CIS Controls v8.1

The CIS Controls (formerly CIS Critical Security Controls) are published by the Center for Internet Security and represent a curated set of actions that, when implemented, defend against the most prevalent and damaging cyber attacks. Version 8.1 is the current release, updated to reflect modern IT environments including cloud workloads, remote work, and mobile devices. What sets CIS apart from larger federal frameworks is its emphasis on prioritization. Controls are organized into three Implementation Groups (IG1, IG2, IG3), each building on the last. IG1 represents the minimum standard of information security — sometimes called “essential cyber hygiene” — and is recommended for all organizations regardless of size or industry. IG2 and IG3 extend coverage for organizations with greater resources and higher risk profiles. With 156 questions across 18 control areas, the CIS v8.1 assessment is well-suited for small and medium-sized organizations wanting a structured, actionable security baseline, as well as larger enterprises using CIS as a complementary framework alongside NIST or ISO 27001.

What Ayliea Assesses

The assessment maps to all 18 CIS Controls, grouped by the major domains they address. Questions evaluate both the presence of controls and their maturity — whether they are documented, tested, and monitored.

  • Whether your organization maintains accurate inventories of enterprise hardware and software assets. Questions cover discovery processes, unauthorized device detection, and software allowlisting.
  • How you classify, handle, and protect data throughout its lifecycle — at rest, in transit, and at disposal. Includes data flow mapping and encryption coverage.
  • The state of your configuration management for enterprise assets and software, as well as account management practices, access control policies, and privileged access governance.
  • Your vulnerability management program maturity — scanning frequency, remediation SLAs, and prioritization — alongside audit log configuration, retention, and review processes.
  • Technical controls protecting against phishing, malicious email attachments, malicious web content, and malware execution. Includes email filtering, browser security, and endpoint protection.
  • Network monitoring and defense capabilities — segmentation, firewall policies, traffic filtering — as well as your data recovery program, backup coverage, and restoration testing.
  • The breadth and effectiveness of your security awareness training program, penetration testing and red team activity, application security practices, and incident response plan maturity.
  • Due diligence applied to third-party service providers, contract requirements, and ongoing vendor security monitoring. Also covers internal penetration testing scope and frequency.

Who Needs This Assessment

  • Small and medium-sized businesses building their first structured security program
  • Organizations that want a practical, prioritized security baseline before pursuing heavier frameworks
  • Security teams using CIS as a foundational layer alongside NIST CSF or ISO 27001
  • Organizations preparing for cyber insurance renewals that reference CIS Controls
  • IT teams benchmarking against industry-standard security hygiene
  • Organizations in any industry that do not yet have a formal compliance requirement but want to reduce cyber risk systematically

Getting Started

The CIS Controls v8.1 assessment requires an Organization subscription. Once subscribed, select CIS Controls v8.1 from the framework list in the Assess tab and begin with whichever control area is most relevant to your current priorities. For step-by-step instructions, see the Quickstart guide.