What are the CIS Controls?
The CIS Critical Security Controls, commonly just "the CIS Controls", are a prioritized set of cybersecurity safeguards maintained by the Center for Internet Security (CIS). They are not a regulation and not a certifiable standard; they are a community-built, opinionated answer to one question: of everything you could do to defend an organization, what should you actually do, and in what order?
That framing is the whole point. Most frameworks tell you to consider a broad set of requirements and leave the sequencing to you. The CIS Controls instead rank the work, so a team with limited time and people knows which safeguards to put in place first and which can wait until the basics are solid. You implement them and measure your progress against them; you do not "pass" them.
The current version is v8.1. Version 8 was published in 2021 and reduced the set from 20 controls to 18; v8.1, released in 2024, refines that set and updates the mapping so it lines up cleanly with NIST CSF 2.0. If you read older material referring to 20 controls, that describes v7 — the structure below is v8.1.
Controls vs Safeguards
The two terms are easy to blur, so it is worth being precise. A Control is one of the 18 top-level areas — "inventory and control of enterprise assets", for example. A Safeguard is a specific action within that Control, such as establishing and maintaining a detailed asset inventory. There are 18 Controls and more than 150 Safeguards in total. You organize your thinking around the Controls, but the Safeguard is the thing you actually implement, evidence and measure.