Definition
The CIS Controls began in 2008 as a consensus project that became known as the SANS “Top 20 Critical Security Controls”; stewardship passed to the Center for Internet Security (CIS) in 2015, and the controls have been refined through several versions since. Version 8 (May 2021) consolidated the previous 20 controls into 18, reorganised them around activities rather than around who manages a device, and retained the Implementation Groups first introduced in v7.1 (2019) to help organisations of different sizes prioritise.
The Implementation Groups make CIS unusually pragmatic. They are cumulative: IG1 is the baseline every organisation should achieve regardless of size or sector (56 of the 153 v8 safeguards, which CIS calls “essential cyber hygiene”). IG2 adds 74 safeguards (130 in total) for organisations with sensitive data and moderate IT complexity. IG3 adds the remaining 23 (all 153) for organisations with extensive complexity, regulated data, and adversaries that target them specifically.
CIS Benchmarks are the related configuration-hardening guides for specific operating systems, applications, and cloud services. They are widely used as the practical “how do I configure this securely” reference behind many CIS Controls and other frameworks.
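To make the Controls-versus-Benchmarks distinction concrete, here is an added example written for this page (not code from CIS, SANS or Lavawall®): a small POSIX shell audit of an sshd_config against two settings the CIS Linux Benchmarks recommend, root login disabled and a cap on authentication attempts, plus one setting judged on its compiled-in default. The Benchmark recommendation numbers differ between distributions and versions and are deliberately not cited; tagging each result to Control 4 (Secure Configuration of Enterprise Assets and Software) is the editor's mapping, and the sshd_config content is constructed for the example.

```shell
#!/bin/sh
# Added example, not CIS or Lavawall(R) code: a Benchmark-style check of sshd_config
# whose results are tagged to CIS Control 4 (Secure Configuration). The config
# content further down is constructed for the example.

# Effective value of an sshd_config keyword. sshd applies the FIRST occurrence of
# a keyword and ignores later ones, so a hardened line appended to a file that
# already sets the keyword changes nothing; a naive "grep | tail -1" would miss
# that. Comment lines are skipped. Only the "Keyword value" form is handled
# (not "Keyword=value"), and Match blocks are not evaluated.
sshd_effective_value() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd FILE KEYWORD OP WANT [DEFAULT]   (OP is "eq" or "le"); prints PASS or FAIL.
# When the keyword is absent, DEFAULT (the compiled-in sshd default) is judged,
# so an unset keyword is assessed on what sshd actually does rather than on an
# empty string.
check_sshd() {
  actual=$(sshd_effective_value "$1" "$2")
  [ -n "$actual" ] || actual=${5:-unset}
  case $3 in
    eq)
      a=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
      w=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
      [ "$a" = "$w" ] && result=PASS || result=FAIL ;;
    le)
      case $actual in
        ''|*[!0-9]*) result=FAIL ;;                       # missing or non-numeric
        *) [ "$actual" -le "$4" ] && result=PASS || result=FAIL ;;
      esac ;;
    *) echo "unknown operator: $3" >&2; return 2 ;;
  esac
  echo "$result"
}

# audit_sshd FILE: run the checks, print one evidence line per safeguard, and exit
# non-zero on any failure so the script can gate a pipeline or feed a posture report.
audit_sshd() {
  cfg=$1
  failures=0
  for spec in "PermitRootLogin eq no" "MaxAuthTries le 4" "PermitEmptyPasswords eq no no"; do
    set -- $spec                      # split the spec into keyword, op, want, [default]
    result=$(check_sshd "$cfg" "$@")
    printf 'Control 4 | %-20s | %s\n' "$1" "$result"
    [ "$result" = PASS ] || failures=$((failures + 1))
  done
  [ "$failures" -eq 0 ]
}

# Constructed sshd_config for the example: the hardened PermitRootLogin line at
# the bottom is ineffective because the first occurrence wins.
SAMPLE_CFG=${TMPDIR:-/tmp}/cis_sshd_sample.$$
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real host
Port 22
PermitRootLogin yes
MaxAuthTries 6
# appended later by a well-meaning admin; sshd ignores it:
PermitRootLogin no
EOF

audit_sshd "$SAMPLE_CFG" || echo "sshd configuration drift detected"
```

Run against the constructed file this prints FAIL for PermitRootLogin (the first occurrence, `yes`, is what sshd honours), FAIL for MaxAuthTries (6 exceeds the limit of 4) and PASS for PermitEmptyPasswords (absent, so the default `no` applies). A real Benchmark assessment would also resolve Match blocks and Include directives and compare against the exact recommendation text for the OS version in scope.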
Core components
- Eighteen Controls, numbered 1 to 18: Inventory and Control of Enterprise Assets (1), Inventory and Control of Software Assets (2), Data Protection (3), Secure Configuration of Enterprise Assets and Software (4), Account Management (5), Access Control Management (6), Continuous Vulnerability Management (7), Audit Log Management (8), Email and Web Browser Protections (9), Malware Defenses (10), Data Recovery (11), Network Infrastructure Management (12), Network Monitoring and Defense (13), Security Awareness and Skills Training (14), Service Provider Management (15), Application Software Security (16), Incident Response Management (17), Penetration Testing (18).
- Implementation Group 1 (IG1). Baseline cyber hygiene: 56 safeguards. Every organisation should achieve at least IG1.
- Implementation Group 2 (IG2). 74 additional safeguards (130 in total) for organisations with sensitive data and moderate IT complexity.
- Implementation Group 3 (IG3). The remaining 23 safeguards (all 153) for organisations with extensive IT complexity, regulated data, and targeted adversaries.
- Safeguards. Specific implementation actions within each control, numbered Control.Safeguard (for example 5.1, the account inventory), each assigned to IG1, IG2, or IG3. The groups are cumulative, so an organisation targeting IG2 implements every IG1 safeguard as well.
- CIS Benchmarks. Configuration-hardening guides for Windows, macOS, Linux, M365, Azure, AWS, GCP, browsers, and many other targets.
Why it matters
CIS Controls v8 are widely cited by cyber-insurance carriers, US state governments (including California, New York, and Texas), and enterprise security programmes. The Implementation Group structure makes them adoptable by organisations at every maturity level.
For MSPs, CIS plus CIS Benchmarks is one of the most actionable framework pairs to deliver against — concrete, prioritised, and broadly accepted by insurers and assessors.
Cyber-insurance assessments increasingly ask about CIS IG1 implementation specifically because it is the demonstrable cyber-hygiene baseline.
How Lavawall® helps with CIS Controls v8 (Center for Internet Security Critical Security Controls)
Lavawall® maps directly to CIS Controls v8 across all 18 controls and IG1/IG2/IG3 safeguards. Configuration evidence is collected continuously from Windows, macOS, and Linux endpoints with results aligned to CIS Benchmarks.
Patching evidence (Control 7), software inventory (Control 2), account inventory (Control 5), software allowlisting (Safeguard 2.5, an IG2 safeguard), audit log management (Control 8), and other controls flow from the same agent, with no separate integration.
For cyber-insurance assessments specifically, the CIS-aligned posture report covers what most carriers ask about and produces co-branded output the MSP can deliver to the client.
Frequently asked
- What is the difference between CIS Controls and CIS Benchmarks?
- Controls are the high-level prioritised security requirements (the 18 controls). Benchmarks are the configuration-hardening guides for specific systems that operationalise many of them.
- What changed in v8 from v7?
- Version 8 consolidated the 20 controls into 18 and reorganised them around activities (e.g., “Account Management”) rather than around who manages a device or asset type. Implementation Groups were not new in v8; they were introduced in v7.1 (2019) and v8 re-assigned its safeguards to them.
- Is CIS the same as NIST CSF?
- No. NIST CSF is a high-level outcome-oriented framework. CIS is a prioritised set of specific controls. CIS appears as an Informative Reference in NIST CSF mappings.