CIS Controls v8: A Prioritised Path to Cyber Hygiene
Frameworks can feel abstract. The CIS Critical Security Controls are the opposite: 18 concrete, prioritised controls, broken into 153 specific safeguards, each chosen because it blocks or detects techniques seen in real-world attacks. Version 8 reorganised the controls around activities rather than by who manages a device, which fits a cloud and remote-work world far better than the device-centric layout of earlier versions.
Start with the first six
CIS orders the controls by impact. The first handful deliver outsized risk reduction and are where almost everyone should begin:
1. Inventory of enterprise assets: you can't protect what you don't know you have, so maintain an accurate, current inventory of every device that can store or process data.
2. Inventory of software assets: know what software is installed, and control what is allowed to run.
3. Data protection: identify, classify, handle, retain and dispose of data appropriately.
4. Secure configuration: harden devices and software away from their default settings and keep them that way.
5. Account management: govern the lifecycle of every user, administrator and service account.
6. Access control management: grant least privilege, review access regularly and revoke it promptly.
Implementation Groups
You don't implement all 153 safeguards at once. CIS defines three Implementation Groups (IGs) so you can scale to your size and risk. The groups are cumulative: IG2 includes everything in IG1, and IG3 includes everything in IG2.
| Group | For | Safeguards (cumulative total) |
|---|---|---|
| IG1 — essential cyber hygiene | Small orgs, limited IT resources | 56 (56) |
| IG2 | Orgs managing more sensitive data or regulatory obligations | +74 (130) |
| IG3 | Mature orgs facing targeted attacks | +23 (153) |
IG1 is now positioned as a minimum standard of cyber hygiene for every organisation.
The bottom line
The CIS Controls are one of the most practical starting points in security: prioritised, concrete, and grounded in real attacks. Begin with IG1, prove the basics, then scale to IG2 and IG3 as your risk grows. CIS also publishes mappings to NIST CSF and ISO 27001, so work done against the Controls carries over to those frameworks rather than being repeated.
Track CIS Controls against live signals
Cyber Horizon maps the CIS Controls to your cloud, identity and endpoint integrations — so your safeguard coverage reflects your real environment, and rolls up to NIST and ISO too.