What CIS Controls v8 is and why it matters for SaaS
The CIS Controls (published by the Center for Internet Security) are a prioritised set of cybersecurity best practices that provide a concrete, actionable roadmap for security programmes. Version 8, released in May 2021, was a significant restructuring: it consolidated the previous 20 Controls into 18, replaced 171 sub-controls with 153 Safeguards, and refined the three Implementation Groups (IGs) first introduced in v7.1 so that the framework scales from a five-person startup to a regulated enterprise.
For SaaS companies, CIS Controls v8 is valuable for three reasons. First, it's free and there is no certification body to pay. Second, it's SMB-friendly: IG1 covers the essentials every organisation should have regardless of size. Third, it maps cleanly onto SOC 2, ISO 27001 and NIST CSF, so progress on CIS Safeguards is also progress toward the audits and certifications enterprise customers ask for.
What changed from v7.1 to v8
| Aspect | v7.1 | v8 | Why it matters for SaaS |
|---|---|---|---|
| Number of Controls | 20 | 18 | Wireless access control, boundary defence, port limitation and admin-privilege controls folded into the network, configuration and access controls |
| Sub-controls → Safeguards | 171 sub-controls | 153 Safeguards | Clearer, more actionable individual requirements |
| BYOD / mobile coverage | Mobile devices mentioned in scattered sub-controls | Portable end-user devices are part of the enterprise-asset definition, so every asset Safeguard applies to them | Better reflects modern remote/hybrid work |
| Cloud / SaaS focus | Limited cloud guidance | Cloud and SaaS assets included throughout | Controls now explicitly cover cloud VMs, SaaS tools, containers |
| Data protection (new Control 3) | Less structured | Dedicated Control 3 with data classification, encryption, disposal | Aligns better with GDPR and CCPA requirements |
| Implementation Groups | IG1/IG2/IG3 introduced | IGs refined and clarified | Clearer what "basic", "foundational", and "advanced" mean |
| Service Provider Management | No dedicated control (v7.1 Control 15 was Wireless Access Control) | New Control 15 with explicit third-party risk focus | Mirrors SOC 2 CC9.2 vendor risk requirements |
The three Implementation Groups explained
This is the most important structural feature of CIS Controls v8. Every Safeguard is assigned to an Implementation Group — IG1, IG2, or IG3. Organisations should start with IG1 and progressively add IG2 and IG3 Safeguards as their security programme matures.
- IG1 — Essential Cyber Hygiene (all organisations): 56 Safeguards. These are the minimum security standard for every enterprise, regardless of size. They address the most common attack vectors and provide basic protection. Any organisation not implementing all IG1 Safeguards is below the baseline. For very small SaaS teams (1–10 people), IG1 is the immediate target.
- IG2 — Foundational Security (mid-size and growing): IG1 + 74 additional Safeguards. Designed for organisations that manage sensitive information, have regulatory obligations, or need to satisfy enterprise customer security questionnaires. SOC 2 Type I/II readiness broadly aligns with IG2. If you're pursuing SOC 2 or ISO 27001, IG2 is where you need to be.
- IG3 — Advanced Security (large or regulated): IG1 + IG2 + 23 additional Safeguards, 153 in total. For organisations with significant regulatory exposure (FedRAMP, HIPAA covered entity, financial services). Adds host and network intrusion prevention, internal penetration testing and validation of security measures, and the most demanding monitoring and alert-tuning requirements.
