According to the 2026 Kaseya State of the MSP Report, 71% of MSPs reported year-over-year revenue growth in cybersecurity, but almost half cite the complexity of security products as their top barrier to growth.
When organizations ask “where do we start with cybersecurity?” the answer is rarely straightforward. There are dozens of frameworks, hundreds of guidance documents, and an overwhelming range of security controls to consider. The CIS Controls cut through that complexity with a deliberately practical answer: here are the 18 most important security actions, in priority order, with specific implementation guidance for organizations of different sizes.
That prioritization is what makes CIS Controls distinctive. Rather than a comprehensive catalog of everything an organization should eventually do, the Controls focus on the foundational actions that address the most common attack vectors and deliver the highest risk reduction per unit of effort.
Implement and Track CIS Controls With Compliance Manager GRC
Compliance Manager GRC includes purpose-built templates for all three CIS v8.1 Implementation Groups, tracking safeguard completion, identifying gaps, and generating audit-ready evidence reports automatically.
What Are the CIS Controls?
The CIS Controls are a prioritized set of cybersecurity best practices developed and maintained by the Center for Internet Security, a non-profit organization. Originally released as the “SANS Top 20” and later adopted and evolved by CIS, the Controls represent a consensus view of the most effective defensive actions against the most common attacks.
The framework is widely referenced by regulators and compliance standards. NIST publications, HIPAA Security Rule guidance, PCI DSS, and many state-level cybersecurity regulations reference or map to the CIS Controls. For organizations subject to multiple compliance requirements, implementing the CIS Controls often provides significant coverage across several frameworks simultaneously.
The Controls are free to use and publicly available, with supporting documentation including implementation guidance, mappings to other frameworks, and benchmarks for specific technologies. CIS Benchmarks provide hardening guidance for operating systems, applications, and cloud services.
CIS Controls v8.1: The Current Framework
CIS Controls v8.1 is the current version of the framework. v8 was released in 2021 as the most significant evolution in years, and v8.1 refined and updated the safeguard detail. Key changes from v7:
Cloud and mobile focus. v8 was redesigned for the reality that IT environments now span on-premises infrastructure, cloud services, mobile devices, and remote work, not just the traditional enterprise perimeter.
Consolidated from 20 to 18 Controls. Several overlapping controls were merged, and the framework kept the three Implementation Groups (IG1, IG2, and IG3) introduced in v7.1, which allow organizations to scope the framework to their size and risk profile.
Safeguards model. v8 introduced “Safeguards” as the granular actions within each Control, replacing the previous “Sub-Controls” terminology. CIS Controls v8.1 contains 153 Safeguards across the 18 Controls.
Implementation Groups: Scaling the Controls to Your Organization
One of the most practically useful features of CIS Controls is the Implementation Group model, which lets organizations scope the framework to their size, resources, and risk profile rather than treating the full 153 safeguards as an undifferentiated list.
IG1, Essential Cyber Hygiene (56 Safeguards): Designed for small organizations with limited IT and cybersecurity staff. IG1 is the baseline every organization should achieve regardless of size: the safeguards that address the most common, low-sophistication attacks affecting the overwhelming majority of organizations. If an organization does nothing else, achieving IG1 substantially improves its security posture.
IG2 (130 Safeguards, includes all IG1): Appropriate for organizations managing sensitive data with some dedicated IT and security staff. IG2 adds 74 safeguards that address more sophisticated threats, compliance requirements, and more complex environments. Some safeguards at this level require enterprise-grade technology and specialized expertise.
IG3 (all 153 Safeguards, includes IG1 and IG2): Appropriate for large organizations or those with mature security teams managing high-value assets or critical infrastructure. IG3 adds 23 safeguards addressing advanced threats and requires dedicated security expertise to implement fully.
For most SMBs and the clients MSPs serve, IG1 and IG2 are the relevant target levels. Full IG1 compliance addresses the overwhelming majority of real-world attack vectors that SMB organizations face.
Compliance Manager GRC includes separate templates for each Implementation Group, automatically loading the specific safeguards required for the selected level.
The 18 CIS Controls
Control 1: Inventory and Control of Enterprise Assets. Know every device in the environment. You cannot protect what you don’t know about.
Control 2: Inventory and Control of Software Assets. Track all software and only allow authorized software to run. Unauthorized software is a primary malware entry point.
Control 3: Data Protection. Develop processes and technical controls for identifying, classifying, securing, retaining, and disposing of data. Includes encryption and data loss prevention.
Control 4: Secure Configuration of Enterprise Assets and Software. Establish and maintain secure configurations for all hardware and software. Default configurations are frequently insecure.
Control 5: Account Management. Use processes and tools to assign and manage credentials for all accounts, including administrator, service, and application accounts, following least privilege principles.
Control 6: Access Control Management. Create and manage access credentials based on need-to-know and need-to-use. Covers MFA enforcement, privilege management, and access reviews.
Control 7: Continuous Vulnerability Management. Continuously acquire, assess, and act on new threat and vulnerability information to identify, remediate, and minimize the window of opportunity for attackers.
