CIS Controls: The Latest Updates

Version 8.1

CIS Controls

The Center for Internet Security (CIS) Controls are a prioritized set of cybersecurity best practices that help organizations defend against the most common cyber threats. The CIS Controls provide a comprehensive approach to managing and reducing cybersecurity risks by focusing on critical actions that reduce attack surfaces and mitigate threats.

The latest update to the CIS Controls, Version 8.1, aims to address the evolving cybersecurity landscape, offering improved guidance and more relevant practices to protect against today’s cyber threats.

A Brief History of the CIS Controls:

CIS Controls' Journey to 8.1

  • Early 2008 - 2014

    CIS Controls Version 1.0 - 5.0

    • The "SANS Top 20" or “SANS Critical Security Controls” (now known as the CIS Critical Security Controls) was developed by a group of cybersecurity experts to establish a set of actionable best practices for securing IT systems. The first version was designed to be practical and concise, focusing on reducing the most critical risks.
    • Version 5.0 included expanded coverage and refined practices, emphasizing a stronger framework for improving an organization’s overall cybersecurity posture.
  • October 15, 2015

    CIS Controls Version 6.0

    • In 2015, CIS officially took charge of the CIS Controls with the release of Version 6. The aim of the CIS Controls was to offer organizations practical guidance to significantly enhance their cybersecurity defenses.
    • Version 6.0 is aligned with other prominent cybersecurity frameworks, such as NIST Cybersecurity Framework, ISO, and PCI.
  • May 19, 2018

    CIS Controls Version 7.0

    • This major update added more detail to the controls, improved alignment with emerging threats, and introduced a "critical controls" approach that further prioritized actions based on their effectiveness in mitigating risk.
  • May 18, 2021

    CIS Controls Version 8.0

    • Version 8.0 moved towards a more holistic, industry-standard approach, focusing on the integration of security, privacy, and operational resilience. The structure and recommendations were refined to be more applicable across diverse organizational environments.
  • June 25, 2025

    CIS Controls Version 8.1

    • Version 8.1 introduces fine-tuned improvements and addresses emerging threats, vulnerabilities, and technologies, making it the most relevant version yet for organizations of all sizes. It realigned its security function mappings to better match NIST CSF 2.0, ensuring a more cohesive and updated approach to securing mobile devices and aligning with the latest NIST cybersecurity framework. This adjustment strengthens the integration of mobile device management practices with broader organizational security strategies.

What Are the Differences Between CIS V 7.0 and 8.0?

Structure Changes

Version 7.0 introduced the concept of “Implementation Groups” to help organizations prioritize controls based on their size and resources. In Version 8.0, these groups were further refined and expanded to address current technologies such as cloud environments and advanced threat landscapes.

Broader Scope in V8.0

Version 8.0 introduced 18 controls (compared to 20 in v7.0) and emphasized critical areas such as data security and continuous monitoring. Version 8.0 also includes specific recommendations for managing the security of supply chains, something not explicitly covered in previous versions.

Updated Prioritization

The prioritization in Version 8.0 focused on the most impactful areas, adjusting for cloud, IoT, and remote workforce considerations. These were already growing concerns at the time of Version 7.0 but were covered in less detail there.

Why CIS Controls are Updating to 8.1

CIS Controls Version 8.1 builds on the success of Version 8.0 and incorporates adjustments that reflect the changing cybersecurity landscape. The increase in sophisticated cyber attacks, the rapid adoption of cloud technologies, and the expanding scope of remote work require continual updates to ensure the controls remain effective. This version is designed to provide even more actionable guidance for organizations to protect their systems and data against increasingly complex cyber threats.

What’s new in CIS Controls v8.1?

CIS Controls v8.1 builds on the strong foundation of Version 8, refining and expanding on key areas to address the evolving cybersecurity landscape. With the rise of new technologies, increasingly sophisticated cyber attacks, and more complex organizational structures, the updates in v8.1 ensure that organizations of all sizes have a modern, actionable framework to secure their systems effectively.

The key updates to Version 8.1 focus on refining practices related to cloud security, supply chain risk, and the growing need for automated monitoring and response capabilities.


Cloud Security Enhancements

As organizations continue to migrate to the cloud, ensuring security in these environments becomes critical. Version 8.1 introduces more robust guidelines for managing cloud security risks. These include better configuration management, cloud provider assessments, and securing cloud infrastructure components to ensure that sensitive data and applications are protected in these dynamic environments.

Strengthened Supply Chain Risk Management

Cyber attacks targeting supply chains have become increasingly prevalent, with attackers often using third-party vendors as a backdoor into larger organizations. Version 8.1 enhances the focus on securing the supply chain by advising organizations to verify vendor cybersecurity postures, assess risks related to third-party access, and continuously monitor the security of external partnerships. This approach aligns closely with emerging best practices, including those seen in NIST CSF 2.0, which places increased emphasis on the need for cybersecurity across supply chains.


Automated Monitoring and Response

With cyber threats evolving rapidly, relying on manual processes for detection and response is no longer sufficient. Version 8.1 emphasizes the integration of automated tools for continuous monitoring and threat detection. This shift allows for faster identification of security incidents and enables organizations to respond more efficiently, minimizing damage from potential breaches. Automation also allows security teams to focus their efforts on higher-level strategy, leveraging machine learning and advanced analytics to stay ahead of threats.

IoT and Device Security

With the growing presence of Internet of Things (IoT) devices in every aspect of business, Version 8.1 includes specific controls aimed at securing IoT networks. As many IoT devices are inadequately secured, organizations are at risk of these devices becoming an entry point for attackers. The new guidelines focus on strengthening the security of IoT devices through better management, monitoring, and secure configuration practices.

Enhanced Focus on Cybersecurity Governance

Organizations are increasingly recognizing the importance of having strong cybersecurity governance structures. Version 8.1 incorporates clearer guidance on the roles, responsibilities, and authorities needed to create an effective cybersecurity strategy. This includes aligning with frameworks like the NIST CSF 2.0 that advocate for a holistic approach to cybersecurity governance. CIS v8.1 provides tools for ensuring that governance and security practices align with overall organizational goals, improving accountability and risk ownership.

Legal Disclaimer:

This information is provided for informational purposes and is not legal advice and should not be interpreted as such. Consult with your own legal counsel to determine your regulatory obligations and assess the effectiveness of your compliance programs. Arctic Wolf products and services are not compliance solutions but are tools that can support your compliance programs.

Cyber JumpStart

Start your security journey today with this complimentary suite of tools designed to help you manage your cyber risk, map your security posture against industry-standard frameworks like the CIS Controls, and create an incident response plan, while also unlocking insights into overcoming cyber insurance qualifying requirements.
On-Demand Webinar

CIS Top 18 Controls – What's New with V8.1

Join our experts as they guide you through V8.1 of the CIS controls and provide action items to implement new controls and harden your attack surface.


The history and impact of CIS Controls on cybersecurity

Arctic Wolf discusses the history of the Center for Internet Security (CIS) Controls, a key cybersecurity framework, and provides a breakdown of the newest version, V8.1, along with guidance on how best to implement changes within the controls.