CIS Critical Security Controls v8.1

A prioritised set of 18 cyber security controls (Implementation Groups IG1/IG2/IG3) widely adopted as the cyber-hygiene baseline. v8.1 added explicit coverage of cloud, mobile, and service-provider risks. CIS Controls map directly to NIST CSF, ISO 27001, and PCI DSS — making them a practical lingua franca for cross-framework programmes.

Composition

153 controls currently indexed; participates in 29 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Anti-malware protection with EDR and email/web safeguards
• Authentication architecture and multi-factor authentication
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Centralised logging with retention, tamper protection, and integrity
• Cloud Security Posture Management — continuous configuration assessment
• Comprehensive asset inventory with classification and ownership
• Continuous monitoring of networks, systems, applications, and outsourced development
• Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Data Loss Prevention — multi-channel egress protection
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data-at-rest protection — encryption, access, processor controls
• Data-in-transit protection and physical media handling
• DevSecOps maturity — security-as-code, pipeline-enforced controls, API security
• Event-to-incident categorisation and assessment
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• Logical and physical access restriction — least privilege baseline
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• Network segmentation with zero-trust principles
• Privileged access management and access rights lifecycle
• Ransomware-resilient backup architecture
• Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
• Secure configuration baselines and hardening discipline
• Secure disposal of equipment, media, and personal information
• Software installation discipline — authorised software, configuration, source code access
• VAPT cycle — vulnerability assessment and penetration testing programme
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls