The 18 CIS Critical Security Controls v8 address over 90% of the most common attack vectors. We guide you through the complete implementation — from gap analysis and Implementation Group prioritization to technical integration into your existing security architecture.
Since version 8, the CIS framework includes 18 controls instead of the previous 20. Controls were consolidated and new topics like Data Protection and Service Provider Management were added. Start with Implementation Group 1 (56 safeguards) for the greatest security gain.
Our structured approach follows the three Implementation Groups and ensures each phase delivers measurable security improvements.
Assessment: Gap analysis of all 18 controls against your current state
Prioritization: Classification by Implementation Group and business risk
Implementation: Technical deployment with per-control validation
Integration: Connection to existing SIEM, IAM, and ITSM systems
Monitoring: KPI-based effectiveness measurement and maturity tracking
"The professional implementation of the Top 20 CIS Controls by ADVISORI has fundamentally strengthened our cybersecurity posture. The structured approach and practical implementation have achieved measurable improvements across all critical security areas."

Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
We offer you tailored solutions for your digital transformation
Comprehensive evaluation of your current security posture against the Top 20 CIS Critical Security Controls.
Development of a strategic roadmap for the phased implementation of the Top 20 Controls.
Hands-on technical implementation of prioritized CIS Controls in your IT environment.
Establishment of a sustainable monitoring and improvement system for the Top 20 Controls.
Choose the area that fits your requirements
Which of the 18 CIS Controls matter most to your organization? We analyze your specific threat landscape and prioritize security measures based on business criticality. The result: maximum protection with optimal resource allocation — from IG1 essential cyber hygiene to full IG3 coverage.
How mature is your CIS Controls implementation? Our structured assessment evaluates all 18 controls across Implementation Groups IG1 through IG3, identifies gaps, and delivers a prioritized roadmap so you can measurably reduce cyber risk.
CIS Controls v8 (currently v8.1, released June 2024) comprises 18 prioritized security measures with 153 safeguards in total. They were developed by the Center for Internet Security based on real-world attack data. The 18 controls replace the former 20 controls from version 7 — through consolidation and addition of new areas like Data Protection (Control 3) and Service Provider Management (Control 15). The controls are organized into three Implementation Groups (IG1, IG2, IG3) that enable phased implementation based on organization size and risk profile.
In version 8, the framework was consolidated from 20 to 18 controls. The former controls for email and browser protection were integrated into other controls, and new topics were added: Data Protection (Control 3), Service Provider Management (Control 15), and Application Software Security (Control 16). Additionally, v8 introduced the concept of safeguards — 153 specific individual measures replacing the former sub-controls. The Implementation Groups (IG1 with 56, IG2 with 74, IG3 with 23 safeguards) replace the old Basic/Foundational/Organizational categorization.
Implementation Group 1 (IG1) comprises 56 safeguards and suits organizations without a dedicated security team. According to CIS, it addresses over 90% of the most common attacks and can be implemented in three to six months. Implementation Group 2 (IG2) adds 74 additional safeguards for organizations with their own IT security team and more complex infrastructure. Implementation Group 3 (IG3) adds the remaining 23 safeguards and targets organizations with a SOC team and high maturity level. ADVISORI recommends always starting with IG1 and increasing maturity step by step.
Duration depends on the chosen Implementation Group and your current maturity level. IG1 (56 safeguards) can be implemented in three to six months for most organizations. For IG2, plan an additional six to twelve months; for IG3, another six months. ADVISORI begins with a gap analysis that maps your current state against all 18 controls within two to three weeks. This produces a prioritized roadmap that addresses quick wins first, delivering the greatest security improvement with the least effort.
CIS Controls v8 can be mapped directly to other frameworks. Approximately 80% of ISO 27001 Annex A measures are covered by the CIS Controls. For NIS2, the controls provide a practical implementation guide for the required risk management measures. In the context of DORA, they particularly support ICT risk management and incident response requirements. ADVISORI creates a compliance mapping with every implementation showing which regulatory requirements are covered by which CIS safeguards.
Costs vary by scope, organization size, and target Implementation Group. An initial gap analysis for all 18 controls typically starts in the low five-figure range. Full IG1 implementation for a mid-sized company generally falls between EUR 50,000 and 150,000 — including consulting, tool integration, and training. Return on investment materializes through reduced cyber insurance premiums (15–30% reduction), shorter audit cycles, and avoided incident costs.
Technical requirements depend on the Implementation Group. For IG1, existing tools often suffice: Active Directory for access management, group policies for configuration hardening, and existing monitoring tools. From IG 2 onward, specialized solutions are recommended such as SIEM systems (e.g., Microsoft Sentinel, Splunk), vulnerability scanners (Tenable, Qualys), and PAM solutions (BeyondTrust, CyberArk). ADVISORI integrates the controls into your existing tool landscape and avoids unnecessary new acquisitions.