Interconnekt
Compliance · 9 min read

Asked for CIS Controls and the Essential Eight? Here's how they actually map.

Auditors and insurers increasingly want both CIS Controls v8 and the Essential Eight. They overlap, but they aren't the same shape. Here's the control-by-control mapping we use - and the four CIS controls the Essential Eight quietly leaves you exposed on.

Joel Kino
Interconnekt

It used to be that a customer asked about one framework. Now we increasingly see both in the same request: the cyber insurer wants Essential Eight alignment, the enterprise customer's vendor questionnaire is built on CIS Controls v8, and someone internally has decided you should "be compliant with both." The instinct is to run two separate programmes. Don't. They overlap enough that doing one well gets you most of the way through the other, and the smart move is to understand exactly where they line up and where they don't before you spend a dollar.

The two frameworks aren't the same shape

The Essential Eight, from the Australian Cyber Security Centre, is eight mitigation strategies you implement to a defined maturity level (ML1, ML2, ML3). It's deliberately narrow and unusually prescriptive: it tells you not just to control applications but how, with maturity levels that specify the exact posture. Its strength is that it's hard to fudge. Its weakness is that eight strategies is not a complete security programme.

CIS Controls v8, from the Center for Internet Security, is eighteen controls broken into safeguards, grouped into three Implementation Groups (IG1 is basic cyber hygiene, IG2 and IG3 add rigour for larger or higher-risk organisations). It's broad: asset inventory, data protection, awareness training, incident response, and vendor management all get their own control. The trade-off is that it's less prescriptive per control. CIS tells you to manage your accounts; it leaves more of the "how" to you than the Essential Eight does.

So the comparison people want - "is ML2 the same as IG1?" - doesn't have a clean answer. The Essential Eight goes deeper on its eight strategies than CIS IG1 does on the equivalent safeguards, but CIS IG1 covers ground the Essential Eight never touches. They're complementary, not interchangeable.

The mapping, control by control

Here's how each Essential Eight strategy lines up against the CIS v8 controls it satisfies. This is the table we put in front of customers who need to show coverage against both. Where an Essential Eight strategy is implemented honestly, the listed CIS controls are substantially (not always fully) addressed:

  • Application control maps to CIS 2 (Inventory and Control of Software Assets, including the allowlisting safeguards) and CIS 10 (Malware Defenses). If you're running application control in enforcement mode, you've done the hardest part of CIS 2.
  • Patch applications maps to CIS 7 (Continuous Vulnerability Management). Same evidence: scan, prioritise, remediate within an SLA, prove it.
  • Configure Microsoft Office macro settings maps to CIS 9 (Email and Web Browser Protections) and CIS 4 (Secure Configuration of Enterprise Assets and Software).
  • User application hardening maps to CIS 4 (Secure Configuration) and CIS 9. Disabling Flash, ads, and Java in browsers is a CIS 4 and CIS 9 safeguard by another name.
  • Restrict administrative privileges maps to CIS 5 (Account Management) and CIS 6 (Access Control Management). This is where the two frameworks overlap most cleanly.
  • Patch operating systems maps to CIS 7 (Continuous Vulnerability Management), same control as application patching.
  • Multi-factor authentication maps to CIS 6 (Access Control Management). CIS spreads MFA across several safeguards covering remote access, admin accounts, and external-facing apps.
  • Regular backups maps to CIS 11 (Data Recovery). The Essential Eight's restore-testing requirement is exactly the CIS 11 safeguard most organisations skip.

Where the Essential Eight leaves you exposed

This is the part that matters most and gets the least airtime. You can be fully Essential Eight ML2 compliant and still have material gaps against CIS IG1, because the Essential Eight simply has no control for several things CIS treats as basic hygiene. The four that bite SMBs hardest:

  • CIS 1 (Inventory and Control of Enterprise Assets). The Essential Eight assumes you know what you're protecting but never makes you prove it. You cannot honestly do application control or patching without an asset inventory, yet nothing in the Essential Eight forces you to maintain one. CIS makes it Control 1 for a reason.
  • CIS 14 (Security Awareness and Skills Training). The Essential Eight is entirely technical. It has nothing to say about the human layer, which is where most breaches actually start. CIS requires a structured awareness programme.
  • CIS 17 (Incident Response Management). The Essential Eight tells you how to prevent and limit incidents, not what to do when one happens. No playbook, no roles, no tested response. CIS 17 requires a documented, exercised incident response capability.
  • CIS 15 (Service Provider Management). If you outsource IT, cloud, or security (most SMBs do), CIS makes you manage and assess those providers. The Essential Eight is silent on supply chain entirely.

The practical upshot: treating the Essential Eight as your whole security programme leaves you blind on asset visibility, your people, your incident readiness, and your suppliers. None of those are exotic. They're the gaps an experienced assessor or a real incident will find first. If your only framework is the Essential Eight, these four are your homework.

Which one should be your system of record?

We use the Essential Eight as the technical control spine and wrap the CIS controls it omits around it. The reasoning is practical: the Essential Eight is more prescriptive, so the evidence expectations are clearer and harder to argue with, and in Australia it's the framework regulators and insurers reference by name. That makes it the cleaner backbone for the eight controls it covers. Then we layer CIS 1, 14, 15, and 17 on top as a programme wrapper, because those are the gaps that turn a passing audit into an actual security posture.

If your driver is a CIS-based vendor questionnaire rather than an Australian insurer, the same controls still apply - you just present them in CIS order. The work doesn't change; the reporting frame does. That's the whole point of getting the mapping right once: you do the controls a single time and speak whichever framework the person asking understands.

Where to start

Run both gap analyses honestly before you set a target. We score your environment against the Essential Eight maturity levels in an Essential 8 Gap Analysis and against CIS v8 Implementation Groups in a CIS Gap Analysis, then reconcile the two so you're not paying twice for overlapping evidence. If you're earlier in the journey and just need a defensible baseline, our Compliance Foundation Programme takes you from gap analysis through to a documented, evidence-grade posture against both frameworks. And if the gap that worries you is incident readiness - the CIS 17 hole the Essential Eight leaves open - that's the Incident Response conversation.

The frameworks aren't competitors and you don't have to choose. Done right, the Essential Eight gives you depth on the technical basics and CIS gives you the breadth the Essential Eight is missing. The expensive mistake is running them as two programmes. Map them once, implement each control once, and report against whichever name the person in front of you uses.
