Cybersecurity Glossary

CIS Controls


What Are the CIS Controls?

The Center for Internet Security (CIS) Controls are a prioritised set of cybersecurity best practices that help organisations defend against the most common cyber threats. The CIS Controls provide a comprehensive approach to managing and reducing cybersecurity risks by focusing on critical actions that reduce attack surfaces and mitigate threats. 

These controls are now on version 8.1. 

History of the CIS Controls

  • 2008 – 2014: CIS Controls v1.0 through v5.0 are published and updated. The controls were originally known as the “SANS Top 20” or “SANS Critical Security Controls,” and were designed to provide actionable best practices for securing IT systems. 
  • 2015: CIS Controls version 6 is published. This marks when the Center for Internet Security took control of the framework, aligning the controls with other internationally recognised security frameworks such as NIST CSF. 
  • 2018: CIS Controls version 8 is released, further detailing the controls and introducing a “critical controls” approach to prioritise action to mitigate severe risks. 
  • 2021: CIS Controls version 8.0 is published, focusing on the integration of security, privacy, and operational resilience. 
  • 2025: The current version of CIS Controls, version 8.1 is published, with further mapping to NIST CSF and integration of mobile device management practices. 

The current version of the CIS Controls contains structural changes, is broader in scope, and contains updated prioritisation to help organisations consider their internet of things (IoT) devices and cloud infrastructure alongside a more remote workforce. 

Take a deep dive into the most recent updates to the CIS Controls

The Value of the CIS Controls for Organisations

The CIS Controls provide organisations with a practical, prioritised roadmap for defending against cyber threats, and are designed to be actionable. By following them, organisations can: 

  • Improve overall security posture with proven, consensus-driven best practices 
  • Strengthen trust with partners, customers, and possibly cyber insurance providers by demonstrating a proactive approach to cybersecurity

The CIS Controls serve as both a baseline for security operations and a benchmark for continuous improvement. Explore how to measure your security maturity against the CIS Controls with the Arctic Wolf Cyber Resilience Assessment.  

Top 18 CIS Controls

1. Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments.

2. Inventory and Control of Software Assets

Actively manage all software on the network so that only authorised software is installed.

3. Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

4. Configuration of Enterprise Assets and Software

Establish and maintain secure configuration of all assets and software.

5. Account Management

Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

6. Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

7. Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate them and minimise the window of opportunity for attackers.

8. Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

9. Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

10. Malware Defenses

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

11. Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

12. Network Infrastructure Management

Establish, implement, and actively manage network devices, to prevent threat actors from exploiting vulnerable network services and access points.

13. Network Monitoring and Defenses

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

14. Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

15. Service Provider Management

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

16. Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

17. Incident Response Management

Establish a program to develop and maintain an incident response (IR) capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

18. Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker. 

These 18 controls cover a wide range of cybersecurity actions and focus areas, all intended to help organisations manage and protect their security environment. The controls above cover identity and access management (IAM), as well as vulnerability management, user training, and post-breach best practices. It’s important for an organisation to have a holistic approach that hits every pillar of a strong cybersecurity architecture, not just one or a few. 

Common Implementation Gaps Related to the CIS Controls

While the CIS Controls are widely recognised as an effective framework, organisations often face challenges in fully implementing them, including: 

  • Resource limitations 
  • Complex environments 
  • Cultural resistance 
  • Prioritisation difficulties 

To address these gaps, CIS introduced Implementation Groups (IG1, IG2, IG3), which help organisations adopt controls in stages based on risk profile, business size, and available resources. This phased approach ensures even resource-constrained organisations can make measurable progress toward stronger defenses. 

  • IG1 consists of basic cyber hygiene, and is focused on protecting against the most common, pervasive attacks (e.g. phishing and malware). IG1 of the CIS Controls covers the essential actions that are low in both cost and resource use, such as asset inventory, secure configuration, and vulnerability management. 
  • IG2 is focused on foundational cybersecurity, allowing organisations to prioritise defenses against more targeted attacks and reduction of breach impacts. IG2 of the CIS Controls builds on IG1 and can include cybersecurity controls such as centralised logging, monitoring, and incident response processes. 
  • IG3 is the most advanced of the implementation groups, and is focused on protecting against advanced, persistent, and highly targeted and sophisticated attacks. The scope of IG3 is all 18 CIS Controls and should deliver defense-in-depth security across the enterprise IT environment. 

CIS Controls and Arctic Wolf

Arctic Wolf’s suite of solutions all fall under various CIS security controls and help organisations of all sizes achieve these controls efficiently and seamlessly. A strong security strategy is a holistic one, where every aspect works together to build a secure environment and further the Security Journey. 

View our on-demand webinar, “CIS Top 18 Controls – What’s New with V8.1.” 

Take the Arctic Wolf Cyber Resilience Assessment to better understand your organisation’s security posture. 


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.