Frequently Asked Questions

CIS Controls v8 Overview

What are CIS Controls v8?

CIS Controls v8 are a prioritized set of cybersecurity best practices maintained by the Center for Internet Security. Originally developed in 2008 as the SANS Critical Security Controls, the framework has evolved based on real-world attack data and practitioner input. The current version, v8.1 (released June 2024), contains 18 controls broken down into 153 safeguards, each designed to defend against common attack patterns. Learn more.

Who developed CIS Controls v8?

CIS Controls are maintained by the Center for Internet Security, a nonprofit organization focused on cybersecurity best practices. The controls are informed by a global community of experts from industry, government, and academia. Official CIS website.

How many controls and safeguards are included in CIS Controls v8?

The CIS Controls v8 framework consists of 18 controls, which are further broken down into 153 safeguards. You can view the complete list on the CIS website.

Is CIS Controls v8 mandatory for organizations?

No, CIS Controls v8 is a voluntary framework. It is widely used by organizations seeking a practical, threat-informed approach to cybersecurity, but it does not require formal certification. Alignment with CIS Controls provides a documented foundation for security practices and can help organizations meet compliance requirements for frameworks like NIST CSF, ISO 27001, PCI DSS, CMMC, and SOC 2. More info.

What updates are included in CIS Controls v8.1?

CIS Controls v8.1 is an updated iteration of the CIS Controls, offering refinements and additional guidance to address emerging cyber threats. It builds upon the foundational practices of CIS v8 to ensure organizations remain resilient against evolving risks. Official documentation.

How are the CIS Controls v8 structured?

The CIS Controls v8 are organized into 18 top-level controls, which are further detailed into 153 specific actions known as safeguards. You can view a complete breakdown on the official CIS Controls List.

Where can I find the official CIS Controls v8.1 documentation?

The official CIS Controls v8.1 documentation is available on the Center for Internet Security (CIS) website.

What is the origin of CIS Controls v8?

CIS Controls v8 originated in 2008 as the SANS Critical Security Controls. The framework has been refined over nearly two decades based on real-world attack data and input from practitioners across government, industry, and academia. Source.

What are the main benefits of using CIS Controls v8?

CIS Controls v8 provides a practical, prioritized approach to cybersecurity, enabling organizations to defend against common threats. The framework is scalable, aligns with multiple compliance requirements, and offers actionable safeguards that can be tailored to an organization's risk profile. It is especially valuable for SMBs and service providers seeking demonstrable security practices without the audit burden of formal certification programs.

Implementation Groups & Service Tiers

What are Implementation Groups in CIS Controls v8?

Implementation Groups (IGs) are tiers within CIS Controls v8 that help organizations prioritize safeguards based on their risk profile and available resources. IG1 covers 56 essential safeguards for all organizations, IG2 adds more for moderate cybersecurity programs, and IG3 includes all 153 safeguards for regulated industries and high-risk environments. Learn more.

What does IG1 cover in CIS Controls v8?

IG1 represents the 56 safeguards every organization should implement, regardless of size or industry. These address common attack vectors with achievable controls such as device and software inventory, secure configuration, multi-factor authentication, patching, backups, logging, anti-malware, and security awareness training. Details.

Who should implement IG2 and IG3 in CIS Controls v8?

IG2 is designed for organizations with more complex environments, sensitive data, or regulatory obligations. IG3 is intended for regulated industries and high-risk environments, covering all 153 safeguards. Most SMBs start with IG1 and expand to IG2 or IG3 as their business grows or compliance requirements increase.

How do Implementation Groups help with service delivery?

Implementation Groups provide a tiered approach that matches client maturity and risk profile. Service providers can standardize IG1 as a baseline engagement, then upsell to IG2 or IG3 as clients' needs evolve. This structure enables scalable, recurring engagements and measurable progress over time.

The 18 CIS Controls & Operational Practices

What are the 18 CIS Controls?

The 18 CIS Controls are prioritized cybersecurity actions, including asset inventory, software management, data protection, secure configuration, account and access management, vulnerability management, audit log management, email and web protections, malware defenses, data recovery, network management, monitoring, security training, service provider management, application security, incident response, and penetration testing. Full list.

Which CIS Controls drive recurring engagements for service providers?

Four controls are particularly important for ongoing operational practices: Audit Log Management (Control 8), Secure Configuration (Control 4), Access Control Management (Control 6), and Incident Response Management (Control 17). These require continuous attention, monitoring, and improvement, making them ideal for managed services and recurring client engagements.

What does Audit Log Management (Control 8) involve?

Audit Log Management includes collecting, reviewing, and retaining logs for detection and investigation. It requires defining events to log, setting retention periods, establishing review processes, integrating with alerting systems, and testing log capture. Organizations often need external support to manage log data effectively, making this a natural fit for managed services.

Why is Secure Configuration (Control 4) important?

Secure Configuration addresses the need to harden devices and software against misconfigurations. Default settings often prioritize usability over security. Ongoing monitoring is required to detect configuration drift, apply consistent baselines, and manage exceptions. CIS Benchmarks provide platform-specific recommendations. Continuous monitoring makes this a recurring service rather than a one-time project.

What does Access Control Management (Control 6) cover?

Access Control Management goes beyond implementing multi-factor authentication. It covers the full lifecycle of access credentials, including account creation, permission reviews, access revocation, privileged access management, and continuous auditing. The principle of least privilege requires ongoing attention to prevent excessive access accumulation.

How does Incident Response Management (Control 17) help organizations?

Incident Response Management ensures organizations are prepared to respond to security incidents. It includes documented policies, defined roles, responder training, communication protocols, and regular testing through tabletop exercises. Continuous improvement and testing are essential for effective incident response.

Implementing CIS Controls as an Ongoing Program

Is CIS Controls implementation a one-time project?

No, CIS Controls implementation is an ongoing program that evolves as threats change, business grows, and risk profiles shift. Continuous assessment, monitoring, and improvement are required to maintain effective security practices.

How should organizations prioritize CIS Controls implementation?

Organizations should start with IG1 and prioritize safeguards based on current gaps. For example, asset inventory and tested backups may take precedence over access management refinements. Gap analysis at the start of the engagement provides a clear picture of the organization's security posture and guides resource allocation.

Why is continuous assessment important for CIS Controls?

Point-in-time assessments capture a snapshot that begins degrading immediately. Continuous assessment ensures asset inventory, configurations, vulnerabilities, and access controls remain current. Automated monitoring with human analysis of exceptions and trends is recommended for ongoing effectiveness.

How does CIS Controls v8 align with other compliance frameworks?

CIS Controls v8 can be mapped to frameworks such as NIST CSF 2.0, ISO 27001:2022, PCI DSS v4.0, CMMC 2.0, and SOC 2. Organizations can implement CIS Controls once and demonstrate alignment across multiple compliance requirements, streamlining assessment and reporting processes. More info.

How should organizations document CIS Controls implementation?

Organizations should track implementation status, responsible parties, evidence, gaps, and review dates for each control. This documentation demonstrates improvement to stakeholders, guides resource allocation, and provides evidence of "reasonable" security practices during audits, insurance applications, and client security assessments.

Cynomi Platform & CIS Controls v8.1

How does Cynomi support CIS Controls v8.1 implementation?

Cynomi maps assessments and policies to CIS Controls v8.1, automates evidence collection, and tracks progress across the control set. Implementation Group alignment enables service providers to match controls to each client’s maturity level and demonstrate measurable progress over time. Learn more.

What are Cynomi's key features for compliance and security?

Cynomi offers AI-driven automation, scalability, compliance readiness across 30+ frameworks, embedded CISO-level expertise, enhanced reporting, centralized multitenant management, and a security-first design. These features enable service providers to deliver high-quality, efficient, and scalable cybersecurity services. Source.

What integrations does Cynomi offer?

Cynomi supports integrations with scanners (NESSUS, Qualys, Cavelo, OpenVAS, Microsoft Secure Score), cloud platforms (AWS, Azure, GCP), and workflow tools (CI/CD, ticketing systems, SIEMs). These integrations streamline cybersecurity processes, enhance risk assessments, and maintain compliance efficiently. Source.

What technical documentation does Cynomi provide?

Cynomi offers technical resources such as NIST Compliance Checklist, NIST Policy Templates, NIST Risk Assessment Template, NIST Incident Response Plan Template, NIST SP 800-53 Complete Guide, and NIST 800-171 Explained. These resources help prospects implement compliance frameworks effectively and ensure audit readiness. Source.

How does Cynomi's product performance impact service providers?

Cynomi automates up to 80% of manual processes, supports compliance readiness across 30+ frameworks, and enables scalable vCISO services. Customers report measurable outcomes such as increased revenue, reduced operational costs, and improved compliance. For example, CompassMSP closed deals 5x faster using Cynomi, and ECI achieved a 30% increase in GRC service margins while cutting assessment times by 50%. Source.

What feedback have customers given about Cynomi's ease of use?

Cynomi is consistently praised for its intuitive and user-friendly interface. Customers highlight easy navigation, streamlined processes, and partner-focused support. Compared to competitors like Apptega and SecureFrame, Cynomi's interface is more intuitive and less complex. Grant Goodnight from ESI stated, "Cynomi structures the assessment process in a way that is easy for our customers to understand and easy for our technicians to implement." Source.

Who is the target audience for Cynomi?

Cynomi is purpose-built for Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and virtual Chief Information Security Officers (vCISOs). It empowers these roles to scale offerings, improve efficiency, and deliver high-quality services without increasing resources. Source.

What industries are represented in Cynomi's case studies?

Cynomi's case studies include vCISO service providers (e.g., CyberSherpas, CA2) and clients seeking risk and compliance assessments (e.g., Arctiq). These examples demonstrate Cynomi's impact across diverse industries. CyberSherpas Case Study, CA2 Case Study, Arctiq Case Study.

Where can I find Cynomi's blog, events, and educational resources?

You can access Cynomi's latest articles on our blog, find information about upcoming and past events on our Events & Webinars page, and explore educational content in our Resource Center.

Competition & Comparison

How does Cynomi compare to Apptega?

Apptega serves both organizations and service providers, requiring high user expertise and manual setup. Cynomi embeds CISO-level expertise, automates up to 80% of manual processes, and prioritizes security over compliance, making it easier for non-technical users and more efficient for service providers. Source.

How does Cynomi compare to ControlMap?

ControlMap focuses on security and compliance management but requires significant expertise and manual setup. Cynomi lowers the barrier to entry by embedding CISO-level knowledge, offers pre-built frameworks and automation, and provides guided workflows for structured navigation. Source.

How does Cynomi compare to Vanta?

Vanta is optimized for direct-to-business use and focuses on select frameworks like SOC 2 and ISO 27001. Cynomi is designed for MSSPs, vCISOs, and compliance consultancies, offering multi-tenant capabilities, greater framework flexibility, and cost-effectiveness. Source.

How does Cynomi compare to Secureframe?

Secureframe is compliance-first and focuses on in-house compliance teams. Cynomi links compliance gaps directly to security risks, enables scalable service provider operations, and supports more frameworks for greater adaptability. Source.

How does Cynomi compare to Drata?

Drata is primarily geared toward internal compliance teams and has a longer onboarding cycle. Cynomi is built for MSSPs and vCISOs, offers rapid deployment with pre-configured automation flows, and provides advanced features at a lower cost. Source.

How does Cynomi compare to RealCISO?

RealCISO has limited scope, with no scanning capabilities and basic automation. Cynomi offers advanced automation, multi-framework support, embedded expertise, and scalability features, making it more comprehensive for service providers. Source.


When was this page last updated?

This page was last updated on 12/12/2025.


CIS Controls v8: Everything You Need to Know

Amie Schwedock Publication date: 17 March, 2026
Compliance

When a client asks “what should we be doing for security?” they need a better answer than “it depends.” The CIS Controls are a prioritized set of 18 controls and 153 safeguards that tell organizations exactly what to protect and in what order. For MSPs delivering security services to SMBs, the framework is also practical enough to deploy across every client without reinventing the approach each time.

What makes CIS Controls different from enterprise-heavy frameworks is the Implementation Group structure. Your clients start with 56 essential safeguards and scale up as their risk profile and resources grow. That tiered approach maps directly to how you already think about service delivery. Match the engagement to the client’s maturity, then expand over time.

What Are CIS Controls v8?

CIS Controls are a prioritized set of cybersecurity best practices maintained by the Center for Internet Security. Originally developed in 2008 as the SANS Critical Security Controls, the framework has been refined over nearly two decades based on real-world attack data and input from practitioners across government, industry, and academia. The current version, v8.1 (released June 2024), contains 18 controls broken down into 153 safeguards, each specific and actionable enough to defend against the most common attack patterns observed in the field.

CIS Controls are voluntary, and that distinction matters for how you position this with clients. Organizations align with CIS Controls rather than certifying to them. This makes the framework a practical starting point for SMBs that need demonstrable security practices without the audit burden of formal certification programs. When a client’s industry eventually requires formal compliance, CIS alignment provides a documented foundation that maps to NIST CSF 2.0, ISO 27001, PCI DSS v4.0, CMMC 2.0, and SOC 2 through the CIS Controls Navigator. Several U.S. states now reference CIS Controls when defining what constitutes “reasonable” cybersecurity for government contractors and agencies.

That cross-framework mapping is where CIS Controls become especially valuable for your practice. A single assessment methodology can satisfy multiple client obligations, which means the work you do once scales across clients with different regulatory contexts. But the real operational question is where to start, and the answer is built into the framework itself.

Implementation Groups: Where Most Clients Should Start

Not every client needs all 153 safeguards. CIS Controls use Implementation Groups (IGs) to help organizations prioritize based on risk profile and available resources. The groups build cumulatively, so IG2 includes all of IG1, and IG3 includes everything.

Here’s how the groups break down:

Group | Safeguards | Who It’s For
IG1 | 56 | All organizations, essential cyber hygiene
IG2 | IG1 + additional | Organizations with moderate cybersecurity programs
IG3 | All 153 | Regulated industries and high-risk environments

IG1 is your baseline service tier

IG1 represents the 56 safeguards every organization should implement regardless of size or industry. These address the most common attack vectors with achievable controls:

  • Maintaining inventory of devices and software
  • Configuring systems securely
  • Implementing multi-factor authentication (MFA) for all users
  • Applying patches within defined timeframes
  • Maintaining tested backups
  • Basic logging and alerting
  • Anti-malware protection
  • Security awareness training

For your SMB clients, IG1 is the structured answer to “what should we be doing?” It eliminates the low-hanging fruit that attackers exploit most frequently, and it’s achievable without dedicated security staff on the client side. If you think about this in service delivery terms, IG1 is the baseline engagement you can standardize across your entire portfolio.

IG2 and IG3: when clients outgrow the baseline

IG2 adds safeguards for organizations with more complex environments, sensitive data, or regulatory obligations. Centralized logging with SIEM correlation, EDR coverage, network segmentation, formal incident response testing, privileged access management, and phishing simulations all live in IG2. Your clients typically move from IG1 to IG2 when they acquire sensitive data, face regulatory requirements, or expand to multi-cloud environments.

IG3 covers all 153 safeguards for organizations facing sophisticated threat actors or operating in heavily regulated industries. That includes threat intelligence integration, threat hunting, application allowlisting, DLP, and red team exercises. Most SMBs will never need IG3, and that’s the point. The Implementation Group structure prevents your clients from overinvesting in controls that exceed their actual risk profile.

From a practice-building perspective, these tiers give you a natural upsell path. A client starts at IG1. As their business grows or compliance requirements kick in, you expand the engagement to IG2. Each tier is more MRR for the same client relationship, and the progression is built into the framework rather than something you have to sell from scratch. The controls themselves, though, deserve a closer look, starting with the ones that drive ongoing operational work.

The 18 CIS Controls

The controls are numbered by priority, not alphabetically. Control 1 (asset inventory) comes first because you cannot secure what you do not know exists. Control 18 (penetration testing) comes last because it validates everything else.

Control | Name | What It Covers
1 | Inventory and Control of Enterprise Assets | Track all devices connected to infrastructure
2 | Inventory and Control of Software Assets | Manage authorized software, detect unauthorized installations
3 | Data Protection | Classify, handle, and dispose of data securely
4 | Secure Configuration | Harden devices and software against misconfigurations
5 | Account Management | Manage user and service account lifecycles
6 | Access Control Management | Implement least privilege and MFA
7 | Continuous Vulnerability Management | Assess and remediate vulnerabilities continuously
8 | Audit Log Management | Collect, review, and retain logs for detection and investigation
9 | Email and Web Browser Protections | Defend against phishing and web-based threats
10 | Malware Defenses | Prevent and detect malicious software
11 | Data Recovery | Maintain tested backup and recovery capabilities
12 | Network Infrastructure Management | Secure and manage network devices
13 | Network Monitoring and Defense | Monitor for and respond to network threats
14 | Security Awareness and Skills Training | Train the workforce on security practices
15 | Service Provider Management | Evaluate and monitor third-party security
16 | Application Software Security | Secure in-house and acquired software
17 | Incident Response Management | Develop and test incident response capabilities
18 | Penetration Testing | Test security through simulated attacks

Most of your SMB clients will not implement all 153 safeguards across 18 controls. They are starting with the 56 in IG1, and four of these controls deserve particular attention because they represent ongoing operational practices rather than one-time implementations.

Four Controls That Drive Recurring Engagements

Audit log management (Control 8)

Control 8 contains 12 safeguards focused on collecting, reviewing, and retaining logs for detection and investigation. For your clients, the work extends well beyond the initial setup. It requires defining what events to log (authentication, access changes, admin actions), determining retention periods based on regulatory and operational needs, establishing who reviews logs and how frequently, integrating with alerting systems to flag anomalies, and testing that logs are actually being captured and retained.

Organizations without dedicated security operations typically need outside help to make sense of log data. That dependency is what makes audit log management a natural fit for managed services and an ongoing engagement rather than a project.
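The "test that logs are actually being captured and retained" step from the Control 8 description above (and the matching FAQ answer) can be automated. The script below is an added example, not Cynomi's code or a CIS artifact: it classifies a constructed syslog-style sample into the three event categories the text names, then checks that each category is present, that capture has not silently stalled, and that the retained history is at least as long as the policy requires. The regexes and the sample lines are assumptions for illustration.

```python
"""Control 8 (Audit Log Management): verify that required event types are
being captured, that capture has not silently stopped, and that retained
history covers the required period. Added example; the log lines and the
event patterns below are constructed, not taken from a real system."""
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog-style sample (not from any real host).
SAMPLE_LOG = """\
2025-11-20T08:01:12Z host1 sshd[412]: Accepted publickey for alice from 10.0.0.5 port 51022
2025-12-01T09:15:03Z host1 sudo: bob : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
2025-12-02T10:22:45Z host1 sshd[9001]: Failed password for invalid user admin from 203.0.113.7 port 40022
2025-12-03T11:00:00Z host1 usermod[77]: add 'carol' to group 'wheel'
2025-12-10T14:30:00Z host1 sshd[1200]: Accepted password for dave from 10.0.0.9 port 50001
"""

# The three categories the text says a logging policy must define:
# authentication, access changes, admin actions. Patterns are illustrative.
EVENT_PATTERNS = {
    "authentication": re.compile(r"sshd\[\d+\]: (Accepted|Failed) "),
    "access_change": re.compile(r"usermod\[\d+\]: (add|remove) '\w+' (to|from) group"),
    "admin_action": re.compile(r"sudo: \S+ : TTY="),
}
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def parse_line(line):
    """Return (timestamp, category); category is None if the line is unclassified."""
    m = TS_RE.match(line)
    if not m:
        return None, None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    for name, pattern in EVENT_PATTERNS.items():
        if pattern.search(line):
            return ts, name
    return ts, None


def check_log_health(log_text, now, retention_days=90, max_silence_hours=24):
    """Evaluate one log source against the policy:
    - every required category must appear at least once (capture works)
    - the newest entry must be no older than max_silence_hours (capture not stalled)
    - the oldest entry must be at least retention_days old (retention honoured)
    """
    counts = {name: 0 for name in EVENT_PATTERNS}
    timestamps = []
    for line in log_text.splitlines():
        ts, category = parse_line(line)
        if ts is None:
            continue
        timestamps.append(ts)
        if category:
            counts[category] += 1
    if not timestamps:
        return {"counts": counts, "missing": list(counts), "stalled": True, "retention_ok": False}
    newest, oldest = max(timestamps), min(timestamps)
    return {
        "counts": counts,
        "missing": [c for c, n in counts.items() if n == 0],
        "stalled": now - newest > timedelta(hours=max_silence_hours),
        "retention_ok": now - oldest >= timedelta(days=retention_days),
        "oldest_age_days": (now - oldest).days,
    }


if __name__ == "__main__":
    print(check_log_health(SAMPLE_LOG, datetime(2025, 12, 12, tzinfo=timezone.utc)))
```

Run against a real export, a "stalled" result is usually a broken forwarder, and "retention_ok" false with a long-running source points at rotation deleting data earlier than policy allows.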

Secure configuration (Control 4)

Default configurations are rarely secure. Out-of-the-box settings prioritize ease of use, not defense. Control 4 addresses this through hardened baseline configurations for each asset type, consistent application across the environment, detection and remediation of configuration drift, and documented exception management.

CIS Benchmarks (separate from CIS Controls) provide specific configuration recommendations for particular platforms. Controls tell your team what to do at a strategic level; Benchmarks tell your team how to configure specific systems. The ongoing challenge is configuration drift. Without continuous monitoring, systems gradually deviate from their hardened state as changes accumulate, which is why this becomes a recurring service rather than a one-time hardening project.
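The drift-detection and exception-management loop described for Control 4 above (and in the FAQ answer on Secure Configuration) looks like this in code. This is an added example, not Cynomi's code and not a CIS Benchmark: the baseline keys, required values, host name, ticket ids and observed settings are all constructed, standing in for whatever the platform's Benchmark actually prescribes.

```python
"""Control 4 (Secure Configuration): compare a host's observed settings with
a hardened baseline, separate documented exceptions from real drift, and
flag deviations whose exception approval has lapsed. Added example; the
baseline, exceptions and observed state are constructed placeholders."""
from datetime import date

# Constructed baseline (setting -> required value). Stand-in for a real Benchmark.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "ssh.MaxAuthTries": "4",
    "firewall.default_inbound": "deny",
    "audit.enabled": "yes",
    "password.min_length": "14",
}

# Constructed documented exceptions: approved deviation, expiry and change ticket.
EXCEPTIONS = [
    {"host": "legacy-app01", "key": "ssh.PasswordAuthentication", "value": "yes",
     "expires": date(2026, 6, 30), "ticket": "CHG-EXAMPLE-1"},
    {"host": "legacy-app01", "key": "ssh.MaxAuthTries", "value": "6",
     "expires": date(2025, 1, 31), "ticket": "CHG-EXAMPLE-2"},   # already lapsed
]

# Constructed observed state for one host.
OBSERVED_LEGACY_APP01 = {
    "ssh.PasswordAuthentication": "yes",   # covered by a valid exception
    "ssh.PermitRootLogin": "yes",          # real drift
    "ssh.MaxAuthTries": "6",               # exception has expired
    "firewall.default_inbound": "deny",
    "audit.enabled": "yes",
    # password.min_length is absent entirely -> reported as missing
}


def find_exception(host, key, value, today):
    """Return (exception record, still_valid) for a deviation, or (None, False)."""
    for exc in EXCEPTIONS:
        if exc["host"] == host and exc["key"] == key and exc["value"] == value:
            return exc, exc["expires"] >= today
    return None, False


def assess_host(host, observed, today):
    """Classify every baseline setting for one host into:
    drift (unapproved deviation), excepted (approved deviation),
    expired (deviation covered only by a lapsed exception), missing (not set)."""
    result = {"drift": [], "excepted": [], "expired": [], "missing": []}
    for key, required in BASELINE.items():
        if key not in observed:
            result["missing"].append(key)
            continue
        actual = observed[key]
        if actual == required:
            continue
        exc, valid = find_exception(host, key, actual, today)
        if exc is None:
            result["drift"].append((key, required, actual))
        elif valid:
            result["excepted"].append((key, actual, exc["ticket"]))
        else:
            result["expired"].append((key, actual, exc["ticket"], exc["expires"].isoformat()))
    return result


def remediation_plan(assessment):
    """Settings to revert to baseline: real drift, lapsed exceptions, missing settings."""
    keys = [k for k, _, _ in assessment["drift"]]
    keys += [k for k, *_ in assessment["expired"]]
    keys += assessment["missing"]
    return {k: BASELINE[k] for k in keys}


if __name__ == "__main__":
    report = assess_host("legacy-app01", OBSERVED_LEGACY_APP01, date(2025, 12, 12))
    print(report)
    print(remediation_plan(report))
```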

Access control management (Control 6)

Control 6 goes beyond “implement MFA” to address the full lifecycle of access credentials. That means creating accounts with appropriate initial permissions, reviewing and adjusting permissions as roles change, revoking access promptly when employment ends, managing privileged access separately from standard user access, and implementing MFA for all users rather than just administrators.

The principle of least privilege sounds straightforward but requires continuous attention. Permissions accumulate over time as employees change roles, creating excessive access that persists until someone audits it. For your clients, that audit is the service you provide.
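The periodic access review that Control 6 turns into a recurring service (described above and in the FAQ answer on Access Control Management) can be expressed as checks over an identity export. This added example is not Cynomi's code: the role baselines, permission names and user records are constructed, and it flags exactly the lifecycle failures the text lists, namely permissions accumulated beyond the current role, leavers still enabled, privileged accounts without MFA, plus dormant accounts as a related check.

```python
"""Control 6 (Access Control Management): a least-privilege access review over
a constructed identity export. Added example; roles, permissions and accounts
are illustrative and do not represent real people or tenants."""
from datetime import date, timedelta

# Constructed role baselines: the permissions each role is supposed to hold.
ROLE_BASELINE = {
    "finance": {"erp.read", "erp.post_journal"},
    "helpdesk": {"ad.reset_password", "tickets.write"},
    "sysadmin": {"ad.admin", "servers.admin", "tickets.write"},
}
PRIVILEGED = {"ad.admin", "servers.admin"}

# Constructed identity export.
ACCOUNTS = [
    {"user": "alice", "role": "finance", "enabled": True, "mfa": True,
     "perms": {"erp.read", "erp.post_journal"},
     "last_login": date(2025, 12, 10), "left": None},
    # moved from helpdesk to finance and kept the old helpdesk right
    {"user": "bob", "role": "finance", "enabled": True, "mfa": True,
     "perms": {"erp.read", "erp.post_journal", "ad.reset_password"},
     "last_login": date(2025, 12, 11), "left": None},
    # left the company but the account was never disabled
    {"user": "carol", "role": "helpdesk", "enabled": True, "mfa": True,
     "perms": {"ad.reset_password", "tickets.write"},
     "last_login": date(2025, 10, 2), "left": date(2025, 11, 1)},
    # administrator without MFA
    {"user": "dave", "role": "sysadmin", "enabled": True, "mfa": False,
     "perms": {"ad.admin", "servers.admin", "tickets.write"},
     "last_login": date(2025, 12, 12), "left": None},
    # privileged service account that has not authenticated for months
    {"user": "svc-backup", "role": "sysadmin", "enabled": True, "mfa": True,
     "perms": {"servers.admin"},
     "last_login": date(2025, 7, 1), "left": None},
]


def review_access(accounts, today, dormant_days=90):
    """Return (user, finding_type, detail) tuples for every lifecycle failure found."""
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct["role"], set())
        excess = acct["perms"] - baseline
        if excess:
            findings.append((acct["user"], "excess_permissions", sorted(excess)))
        if acct["left"] and acct["enabled"] and acct["left"] <= today:
            findings.append((acct["user"], "leaver_still_enabled", acct["left"].isoformat()))
        privileged_held = acct["perms"] & PRIVILEGED
        if acct["enabled"] and privileged_held and not acct["mfa"]:
            findings.append((acct["user"], "privileged_without_mfa", sorted(privileged_held)))
        idle = today - acct["last_login"]
        if acct["enabled"] and idle > timedelta(days=dormant_days):
            findings.append((acct["user"], "dormant", idle.days))
    return findings


def findings_by_type(findings):
    """Group the review output by finding type for the client report."""
    grouped = {}
    for user, kind, _ in findings:
        grouped.setdefault(kind, []).append(user)
    return grouped


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, date(2025, 12, 12)):
        print(finding)
```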

Incident response management (Control 17)

Security incidents will happen. Control 17 addresses whether your client’s organization is prepared to respond effectively. That preparation includes documented policies and procedures for common incident types, defined roles and escalation paths, responder training, communication templates and protocols, and regular testing through tabletop exercises.

A plan that has not been tested is a plan that will not work under pressure. Regular exercises expose gaps in procedures and build team confidence before a real incident forces them to perform. Running those exercises is another engagement that reinforces your value as an ongoing security partner, and it connects directly to how you implement CIS Controls as a program rather than a project.

Implementing CIS Controls as an Ongoing Program

CIS Controls implementation is not a project with a completion date. It is a program that evolves as threats change, your client’s business grows, and their risk profile shifts.

Start with IG1 and prioritize within it. Every implementation should begin with the 56 IG1 safeguards. Prioritize based on current gaps. If your client has no asset inventory, start there. If backup and recovery has not been tested, that takes precedence over access management refinements. The gap analysis you run at the start of the engagement also gives your client a clear picture of where they stand and gives you the scope for everything that follows.

Assess continuously, not annually. Point-in-time assessments capture a snapshot that begins degrading immediately. Asset inventory changes, configurations drift from hardened baselines, vulnerabilities emerge, and people leave without access being revoked. Continuous assessment does not mean constant manual review. It means automated monitoring with human analysis of exceptions and trends.

Use CIS as a cross-framework foundation. Organizations pursuing multiple compliance requirements can implement CIS Controls once and demonstrate alignment across NIST CSF 2.0, ISO 27001:2022, PCI DSS v4.0, CMMC 2.0, and SOC 2. For your practice, this means a single assessment methodology that satisfies multiple client obligations without starting from scratch for each framework.

Document progress for triple-duty value. Track implementation status, responsible parties, evidence, gaps, and review dates for each control. This documentation demonstrates improvement to client stakeholders, guides resource allocation, and provides evidence of “reasonable” security practices during audits, insurance applications, and client security assessments.

For MSPs building security services at scale, platforms such as Cynomi map assessments and policies to CIS Controls v8.1, automate evidence collection, and track progress across the control set. Implementation Group alignment means you can match the right controls to each client’s maturity level and demonstrate measurable progress over time, turning security from an abstract conversation into a visible program with clear next steps.