🌏 Global · CIS Critical Security Controls v8

How do you score on the CIS Controls?

The CIS Critical Security Controls are a globally recognised, prioritised set of safeguards. Run a free external scan to see how your public-facing posture maps to CIS v8.

Scan your site free →
No signup · results in ~30 seconds · open source

What are the CIS Controls?

The CIS Critical Security Controls (CIS Controls v8) are a prioritised set of 18 controls maintained by the Center for Internet Security. They distil the most effective defensive actions into a manageable, ordered roadmap used by organisations worldwide.

v8 introduces Implementation Groups (IG1–IG3) so organisations can right-size adoption. IG1 is essential cyber hygiene for every organisation; IG2 and IG3 add depth for those handling more sensitive data or facing more capable adversaries.

Representative controls

01

Inventory of assets & software

Actively manage all enterprise assets and software so only authorised items connect and run.

02

Data protection

Identify, classify and protect data with encryption in transit and at rest.

03

Secure configuration

Establish and maintain secure baselines for hardware, software and services.

04

Account & access management

Manage the lifecycle and privileges of accounts, and enforce least privilege and MFA.

05

Continuous vulnerability management

Continuously assess and remediate vulnerabilities to shrink the attack surface.

06

Email & web browser protections

Reduce the attack surface of email and browsers, the most common entry points.

07

Malware defenses

Prevent or control the installation and execution of malicious software.

08

Audit log management

Collect, review and retain logs to detect and investigate attacks.

What the free scan checks

Our free scanner assesses the externally observable safeguards — TLS configuration, security headers, email authentication (SPF/DKIM/DMARC) and exposed services — that map to CIS Controls such as data protection, secure configuration and email/web protections.

Run your free CIS Controls scan →

Frequently asked questions

Are the CIS Controls a compliance standard?

The CIS Controls are a best-practice framework rather than a regulation, but they map to many standards (NIST CSF, ISO 27001, PCI DSS) and are widely used to prioritise a security programme.

What is an Implementation Group?

Implementation Groups (IG1–IG3) let organisations adopt the controls in proportion to their risk and resources. IG1 is the essential cyber-hygiene baseline every organisation should meet.

Does the scan cover all 18 controls?

No. Many CIS Controls are internal or procedural. This external scan grades the internet-facing safeguards; use it alongside a full CIS assessment for complete coverage.

Other frameworks