The 18 CIS Controls and what they cover
| Control | Domain | Min IG | Key requirement for SaaS |
|---|---|---|---|
| CIS 1 | Enterprise Asset Inventory | IG1 | Complete inventory of hardware, VMs, containers and cloud assets; reviewed at least twice a year (quarterly in practice) |
| CIS 2 | Software Asset Inventory | IG1 | Authorised software list; unsupported/EOL software removed or documented as an exception; reviewed monthly |
| CIS 3 | Data Protection | IG1 | Data inventory and handling process; encryption on end-user devices; secure disposal; classification scheme (IG2) |
| CIS 4 | Secure Configuration | IG1 | Baseline configurations; automatic session lock ≤15 min (≤2 min on mobile); host firewalls; default accounts managed |
| CIS 5 | Account Management | IG1 | Account inventory; unique passwords; dormant accounts disabled after 45 days; dedicated admin accounts |
| CIS 6 | Access Control Management | IG1 | MFA for externally exposed apps, remote access and admin access; formal provisioning/deprovisioning |
| CIS 7 | Vulnerability Management | IG1 | Automated OS + app patching monthly; internal scans quarterly and external scans monthly (IG2) |
| CIS 8 | Audit Log Management | IG1 | Audit logs collected on every asset; time synchronised; centralised collection (8.9) and 90-day retention (8.10) are IG2 |
| CIS 9 | Email and Web Browser Protections | IG1 | DNS filtering; supported browsers and email clients only; URL filtering (IG2) |
| CIS 10 | Malware Defences | IG1 | Anti-malware/EDR on all endpoints; signatures auto-updated |
| CIS 11 | Data Recovery | IG1 | Automated backups at least weekly (daily is typical); encrypted and access-restricted; isolated copy; restore tested quarterly (IG2) |
| CIS 12 | Network Infrastructure Management | IG1 | Current firmware; network segmentation (IG2); secure management plane (IG2) |
| CIS 13 | Network Monitoring and Defence | IG2 | SIEM or centralised alerting; HIDS and NIDS (IG2); HIPS/NIPS and alert tuning (IG3) |
| CIS 14 | Security Awareness Training | IG1 | Annual awareness programme; social-engineering recognition; authentication best practices |
| CIS 15 | Service Provider Management | IG1 | Third-party inventory (IG1); service provider policy, classification and contract requirements (IG2) |
| CIS 16 | Application Software Security | IG2 | Secure SDLC; third-party component inventory and SCA; vulnerability handling process; remediation SLAs |
| CIS 17 | Incident Response Management | IG1 | Named IR owner and reporting contacts/process (IG1); documented IR process, roles and tabletop exercises (IG2) |
| CIS 18 | Penetration Testing | IG2 | Periodic (typically annual) external pen test; remediation of findings; validation of security measures and internal tests (IG3) |
The 10 CIS v8 Safeguards SaaS startups most commonly fail
Based on common assessment patterns, these Safeguards (all IG1 unless noted) are most often missing in early-stage SaaS companies:
- CIS 6.3 — MFA for all externally exposed applications (and CIS 6.5 for administrative access). SaaS founders often use SSO personally but haven't enforced MFA for all users or for every cloud console. Enterprise customers check this.
- CIS 5.3 — Disable dormant accounts within 45 days. Former contractors, old test accounts, and unused service accounts are common. No automated review process means this slips.
- CIS 5.4 — Dedicated administrator accounts. Developers using their personal Google account with Owner-level cloud IAM permissions is a near-universal finding in early-stage SaaS.
- CIS 11.5 — Test data recovery (IG2 in v8, but included because the IG1 backup Safeguards 11.2–11.4 are only worth something if a restore works). Backups exist. Restoration has never been tested. This is the most common BCP finding.
- CIS 17.4 — Documented incident response process (IG2 in v8; IG1 requires only a named handler, 17.1, and a way for staff to report incidents, 17.3). Most founders know what they'd do in a breach, but nothing is written down or communicated to the team.
- CIS 8.2 — Collect audit logs. AWS CloudTrail exists in each account, but logs aren't centralised (8.9, IG2), alerts aren't configured, and retention (8.10, IG2) isn't verified.
- CIS 14.2 — Train staff to recognise social engineering (phishing, pretexting, tailgating). General awareness training may exist, but it rarely covers this explicitly. Phishing simulations are a common way to evidence 14.2, not a separate CIS requirement.
- CIS 15.1 — Third-party service provider inventory. A comprehensive list of all SaaS tools, sub-processors, and cloud services with data access scope is rarely maintained.
