CIS Controls v8: The Proven Framework for Prioritised Cybersecurity Defence
The CIS Critical Security Controls (CIS Controls), published by the Center for Internet Security, are a prioritised set of actions that form the foundation of basic cyber hygiene. Version 8, released in 2021, consolidated 20 controls into 18 controls organised around the modern enterprise's technology footprint — reflecting cloud, mobile, and remote work realities. The CIS Controls are unique among security frameworks in their emphasis on prioritisation — they tell you not just what to do, but what to do first.
The 18 CIS Controls
CIS Control 1 — Inventory and Control of Enterprise Assets: Know every device on your network. You cannot protect what you don't know you have.
CIS Control 2 — Inventory and Control of Software Assets: Know every application and software package authorised for use. Unauthorised software is a primary attack vector.
CIS Control 3 — Data Protection: Identify, classify, and protect sensitive data. Encryption, DLP, data lifecycle management.
CIS Control 4 — Secure Configuration of Enterprise Assets and Software: Establish and maintain secure configurations. Default configurations are almost always insecure.
CIS Control 5 — Account Management: Use processes and tools to manage the lifecycle of user accounts. Provision appropriately, review regularly, deprovision immediately.
CIS Control 6 — Access Control Management: Least privilege, need-to-know, role-based access, MFA.
CIS Control 7 — Continuous Vulnerability Management: Continuously assess, track, and remediate vulnerabilities.
CIS Control 8 — Audit Log Management: Collect, alert, review, and retain audit logs.
CIS Control 9 — Email and Web Browser Protections: Anti-phishing, content filtering, browser security configuration.
CIS Control 10 — Malware Defences: Endpoint protection, anti-malware tools, behaviour monitoring.
CIS Control 11 — Data Recovery: Tested backup and recovery capability.
CIS Control 12 — Network Infrastructure Management: Secure network architecture, network device configuration management.
CIS Control 13 — Network Monitoring and Defence: Intrusion detection, network traffic analysis, SIEM.
CIS Control 14 — Security Awareness and Skills Training: Regular, role-specific security training.
CIS Control 15 — Service Provider Management: Vendor risk management, supply chain security.
CIS Control 16 — Application Software Security: Secure SDLC, code review, vulnerability scanning of applications.
CIS Control 17 — Incident Response Management: IR plan, IR team, tabletop exercises.
CIS Control 18 — Penetration Testing: Regular penetration testing of systems and networks.
Implementation Groups: Prioritising by Organisation Size and Risk
CIS Controls v8 organises controls into three Implementation Groups (IGs) based on an organisation's resources, risk profile, and security maturity:
IG1 (Basic Cyber Hygiene): The minimum standard of cybersecurity for all organisations. 56 safeguards across the 18 controls that every organisation with any IT assets should implement. Focus: prevent commodity attacks (phishing, ransomware, credential theft). Appropriate for small organisations with limited IT resources.
IG2 (Foundational): Builds on IG1 with 74 additional safeguards for organisations with dedicated IT staff handling sensitive data. Focus: detect and respond to attacks. Appropriate for mid-size organisations with regulatory compliance requirements.
IG3 (Organisational): The full CIS Controls implementation — all 153 safeguards. Focus: reduce the impact of sophisticated attacks. Appropriate for large organisations with dedicated security teams in high-risk sectors.
This implementation group structure is one of the CIS Controls' most practical features — small organisations don't have to implement controls designed for enterprise environments, and they know exactly which safeguards to implement first.
CIS Benchmarks: Configuration Hardening at the System Level
CIS Benchmarks are detailed technical security configuration guides for specific platforms, operating systems, middleware, and cloud services. They translate the principles of CIS Control 4 (Secure Configuration) into specific, testable configuration settings:
Available for: Windows Server, Linux (CentOS, Ubuntu, RHEL, Debian), macOS, Kubernetes, Docker, AWS, Azure, GCP, Office 365, Nginx, Apache, PostgreSQL, MySQL, and many more.
Two levels: L1 (essential security, minimal performance impact) and L2 (defence-in-depth, may impact usability/performance). Most organisations implement L1 as standard and L2 for high-sensitivity systems.
Automated compliance: CIS-CAT Pro (commercial) and free tools like InSpec and Chef Compliance automate CIS Benchmark compliance assessment, enabling continuous measurement of configuration compliance across your entire fleet.
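To make the idea of automated benchmark assessment concrete, here is a small Python script written for this page as an added illustration; it is not code from CIS, CIS-CAT Pro, InSpec or any other tool named above. It evaluates an OpenSSH server configuration against benchmark-style rules (ID, title, profile level, expected setting) and reports pass/fail per rule plus a compliance percentage for the requested level, with L1 rules included in an L2 run. The rule identifiers (X.1 to X.4), titles and expected values are constructed for the demo and are not real CIS Benchmark recommendation numbers; the sample sshd_config is also constructed. Two details real assessment tools must get right are built in: sshd honours the first occurrence of a repeated keyword, so a naive "last value wins" parser under-reports misconfigurations, and directives inside a Match block are conditional rather than global.

```python
"""CIS-Benchmark-style configuration check for sshd_config (illustrative example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Check = Callable[[Optional[str]], bool]  # receives the effective value, None if unset


@dataclass(frozen=True)
class Rule:
    rule_id: str  # constructed identifier, not a real CIS recommendation number
    title: str
    level: int    # 1 = essential (L1), 2 = defence-in-depth (L2)
    keyword: str  # sshd_config directive, matched case-insensitively
    check: Check


@dataclass(frozen=True)
class Result:
    rule_id: str
    title: str
    level: int
    actual: Optional[str]
    passed: bool


def equals(expected: str) -> Check:
    return lambda v: v is not None and v.lower() == expected.lower()


def one_of(*allowed: str) -> Check:
    upper = {a.upper() for a in allowed}
    return lambda v: v is not None and v.upper() in upper


def at_most(limit: int) -> Check:
    return lambda v: v is not None and v.isdigit() and int(v) <= limit


# Constructed rules that mirror the shape of benchmark recommendations.
RULES: List[Rule] = [
    Rule("X.1", "Ensure SSH root login is disabled", 1, "PermitRootLogin", equals("no")),
    Rule("X.2", "Ensure SSH LogLevel is INFO or VERBOSE", 1, "LogLevel", one_of("INFO", "VERBOSE")),
    Rule("X.3", "Ensure SSH MaxAuthTries is 4 or less", 1, "MaxAuthTries", at_most(4)),
    Rule("X.4", "Ensure SSH X11 forwarding is disabled", 2, "X11Forwarding", equals("no")),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global settings explicitly present in sshd_config text.

    Mirrors sshd's own parsing rules: keywords are case-insensitive; both
    'Keyword value' and 'Keyword=value' are accepted; for a repeated keyword
    the FIRST occurrence wins; parsing stops at the first Match block because
    its directives are conditional, not global. Directives that are absent are
    returned as missing (the compiled-in default is not visible from the file;
    feed this function the output of `sshd -T` to assess effective values).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def assess(config_text: str, rules: List[Rule], level: int = 1) -> List[Result]:
    """Evaluate every rule at or below the requested profile level (L1 is a subset of L2)."""
    settings = parse_sshd_config(config_text)
    results = []
    for r in rules:
        if r.level > level:
            continue
        actual = settings.get(r.keyword.lower())
        results.append(Result(r.rule_id, r.title, r.level, actual, r.check(actual)))
    return results


def compliance_score(results: List[Result]) -> float:
    """Percentage of evaluated rules that passed, rounded to one decimal."""
    if not results:
        return 100.0
    return round(100.0 * sum(r.passed for r in results) / len(results), 1)


def report(results: List[Result]) -> str:
    lines = [f"[{'PASS' if r.passed else 'FAIL'}] L{r.level} {r.rule_id} {r.title} "
             f"(actual: {r.actual if r.actual is not None else 'not set'})" for r in results]
    lines.append(f"Compliance: {compliance_score(results)}%")
    return "\n".join(lines)


# Constructed sample: the first PermitRootLogin wins, so the host remains non-compliant
# even though an operator later appended "PermitRootLogin no" at the bottom.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
LogLevel INFO
MaxAuthTries 6
PermitRootLogin no
Match User backup
    X11Forwarding no
"""

if __name__ == "__main__":
    print(report(assess(SAMPLE_SSHD_CONFIG, RULES, level=2)))
```

Running the script against the constructed sample shows one L1 pass (LogLevel), two L1 failures (root login still permitted because the first directive wins; MaxAuthTries too high) and an L2 finding for X11Forwarding, which is only set inside the Match block and therefore not globally. Swapping the sample text for the output of `sshd -T` on a real host turns this into an effective-configuration check of the kind CIS-CAT Pro and InSpec profiles perform.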
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com