Cybersecurity Glossary

CIS Controls

What Are the CIS Controls?

The Center for Internet Security (CIS) Controls are a prioritized set of cybersecurity best practices that help organizations defend against the most common cyber threats. The CIS Controls provide a comprehensive approach to managing and reducing cybersecurity risks by focusing on critical actions that reduce attack surfaces and mitigate threats. 

These controls are now on version 8.1. 

History of the CIS Controls

  • 2008 – 2014: CIS Controls v1.0 through v5.0 are published and updated. The controls were originally known as the “SANS Top 20” or “SANS Critical Security Controls,” and were designed to provide actionable best practices for securing IT systems. 
  • 2015: CIS Controls version 6 is published. This marks when the Center for Internet Security took control of the framework, aligning the controls with other internationally recognized security frameworks such as NIST CSF. 
  • 2018: CIS Controls version 8 is released, further detailing the controls and introducing a “critical controls” approach to prioritize action to mitigate severe risks. 
  • 2021: CIS Controls version 8.0 is published, focusing on the integration of security, privacy, and operational resilience. 
  • 2025: The current version of the CIS Controls, version 8.1, is published, with further mapping to NIST CSF and integration of mobile device management practices. 

The current version of the CIS Controls contains structure changes, is broader in scope, and contains updated prioritization to help organizations consider their internet of things (IoT) devices and cloud infrastructure alongside a more remote workforce. 

Take a deep dive into the most recent updates to the CIS Controls

The Value of the CIS Controls for Organizations

The CIS Controls provide organizations with a practical, prioritized roadmap for defending against cyber threats, and are designed to be actionable. By following them, organizations can: 

  • Improve overall security posture with proven, consensus-driven best practices 
  • Strengthen trust with partners, customers, and possibly cyber insurance providers by demonstrating a proactive approach to cybersecurity

The CIS Controls serve as both a baseline for security operations and a benchmark for continuous improvement. Explore how to measure your security maturity against the CIS Controls with the Arctic Wolf Cyber Resilience Assessment.  

Top 18 CIS Controls

1. Inventory and Control of Enterprise Assets.

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments.

2. Inventory and Control of Software Assets.

Actively manage all software on the network so that only authorized software is installed.

3. Data Protection.

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

4. Configuration of Enterprise Assets and Software.

Establish and maintain secure configuration of all assets and software.

5. Account Management.

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

6. Access Control Management.

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

7. Continuous Vulnerability Management.

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure to remediate, and minimize, the window of opportunity for attackers.

8. Audit Log Management.

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

9. Email and Web Browser Protections.

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

10. Malware Defenses.

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

11. Data Recovery.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

12. Network Infrastructure Management.

Establish, implement, and actively manage network devices, to prevent threat actors from exploiting vulnerable network services and access points.

13. Network Monitoring and Defenses.

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

14. Security Awareness and Skills Training.

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

15. Service Provider Management.

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

16. Application Software Security.

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

17. Incident Response Management.

Establish a program to develop and maintain an incident response (IR) capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

18. Penetration Testing.

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker. 

These 18 controls cover a wide range of cybersecurity actions and focus areas, all intended to help organizations manage and protect their security environment. The controls above cover identity and access management (IAM), as well as vulnerability management, user training, and post-breach best practices. It’s important for an organization to have a holistic approach that hits every pillar of a strong cybersecurity architecture, not just one or a few. 

Common Implementation Gaps Related to the CIS Controls

While the CIS Controls are widely recognized as an effective framework, organizations often face challenges in fully implementing them, including: 

  • Resource limitations 
  • Complex environments 
  • Cultural resistance 
  • Prioritization difficulties 

To address these gaps, CIS introduced Implementation Groups (IG1, IG2, IG3), which help organizations adopt controls in stages based on risk profile, business size, and available resources. This phased approach ensures even resource-constrained organizations can make measurable progress toward stronger defenses. 

  • IG1 consists of basic cyber hygiene and is focused on protecting against the most common, pervasive attacks (e.g., phishing and malware). IG1 of the CIS Controls covers the most essential actions that are low in both cost and resource use, such as asset inventory, secure configuration, and vulnerability management. 
  • IG2 is focused on foundational cybersecurity, allowing organizations to prioritize defenses against more targeted attacks and reduction of breach impacts. IG2 of the CIS Controls builds on IG1 and can include cybersecurity controls such as centralized logging, monitoring, and incident response processes. 
  • IG3 is the most advanced of the implementation groups, and is focused on protecting against advanced, persistent, and highly targeted and sophisticated attacks. The scope of IG3 is all 18 CIS Controls and should deliver defense-in-depth security across the enterprise IT environment. 

CIS Controls and Arctic Wolf

Arctic Wolf’s solutions all fall under various CIS security controls and help organizations of all sizes achieve these controls efficiently and seamlessly. A strong security strategy is a holistic one, where every aspect works together to build a secure environment and further the Security Journey. 

View our on-demand webinar, “CIS Top 18 Controls – What’s New with V8.1.” 

Take the Arctic Wolf Cyber Resilience Assessment to better understand your organization’s security posture. 

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.