- CIS 3.6 — Full-disk encryption on endpoints. macOS FileVault or Windows BitLocker — often enabled but not enforced via MDM.
- CIS 9.2 — DNS filtering. Free options exist (Cloudflare Gateway, NextDNS) but are rarely configured for teams without a security-focused IT function.
How CIS Controls v8 maps to SOC 2 and ISO 27001
| CIS Control | SOC 2 TSC | ISO 27001:2022 Annex A | NIST CSF 2.0 |
|---|---|---|---|
| CIS 1–2 (Asset Inventory) | CC6.1 | A.5.9, A.5.10 | IDENTIFY — ID.AM |
| CIS 3 (Data Protection) | CC6.7, C1.1 | A.5.12, A.8.24, A.8.10 | PROTECT — PR.DS |
| CIS 4 (Secure Config) | CC7.1 | A.8.9, A.8.1 | PROTECT — PR.PS |
| CIS 5–6 (Accounts / Access) | CC6.2, CC6.3 | A.5.15–A.5.18, A.8.2 | PROTECT — PR.AA |
| CIS 7 (Vulnerability Mgmt) | CC7.1 | A.8.8 | IDENTIFY — ID.RA |
| CIS 8 (Audit Logs) | CC7.2 | A.8.15, A.8.16 | DETECT — DE.CM |
| CIS 10 (Malware) | CC6.8 | A.8.7 | PROTECT — PR.PS |
| CIS 11 (Data Recovery) | A1.2, A1.3 | A.8.13, A.5.29 | RECOVER — RC.RP |
| CIS 15 (Service Providers) | CC9.2 | A.5.19–A.5.22 | GOVERN — GV.SC |
| CIS 16 (AppSec) | CC8.1 | A.8.25–A.8.29 | PROTECT — PR.PS |
| CIS 17 (Incident Response) | CC7.3–CC7.5 | A.5.24–A.5.28 | RESPOND — RS.MA |
| CIS 18 (Pen Testing) | CC4.1 | A.8.8, A.8.29 | IDENTIFY — ID.RA |
The minimum viable CIS IG1 checklist for SaaS startups
If you're a SaaS startup with no formal security programme, start here. These 10 items address the Safeguards most commonly missing and provide the highest risk reduction per hour invested:
- Enable full-disk encryption on all laptops (macOS: FileVault via Jamf/Mosyle; Windows: BitLocker via Intune) — 1 day
- Enforce MFA on all cloud consoles (AWS IAM, GCP, Azure) and your IdP — 2 hours
- Create dedicated admin accounts; remove Owner-level access from personal accounts — 1 day
- Audit all accounts; disable dormant accounts; remove ex-employees — 2–4 hours
- Deploy anti-malware/EDR on all endpoints (Microsoft Defender Antivirus is built into Windows; Malwarebytes for Mac; CrowdStrike Falcon Go for small teams) — 1 day
- Configure DNS filtering (Cloudflare Gateway Zero Trust free tier or NextDNS free) — 2 hours
- Enable AWS CloudTrail as an organisation trail into a dedicated log account / GCP Cloud Audit Logs / Azure Activity Log, and verify retention — half day
- Verify daily automated backups exist; schedule a restoration test in the next 30 days — 2 hours
- Assign a named incident response owner and document a 1-page IRP — 2 hours
- Run a phishing simulation and security awareness training for all staff — 2 hours
Related generators: CIS Controls v8 Gap Assessment, NIST CSF 2.0 Gap Assessment, ISO 27001 Gap Assessment, Incident Response Plan, Vulnerability Management Policy.
Related reading: NIST CSF 2.0 Gap Assessment Guide, ISO 27001 Gap Assessment Guide, Cyber Essentials Certification Guide (UK), ISO 27001 vs SOC 2.
⚠️ This guide is for informational purposes only. CIS Controls alignment does not constitute a certification. Consult a qualified cybersecurity professional for advice specific to your organisation.