Control 8: Audit Log Management. Collect, alert, review, and retain audit logs to support detection of incidents and post-incident forensic analysis.
Control 9: Email and Web Browser Protections. Improve protections against threats delivered through email and web browsers, the two most common initial access vectors.
Control 10: Malware Defenses. Use automated tools to prevent or control installation and execution of malicious code at the endpoint.
Control 11: Data Recovery. Establish and maintain data recovery practices sufficient to restore in-scope data to a pre-incident state within defined RTO and RPO targets.
Control 12: Network Infrastructure Management. Establish, implement, and manage network infrastructure to prevent attackers from exploiting vulnerable network services and configurations.
Control 13: Network Monitoring and Defense. Monitor the network for anomalous or malicious activity and deploy mechanisms to detect and respond to those activities.
Control 14: Security Awareness and Skills Training. Establish and maintain a security awareness program that addresses the human risk factor through training and simulated phishing.
Control 15: Service Provider Management. Develop a process to evaluate and manage service providers (including MSPs) based on the risk they pose to the organization’s data and systems.
Control 16: Application Software Security. Manage the security lifecycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses.
Control 17: Incident Response Management. Establish a program to develop and maintain incident response capability, including defined playbooks and tested procedures.
Control 18: Penetration Testing. Test the effectiveness of defenses through controlled simulated attacks to identify exploitable vulnerabilities before attackers do.
CIS Controls and Other Frameworks
The CIS Controls don’t exist in isolation. They map directly to other frameworks organizations need to comply with, which is one of the primary reasons implementing CIS Controls is worth the investment even for organizations that aren’t specifically required to follow CIS.
NIST CSF: The CIS Controls map extensively to NIST CSF functions (Identify, Protect, Detect, Respond, Recover). Organizations using NIST CSF find CIS Controls provide the implementation-level detail that the CSF’s more abstract functions require.
PCI DSS: Controls 1 through 7 and 10 through 12 align strongly with PCI DSS requirements. CIS Control implementation reduces PCI DSS audit preparation effort significantly.
HIPAA: The CIS Controls address many of the HIPAA Security Rule’s administrative, physical, and technical safeguard requirements.
ISO 27001: Significant alignment exists between CIS Controls and ISO 27001 Annex A controls. Organizations pursuing ISO 27001 certification benefit from existing CIS Controls implementation as evidence of control maturity.
This cross-framework coverage is why CIS Controls is a practical starting point for most organizations: implementing the Controls creates compliance evidence across multiple frameworks simultaneously, reducing the overhead of managing each framework independently.
Implementing CIS Controls with Kaseya
The Kaseya platform provides direct technical support for implementing the majority of CIS Controls across managed environments:
Controls 1 and 2 (Asset Inventory): VSA’s automated device discovery and software inventory builds and maintains the asset registers that Controls 1 and 2 require. IT Glue provides the documentation layer for asset tracking and configuration records.
Controls 4 and 5 (Secure Configuration, Account Management): VSA policy-based configuration management enforces secure configuration standards across managed endpoints. Kaseya 365 User supports MFA enforcement and privileged access management.
Control 7 (Vulnerability Management): Kaseya vulnerability scanning and automated patch management directly addresses the continuous vulnerability management requirement.
Controls 9 and 10 (Email and Browser Protections, Malware Defenses): Inky (email security) and Datto EDR address the email, browser, and malware defense controls.
Control 11 (Data Recovery): Datto BCDR provides the backup and recovery capability Control 11 requires, with automated verification and immutable cloud storage.
Control 14 (Security Awareness): BullPhish ID delivers security awareness training and phishing simulation.
Control 17 (Incident Response): Kaseya’s MDR service provides 24/7 monitoring and response capability that supports a managed incident response program.
Compliance Manager GRC is where all of this comes together for compliance purposes. It includes purpose-built CIS Controls v8.1 templates for all three Implementation Groups, automatically loading the specific safeguards required for the selected IG level. The platform tracks implementation progress across all 153 safeguards, identifies gaps, and automatically generates the compliance manuals, evidence reports, and audit documentation that demonstrate CIS Controls adherence to clients, auditors, and cyber insurers.
For MSPs, this turns CIS Controls from a framework to review into a managed compliance service to deliver. Explore Compliance Manager GRC.
Key Takeaways
- CIS Controls v8.1 provides 18 prioritized security actions organized into Implementation Groups that scale to organization size. IG1 (56 Safeguards) is the essential baseline every organization should achieve.
- The Implementation Group model makes CIS Controls practical for organizations of any size: SMBs target IG1 and IG2, enterprises target IG3.
- CIS Controls map to NIST CSF, PCI DSS, HIPAA, and ISO 27001, making implementation valuable as compliance evidence across multiple frameworks simultaneously.
- The Kaseya platform directly implements the majority of CIS Controls through VSA, Datto EDR, IT Glue, Inky, BullPhish ID, and Datto BCDR.
- Compliance Manager GRC provides purpose-built CIS v8.1 templates for all three Implementation Groups, tracking safeguard completion and generating audit-ready evidence documentation automatically.