CIS or NIST CSF? Choosing the Right Cybersecurity Framework (Or Both)

July 24, 2025 at 1:00 PM

The Center for Internet Security (CIS) Critical Security Controls are a prioritized set of best practices designed to help organizations defend against common cyber threats. Version 8.0, released in 2021, introduced major changes to better reflect modern IT environments, including support for cloud infrastructure, remote work, and hybrid networks. It also reorganized and clarified the Controls to improve usability and alignment with other frameworks, such as NIST CSF.

CIS Version 8.1, released in June 2024, builds on that foundation. It keeps the same 18 Controls and overall structure, but sharpens the language, refines definitions, especially for asset types, and updates mappings to align with NIST Cybersecurity Framework (CSF) 2.0. The update also introduces a formal governance focus, helping organizations better document roles, responsibilities, and oversight of their security programs.

CIS Controls are divided into three Implementation Groups (IGs) to help organizations of different sizes and risk levels adopt protections in a manageable way. IG1 provides essential safeguards for smaller teams or less complex environments. IG2 and IG3 add more advanced protections for larger organizations or those in regulated industries.

Whether you're using CIS Controls as your primary framework or in combination with something broader like NIST CSF 2.0, version 8.1 offers improved clarity and alignment without disrupting existing implementations. This guide explains how v8.1 differs from v8.0, who it’s best suited for, and how it can be applied effectively, on its own or alongside NIST CSF, to build a more resilient cybersecurity program.

What Are the CIS Controls?

The CIS developed a set of 18 security controls for organizations to follow to enhance their cybersecurity. Each Control is broken down into Safeguards, and in CIS Controls v8.1 those Safeguards are grouped into three levels of effort, the Implementation Groups (IGs), so that organizations can prioritize which security measures to implement based on their size, resources, and risk exposure. There are three groups, IG1, IG2, and IG3, and each group builds on the previous one.

  • IG1 is the basic set, ideal for small and mid-sized businesses.
  • IG2 and IG3 add more advanced protections for bigger or more complex organizations.

The controls cover topics like:

  • Keeping track of your hardware and software
  • Setting secure configurations
  • Controlling who can access your systems
  • Regularly testing your security

Implementation Groups at a Glance

Group | Who It's For | Focus
IG1 | Small to mid-sized orgs with limited IT/security staff | Basic cyber hygiene: essential safeguards to defend against common threats
IG2 | Mid-sized to larger orgs with more IT resources | Controls that deal with more sophisticated threats and operational complexity
IG3 | Large, mature orgs in regulated or high-risk sectors | Advanced protections against targeted, well-funded attacks

Number of Safeguards in Each Group (v8.1)

Group | Number of Safeguards | Description
IG1 | 56 | Covers the most basic and critical safeguards
IG2 | 74 additional (total: 130) | Builds on IG1; adds more depth and operational controls
IG3 | 23 additional (total: 153) | High-security controls for complex or high-risk environments

Note: Each group adds safeguards on top of the one before it; IG1 is the foundation for all three.

Example Breakdown

Let’s say you’re a small business with a few dozen employees and minimal cybersecurity expertise:

  • Start with IG1: It covers practical steps like inventorying devices, using strong passwords, enabling firewalls, and keeping software updated.

If you’re a growing company with a dedicated IT team:

  • Move to IG2: Adds controls that deal with more sophisticated threats and operational complexity, on top of everything in IG1.

If you're in finance, healthcare, or a critical industry:

  • IG3 applies: Includes advanced threat detection, role-based access, and robust incident management.

What’s New in CIS Version 8.1?

Released in June 2024, Version 8.1 is a minor update that builds on the foundation of Version 8.0. While the core structure remains the same, several updates improve clarity, alignment with other frameworks, and overall usability.

Key Changes in v8.1:

  • Updated NIST CSF Mapping: Aligns with NIST Cybersecurity Framework 2.0, helping users stay current with federal guidance.
  • Refined Terminology: Improved definitions for asset types like cloud services, operational technology, and devices.
  • Governance Enhancements: Introduces more explicit guidance on roles, policies, and accountability, strengthening the governance component.
  • Editorial Improvements: Corrected typos, resolved confusing language, and improved consistency across the document.

What’s New or Improved:

  • Realigned framework mappings to support NIST CSF 2.0 and other standards.
  • Expanded glossary and refined asset definitions for greater precision.
  • Introduced a dedicated Governance function with practical guidance on oversight and responsibilities.
  • Improved overall consistency to reduce friction when implementing alongside other frameworks.

Practical Impact:

  • Easy Upgrade Path: Because the structure is unchanged, organizations already using v8.0 can adopt v8.1 with minimal effort. A detailed change log is available to help guide updates.
  • Stronger Governance Support: Clearer expectations around policies and roles make it easier to demonstrate governance and compliance.
  • More Relevant to Modern Environments: Updated definitions better reflect current technologies, including cloud, IoT, and OT, which helps users working in complex or hybrid environments.
  • Better Alignment with Other Frameworks: Enhanced mapping improves compatibility with standards like NIST CSF 2.0 and ISO/IEC 27001:2022.

No major content was removed, so if you're using Version 8.0, transitioning to 8.1 is a straightforward next step.

Comparison: v8.0 vs v8.1

Area | v8.0 (May 2021) | v8.1 (June 2024)
Core Controls | 18 controls, focused on hygiene and defense | Same 18 controls, same structure
Asset & Terminology | Simplified, measurable language | Refined asset classes, expanded glossary definitions
Governance | Governance is implicit in the controls | Governance elevated to a formal function
Standards Alignment | Linked to NIST CSF 1.1, MITRE, OWASP, etc. | Remapped to NIST CSF 2.0 for updated alignment
Usability | Clear, measurable, practical | Enhanced context, clarity, coexistence, and consistency; minimal disruption for existing implementers


Why This Matters for You

If you're managing or advising on cybersecurity, here's what you should take away:

  • No disruption: You don’t need to redo your whole security plan if you’re already using v8.0. Review the updates and make any necessary adjustments.
  • Clearer language helps everyone: v8.1 makes it easier for teams to understand and apply the controls.
  • Governance is now front and center: It’s no longer just about the technology; it’s also about how your organization manages security overall.
  • Better fit for cloud and hybrid work: With cloud usage now the norm, the updated guides and more explicit asset definitions make the Controls easier to apply.

CIS or NIST?

CIS Controls v8.1 is best suited for:

  • IT and security teams looking for clear, actionable steps
  • Small to mid-sized businesses (SMBs) aiming for quick wins, especially with Implementation Group 1
  • Teams establishing a baseline before adopting more complex frameworks
  • Organizations focused on system hardening or secure configurations
  • Users who need alignment with technical tools like CIS Benchmarks

NIST CSF 2.0 is a better fit for:

  • Larger organizations or those with mature risk management programs
  • CISOs and executive leaders managing cybersecurity at a strategic level
  • Companies in highly regulated industries such as finance, healthcare, or energy
  • Organizations building governance models, measuring risk, or aligning security with business goals
  • Entities involved in government contracts or part of regulated supply chains

How They Work Together

CIS Controls and the NIST CSF aren’t competing approaches. They’re designed to work together. The NIST CSF offers a high-level strategy for managing cybersecurity as a business risk, while the CIS Controls provide the detailed, technical actions needed to implement that strategy. In simple terms, the NIST CSF serves as the blueprint, while the CIS Controls provide the toolkit. With the updated mappings in Version 8.1, CIS Controls now align more closely with NIST CSF 2.0, making it easier for organizations to use both frameworks in a coordinated and effective way.

Think of it this way:

  • NIST CSF = The blueprint
  • CIS Controls = The toolkit

Side-by-Side Comparison

Aspect | CIS Controls v8.1 | NIST CSF 2.0
Purpose | Tactical security controls | Strategic risk management
Structure | 18 Controls, 153 Safeguards | 6 Core Functions with Categories and Subcategories
Level of Detail | Highly prescriptive and technical | High-level and flexible
Audience | IT and security teams, SMBs | Executives, CISOs, risk managers
Use Case | Implement specific protections | Develop and guide cybersecurity strategy
Compliance Tie-ins | Maps directly to CIS Benchmarks and system-level controls | Supports regulatory alignment and enterprise governance
2024 Updates | New governance function, clearer asset types, updated NIST CSF 2.0 mapping | New "Govern" function; AI and supply chain risk; outcome-based metrics


Used together, CIS Controls and NIST CSF 2.0 can help organizations of any size turn high-level strategy into practical, effective action.

Recommendations

Here are a few practical steps your team can take now:

  • If you were using CIS v8.0, review the v8.1 change summary from CIS to understand what’s new and what’s been refined.
  • Leverage the updated NIST CSF mapping if you need to demonstrate alignment with industry standards or regulatory frameworks.
  • Reinforce governance practices by ensuring that roles, procedures, and policies are documented and auditable.
  • Reevaluate your Implementation Group (IG) status. Based on your current risk profile, it may be time to move from IG1 to IG2 or IG3 within the context of v8.1.
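The Safeguards table earlier in this guide and the recommendation above to reevaluate your IG status both rest on the same cumulative model: IG2 requires everything in IG1, and IG3 requires everything in IG2. The Python below is an added example, not code from this article or from CIS. It encodes that model, checks that the published v8.1 counts (56, 74 additional, 23 additional) roll up to the cumulative totals quoted in the guide, and runs a gap check over a constructed self-assessment to show which IG an organization has fully met and what remains for the next one. The safeguard IDs, titles and IG assignments in SAMPLE_ASSESSMENT are constructed sample data modelled on the CIS numbering scheme; take the real assignments from the published v8.1 document.

```python
"""Implementation Group (IG) tiering model for CIS Controls v8.1.

Every safeguard carries the lowest IG that requires it; a higher IG
inherits all safeguards of the lower ones.  Added example; sample data
below is constructed, not the published CIS safeguard list.
"""
from dataclasses import dataclass

IG_ORDER = ("IG1", "IG2", "IG3")

# Additional safeguards per group for v8.1, as quoted in the guide:
# IG1 has 56, IG2 adds 74, IG3 adds 23.
PUBLISHED_ADDITIONAL = {"IG1": 56, "IG2": 74, "IG3": 23}


def cumulative_totals(additional):
    """Convert per-group additional counts into cumulative totals.

    Because the groups nest, IG2's total is IG1 + IG2, and IG3's total
    is IG1 + IG2 + IG3.
    """
    totals, running = {}, 0
    for ig in IG_ORDER:
        running += additional[ig]
        totals[ig] = running
    return totals


@dataclass(frozen=True)
class Safeguard:
    sid: str          # safeguard identifier, e.g. "1.1" (control.safeguard)
    title: str
    min_ig: str       # lowest IG that requires this safeguard
    implemented: bool  # result of the organization's self-assessment


def required_groups(ig):
    """Groups whose safeguards are required at `ig` (cumulative)."""
    return IG_ORDER[: IG_ORDER.index(ig) + 1]


def coverage(safeguards, ig):
    """Required/implemented counts, percentage, and open gaps for one IG."""
    required = [s for s in safeguards if s.min_ig in required_groups(ig)]
    implemented = [s for s in required if s.implemented]
    gaps = [s.sid for s in required if not s.implemented]
    percent = round(100 * len(implemented) / len(required), 1) if required else 0.0
    return {
        "required": len(required),
        "implemented": len(implemented),
        "percent": percent,
        "gaps": gaps,
    }


def highest_complete_ig(safeguards):
    """Highest IG with every required safeguard implemented, or None."""
    best = None
    for ig in IG_ORDER:
        if coverage(safeguards, ig)["gaps"]:
            break
        best = ig
    return best


def next_target(safeguards):
    """The IG to work toward next and the safeguards still missing for it."""
    current = highest_complete_ig(safeguards)
    if current == IG_ORDER[-1]:
        return None, []  # already at IG3 with no gaps
    nxt = IG_ORDER[0] if current is None else IG_ORDER[IG_ORDER.index(current) + 1]
    return nxt, coverage(safeguards, nxt)["gaps"]


# Constructed self-assessment: a handful of safeguards in the shape of the
# CIS list.  IDs, titles and IG assignments are illustrative only.
SAMPLE_ASSESSMENT = [
    Safeguard("1.1", "Maintain an enterprise asset inventory", "IG1", True),
    Safeguard("2.1", "Maintain a software inventory", "IG1", True),
    Safeguard("4.1", "Maintain a secure configuration process", "IG1", True),
    Safeguard("5.2", "Use unique passwords", "IG1", True),
    Safeguard("3.12", "Segment data processing and storage by sensitivity", "IG2", True),
    Safeguard("8.5", "Collect detailed audit logs", "IG2", False),
    Safeguard("13.1", "Centralize security event alerting", "IG2", False),
    Safeguard("18.5", "Perform periodic internal penetration tests", "IG3", False),
]


if __name__ == "__main__":
    print("Cumulative totals:", cumulative_totals(PUBLISHED_ADDITIONAL))
    for ig in IG_ORDER:
        print(ig, coverage(SAMPLE_ASSESSMENT, ig))
    print("Highest fully met IG:", highest_complete_ig(SAMPLE_ASSESSMENT))
    print("Next target and gaps:", next_target(SAMPLE_ASSESSMENT))
```

The gap list is the practical output: it is the work queue for moving from the IG you have fully met to the next one, which is exactly the reassessment the recommendation calls for. Swapping SAMPLE_ASSESSMENT for an export of your own control tracker (with the published IG assignments) turns this into a repeatable check.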

Final Thoughts

CIS Controls v8.1 builds on a trusted foundation by clarifying language, elevating governance, and improving compatibility with other security frameworks, especially NIST CSF 2.0. The update doesn’t change the core structure of v8.0; instead, it refines how controls can be applied and mapped, making it easier for organizations to connect day-to-day security practices with broader risk management strategies.

For teams already using NIST CSF, CIS Controls v8.1 offers a detailed playbook to help implement the outcomes outlined in the CSF. The two frameworks now align more closely than ever, with updated mappings in v8.1 that support smoother integration and help avoid duplication of effort. That said, NIST CSF 2.0 can also stand on its own. It's well-suited for organizations focused on building a strategic cybersecurity program rooted in risk management, governance, and business alignment, particularly those with regulatory obligations or operating in complex supply chains. It’s especially valuable at the executive level, helping leaders assess, prioritize, and communicate cybersecurity posture across the enterprise.

CIS Controls, on the other hand, provide the tactical, technical safeguards that bring those strategies to life. Whether you use them together or individually, both frameworks have clear roles: NIST CSF defines the “what” and “why,” while CIS Controls offer the “how”.

If your organization is just getting started, beginning with IG1 in CIS Controls v8.1 is a practical, manageable first step. From there, you can build toward IG2 and IG3 as your capabilities and risk exposure evolve. For more mature organizations, combining NIST CSF 2.0’s strategic lens with CIS Controls’ practical actions provides a comprehensive and scalable approach to cybersecurity, one that’s aligned with both current threats and long-term business goals.

How Compass Can Help

Navigating the evolving landscape of cybersecurity frameworks like CIS Controls and NIST CSF 2.0 requires both technical depth and strategic alignment. At Compass IT Compliance, we help organizations of all sizes adopt and implement these frameworks in a way that’s tailored to their risk profile, resource constraints, and compliance obligations. Whether you’re new to CIS and need help identifying your Implementation Group, or you’re looking to align CIS Controls with a broader NIST CSF strategy, our experienced cybersecurity professionals—including auditors, vCISOs, and technical assessors—are ready to guide you every step of the way.

Want to strengthen your cybersecurity program using CIS v8.1, NIST CSF 2.0, or both? Contact us today to schedule a consultation.
