CIS Controls v8 checklist: 18 controls, 153 safeguards, mapped to IGs
CIS v8 isn’t a one-time certification — it’s evidence your controls operate continuously. This checklist walks every control an auditor examines, and flags which a platform can automate.
What CIS v8 requires
CIS v8 is assessed against 153 controls across 5 families: Basic (IG1), Foundational (IG2), Organizational (IG3), Asset control, Implementation Groups. Each must be both designed and operating — auditors want evidence it worked throughout the period, not just that it existed on paper.
The control checklist
All 18 CIS Controls v8 (153 safeguards across IG1–IG3). Use the table below as your working checklist — 18 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human evidence.
| Control | Requirement | Coverage |
|---|---|---|
| CIS Controls v8 — all 18 controls | | |
| CIS 1 | Inventory & control of enterprise assets | Auto |
| CIS 2 | Inventory & control of software assets | Auto |
| CIS 3 | Data protection | Auto |
| CIS 4 | Secure configuration of assets & software | Auto |
| CIS 5 | Account management | Auto |
| CIS 6 | Access control management | Auto |
| CIS 7 | Continuous vulnerability management | Auto |
| CIS 8 | Audit log management | Auto |
| CIS 9 | Email & web browser protections | Auto |
| CIS 10 | Malware defenses | Auto |
| CIS 11 | Data recovery | Manual |
| CIS 12 | Network infrastructure management | Auto |
| CIS 13 | Network monitoring & defense | Auto |
| CIS 14 | Security awareness & skills training | Manual |
| CIS 15 | Service provider management | Manual |
| CIS 16 | Application software security | Manual |
| CIS 17 | Incident response management | Manual |
| CIS 18 | Penetration testing | Manual |
Evidence you must collect
For every control, an auditor expects evidence it operated throughout the review period. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of CIS v8 controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.