Skip to Content
Governance and Compliance

What Are the CIS Controls (Critical Security Controls)?

The CIS Controls (CIS Critical Security Controls) are a prioritized set of cybersecurity best practices maintained by the Center for Internet Security. The current version, v8.1, organizes defense into 18 controls and 153 safeguards, ordered from the most essential to the most advanced, based on real attack data. Unlike a law, the CIS Controls are not mandatory: they are a practical roadmap that answers the question “where do I start?” and that serves as a base for meeting frameworks such as the NIST CSF and CMMC.

Zamak TechnologiesUpdated on July 10, 2026

How the CIS Controls work in practice

The strength of the CIS Controls is the order of priority: they say not just what to do, but what to do first. Instead of a list of 153 loose tasks, the company picks its group and moves forward. The cycle has four steps.

1

Choose the implementation group

IG1, IG2 or IG3: the group sets how many safeguards apply, based on the size, complexity and threat level the company faces.

2

Start with essential hygiene (IG1)

The 56 safeguards of IG1 are the floor every company should have: asset inventory, access control, backup, email and browser defense.

3

Measure and close the gaps

Each safeguard is a measurable task, which lets you score where the company stands and prioritize what is missing by the greatest defensive gain.

4

Map to the other frameworks

The CIS Controls cross-map to NIST CSF, ISO 27001 and others, so the effort here advances compliance there.

Source: Center for Internet Security (CIS), CIS Critical Security Controls v8.1.

The three Implementation Groups (IG)

  • IG1 (Essential cyber hygiene) The 56 safeguards every company should have, regardless of sector or size. It is the floor of defense.
  • IG2 (Moderate complexity) Adds safeguards for companies with more systems and regulatory obligations, reaching 130 in total.
  • IG3 (Sophisticated threat) Brings together all 153 safeguards, for organizations that face advanced adversaries and high-value data.

Why a prioritized roadmap matters so much

18 and 153
controls and safeguards organize the CIS Controls v8.1 (CIS)
56
safeguards form IG1, the floor of essential cyber hygiene for any company (CIS)
3
cumulative implementation groups (IG1, IG2, IG3) scale the effort to the risk (CIS)

Most companies do not suffer for lack of a tool, but for not knowing where to start, and for leaving the basics open. The CIS Controls exist to attack that: they are built from real attack data, cross-referencing MITRE ATT&CK and the Verizon Data Breach Investigations Report, to focus effort on what attackers actually exploit. The gain is concrete: a large share of incidents exploit precisely the essential-hygiene flaws that IG1 covers, such as missing MFA, outdated systems and an incomplete inventory. Starting with IG1 is the move with the greatest security return for the investment made, before moving on to more sophisticated controls.

How a company adopts the CIS Controls

Adopting the CIS Controls is less about buying something and more about executing in the right order. The most direct path:

  1. Do the inventory firstYou cannot protect what you do not know. The first control is precisely knowing which devices and software exist in the environment.
  2. Implement IG1 in fullTreat the 56 essential safeguards as the non-negotiable floor: MFA, tested backup, vulnerability patching, access control.
  3. Score yourself and prioritize the gapsMeasure how much of your group is already implemented and attack the gaps by the greatest defensive gain, not by the order of the list.
  4. Move up a group as risk growsCompanies with more exposure advance to IG2 and IG3, always building on what the previous group already secured.

In practice

The question that reveals the real risk: does the company have today a reliable inventory of every device and piece of software running on its network, or a list that went stale months ago?

How Zamak uses the CIS Controls

Zamak Technologies uses the CIS Controls as one of the roadmaps of Governance and Compliance in the Zamak Method: implementing essential hygiene (IG1), measuring the posture and sustaining the evidence on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.

Frequently asked questions about the CIS Controls

Are the CIS Controls mandatory?
No. They are a voluntary set of best practices. But they have become such a solid reference that many frameworks and regulators use them as a base, and adopting them advances compliance with mandatory standards.
What is the difference between the CIS Controls and the NIST CSF?
The NIST CSF is a high-level risk management framework (what to govern); the CIS Controls are a prioritized, concrete list of actions (what to do first). Many companies use the CIS Controls to execute what the NIST CSF directs.
Where should a small company start?
With IG1. Its 56 safeguards are the cyber hygiene floor designed precisely for companies with limited resources, and they cover the flaws most attacks exploit.
What is a safeguard?
It is the specific, measurable task within a control. The control states the objective (for example, control access); the safeguard states the concrete action (for example, require MFA on remote access).
Are the implementation groups cumulative?
Yes. IG2 includes all of IG1's safeguards and adds its own; IG3 includes everything. A company moves up a group without discarding what it already implemented.
Do the CIS Controls work for cloud and remote work?
Yes. v8.1 was updated for cloud, hybrid and remote environments, and aligned with NIST CSF 2.0, including the govern function.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake