Implement the CIS Critical Security Controls
What are the CIS Controls?
The CIS Critical Security Controls are a prioritized, prescriptive set of cybersecurity best practices maintained by the Center for Internet Security (CIS). Where many frameworks tell you what outcomes to achieve, the CIS Controls tell you what to do first — they are ordered by impact and grounded in real-world attack data from sources like MITRE ATT&CK and the Verizon Data Breach Investigations Report. The current version, CIS Controls v8.1 (released June 2024), defines 18 controls and 153 safeguards.
Implementation Groups
The CIS Controls are designed to be adopted incrementally through three Implementation Groups:
- IG1 — the 56 foundational safeguards that constitute essential cyber hygiene. Every organization, regardless of size, should meet IG1 to defend against the most common, untargeted attacks.
- IG2 — 74 additional safeguards (130 cumulative) for organizations that manage more sensitive data and operate more complex environments, typically with dedicated security staff.
- IG3 — the full set of 153 safeguards (23 beyond IG2), for mature organizations in high-risk sectors facing sophisticated, targeted threats.
This tiering makes the CIS Controls one of the most practical starting points for a security program: a smaller organization can implement IG1 and demonstrably reduce risk without committing to a full enterprise framework on day one.
What v8.1 changed
Version 8.1 is a refinement rather than a rewrite. It adds alignment with NIST CSF 2.0 — including the new Govern function — clarifies safeguard language, and refreshes mappings to other frameworks, all while keeping the familiar 18-control structure. (Note that the CIS Controls are distinct from the CIS Benchmarks, which are system-specific configuration-hardening guides; the two are complementary.)
How the CIS Controls map to other frameworks
Because the CIS Controls are prescriptive and well-mapped, they make an excellent baseline and crosswalk layer. CIS publishes mappings from each safeguard to NIST CSF, ISO 27001 Annex A, and the SOC 2 Trust Services Criteria, so the controls also serve as a practical on-ramp toward more demanding, audited regimes such as PCI DSS and CMMC.
How episki helps
episki ships the full CIS Controls v8.1 catalog — all 18 controls and 153 safeguards — as living controls tagged by Implementation Group. Pick IG1, IG2, or IG3, assign owners, and collect evidence once; episki cross-maps each safeguard to your other frameworks so a single piece of evidence proves CIS, NIST CSF, ISO 27001, and SOC 2 at the same time.
CIS Controls outcomes with episki
Why teams choose episki for CIS Controls
- Asset, software, and data management
- Access control, MFA, and account management
- Continuous vulnerability and log management
- IG1 — 56 foundational safeguards
- IG2 — added rigor for larger orgs
- IG3 — mature, high-risk environments
- Crosswalk to NIST CSF 2.0
- Crosswalk to ISO 27001 and SOC 2
- A practical on-ramp to CMMC and PCI DSS
CIS Controls readiness inside episki
Plug episki into your stack and work directly from this checklist during the free trial.
- ✓ Implementation Group selection (IG1 / IG2 / IG3)
- ✓ Enterprise asset and software inventory (Controls 1-2)
- ✓ Data protection and secure configuration (Controls 3-4)
- ✓ Account and access control management (Controls 5-6)
- ✓ Continuous vulnerability and audit log management (Controls 7-8)
- ✓ Crosswalks to NIST CSF, ISO 27001, and SOC 2