
CIS Controls v8

Center for Internet Security Critical Security Controls Version 8

Organization: CIS
Category: Technical Controls

Related Articles: 5
Articles with Obligations: 8
Key Sections: 6
Coverage Areas: 18

Overview

A prioritized set of 18 actions that provide a proven defense against common cyber attacks. The controls focus on practical, actionable security measures that can be implemented to significantly improve an organization's security posture.

Applicability

Practical cybersecurity controls for IT infrastructure

Relevance to Network and Information Security Directive (NIS2)

Practical implementation guidance for NIS2 technical and organizational security measures

Key Coverage Areas

1. Asset inventory and control
2. Software and hardware inventory
3. Data protection
4. Secure configuration
5. Account management
6. Access control management
7. Continuous vulnerability management
8. Audit log management
9. Email and web browser protections
10. Malware defenses
11. Data recovery capabilities
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing

Standard Sections & Chapters

IG1: Implementation Group 1 (essential cyber hygiene)
IG2: Implementation Group 2 (growing enterprise)
IG3: Implementation Group 3 (mature security programs)
Controls 1-6: Basic CIS Controls (foundational)
Controls 7-16: Foundational CIS Controls
Controls 17-18: Organizational CIS Controls

Related Network and Information Security Directive (NIS2) Articles

Article I: SECTORS OF HIGH CRITICALITY

Sections: IG2, IG3
Advanced technical controls
Implementation Guidance: Implement CIS IG2 or IG3 depending on organization maturity

Article II: OTHER CRITICAL SECTORS

Sections: IG1, IG2
Foundational technical controls
Implementation Guidance: Implement CIS IG1 minimum, IG2 recommended

Article 21: Cybersecurity risk-management measures

Sections: 1-18
Practical technical security controls
Implementation Guidance: Implement CIS Controls appropriate to organization size (IG1, IG2, or IG3)

Mapped Obligations:

  • Ensure business continuity through backup management and disaster recovery plans
  • Manage security in system development and maintenance including vulnerability handling
  • Provide basic cyber hygiene practices and cybersecurity training
  • Implement cryptography and encryption policies where appropriate
  • Enforce human resources security, access control and asset management
  • Use multi-factor or continuous authentication where appropriate

Article 22: Union level coordinated security risk assessments of critical supply chains

Sections: 11
Data recovery capabilities
Implementation Guidance: Implement CIS Control 11 for backup and recovery

Article 28: Database of domain name registration data

Sections: 15
Service provider management
Implementation Guidance: Use CIS Control 15 for third-party risk management

Quick Information

Organization: CIS
Category: Technical Controls
Certification: Not available
