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
DNS Security | CIS 9.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53
WAF | CIS 13.10 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
DLP | CIS 3.12 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
API Security | CIS 16.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR

Detect (6 controls)

Control | CIS v8 References | Also In
Cont. Monitoring | CIS 8.2, CIS 8.5, CIS 8.11 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Logging & Audit | CIS 8.1, CIS 8.2, CIS 8.9 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Intrusion Detection | CIS 13.1, CIS 13.3 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Anomaly Detection | CIS 8.5, CIS 8.6 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
SIEM / SOC | CIS 8.2, CIS 8.11 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Insider Threat | CIS 6.1, CIS 6.2, CIS 8.6 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR

Respond (5 controls)

Control | CIS v8 References | Also In
Incident Response | CIS 17.1, CIS 17.2, CIS 17.3 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Forensics | CIS 17.6 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Communication | CIS 17.2 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Mitigation | CIS 17.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Reporting | CIS 17.3 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR

Recover (4 controls)

Control | CIS v8 References | Also In
Recovery Planning | CIS 11.1, CIS 17.7 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Business Continuity | CIS 11.3, CIS 11.4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Lessons Learned | CIS 17.8 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
Disaster Recovery | CIS 11.1, CIS 11.5 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR
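Before auditing against this checklist it is worth knowing which CIS v8 Controls the 44 rows above actually touch, and which Safeguards are cited by more than one row. The script below is an added example, not part of this page or of any CIS tooling: it embeds the mapping tables above as a constructed pipe-delimited string, parses the "CIS x.y" Safeguard references, and reports the Controls (1 to 18) no row maps to, plus the Safeguards whose evidence several rows share. The table layout and the helper names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed from the mapping tables on this page, one row per line
# as "<control name> | <CIS v8 Safeguard references>" (example data).
PAGE_MAPPING = """\
Governance Policy | CIS 1.1
Risk Management | CIS 1.2
Roles & Responsibilities | CIS 1.3
Asset Management | CIS 1.1, CIS 2.1
Risk Assessment | CIS 7.1
Data Classification | CIS 3.1, CIS 3.7
Vulnerability Mgmt | CIS 7.1, CIS 7.2, CIS 7.4
Threat Intelligence | CIS 13.8
Awareness & Training | CIS 14.1, CIS 14.2
Access Control | CIS 5.1, CIS 6.1, CIS 6.2
Multi-Factor Auth | CIS 6.3, CIS 6.4, CIS 6.5
Encryption | CIS 3.6, CIS 3.9, CIS 3.10
Data Protection | CIS 3.1, CIS 3.10, CIS 3.12
Backup & Recovery | CIS 11.1, CIS 11.2, CIS 11.4
Privileged Access | CIS 5.4, CIS 6.5
Firewall / Net Seg | CIS 9.2, CIS 9.3, CIS 12.2
Endpoint Protection | CIS 10.1, CIS 10.2
Patch Management | CIS 7.3, CIS 7.4
Secure Config | CIS 4.1, CIS 4.2, CIS 4.6
Secure Development | CIS 16.1, CIS 16.2
Email Security | CIS 9.6, CIS 9.7
Web Security | CIS 9.5, CIS 16.4
Zero Trust | CIS 6.1, CIS 12.2
Mobile Security | CIS 1.4, CIS 1.5
Cloud Security | CIS 4.1, CIS 6.1
DNS Security | CIS 9.2
WAF | CIS 13.10
DLP | CIS 3.12
API Security | CIS 16.4
Cont. Monitoring | CIS 8.2, CIS 8.5, CIS 8.11
Logging & Audit | CIS 8.1, CIS 8.2, CIS 8.9
Intrusion Detection | CIS 13.1, CIS 13.3
Anomaly Detection | CIS 8.5, CIS 8.6
SIEM / SOC | CIS 8.2, CIS 8.11
Insider Threat | CIS 6.1, CIS 6.2, CIS 8.6
Incident Response | CIS 17.1, CIS 17.2, CIS 17.3
Forensics | CIS 17.6
Communication | CIS 17.2
Mitigation | CIS 17.4
Reporting | CIS 17.3
Recovery Planning | CIS 11.1, CIS 17.7
Business Continuity | CIS 11.3, CIS 11.4
Lessons Learned | CIS 17.8
Disaster Recovery | CIS 11.1, CIS 11.5
"""

SAFEGUARD_RE = re.compile(r"CIS\s+(\d{1,2})\.(\d{1,2})")
CIS_V8_CONTROLS = range(1, 19)  # CIS Controls v8 numbers its Controls 1..18


def parse_mapping(text):
    """Return {row name: set of (control, safeguard) tuples} from the table text."""
    rows = {}
    for line in text.splitlines():
        if "|" not in line:
            continue  # skip blank lines or stray header text
        name, refs = (part.strip() for part in line.split("|", 1))
        rows[name] = {(int(c), int(s)) for c, s in SAFEGUARD_RE.findall(refs)}
    return rows


def safeguards_by_control(rows):
    """Group every referenced Safeguard number under its parent Control number."""
    by_control = defaultdict(set)
    for refs in rows.values():
        for control, safeguard in refs:
            by_control[control].add(safeguard)
    return dict(by_control)


def unreferenced_controls(rows):
    """CIS Controls (1..18) that no row of the checklist maps to."""
    return sorted(set(CIS_V8_CONTROLS) - set(safeguards_by_control(rows)))


def rows_sharing_safeguard(rows):
    """Safeguards cited by more than one row, where evidence can be collected once."""
    owners = defaultdict(list)
    for name, refs in rows.items():
        for ref in refs:
            owners[ref].append(name)
    return {ref: sorted(names) for ref, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    rows = parse_mapping(PAGE_MAPPING)
    print(f"{len(rows)} rows parsed")
    print("Controls not referenced by any row:", unreferenced_controls(rows))
    for (c, s), names in sorted(rows_sharing_safeguard(rows).items()):
        print(f"CIS {c}.{s} is cited by {len(names)} rows: {', '.join(names)}")
```

Run against the tables as printed here, the script reports that no row references Control 15 (Service Provider Management) or Control 18 (Penetration Testing), so an audit built only from this checklist will leave those two Controls without evidence, and that CIS 6.1 is cited by four rows and CIS 1.1, 3.1, 3.12, 6.2, 6.5, 7.1, 7.4, 8.2, 8.5, 8.6, 8.11, 9.2, 11.1, 11.4, 12.2, 16.4, 17.2 and 17.3 by two or more, which is where a single collected artifact can close several rows at once.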

Controls Not Required by CIS v8

These 5 controls are not directly addressed by CIS v8 but may still be relevant to your security program.
