Interconnekt
Compliance9 min read

Asked for CIS Controls and the Essential Eight? Here's how they actually map.

Auditors and insurers increasingly want both CIS Controls v8 and the Essential Eight. They overlap, but they aren't the same shape. Here's the control-by-control mapping we use - and the four CIS controls the Essential Eight quietly leaves you exposed on.

Abstract Signal cover illustration.
Joel Kino
Interconnekt
Share

It used to be that a customer asked about one framework. Now we increasingly see both in the same request: the cyber insurer wants Essential Eight alignment, the enterprise customer's vendor questionnaire is built on CIS Controls v8, and someone internally has decided you should "be compliant with both." The instinct is to run two separate programmes. Don't. They overlap enough that doing one well gets you most of the way through the other, and the smart move is to understand exactly where they line up and where they don't before you spend a dollar.

The two frameworks aren't the same shape

The Essential Eight, from the Australian Cyber Security Centre, is eight mitigation strategies you implement to a defined maturity level (ML1, ML2, ML3). It's deliberately narrow and unusually prescriptive: it tells you not just to control applications but how, with maturity levels that specify the exact posture. Its strength is that it's hard to fudge. Its weakness is that eight strategies is not a complete security programme.

CIS Controls v8, from the Center for Internet Security, is eighteen controls broken into safeguards, grouped into three Implementation Groups (IG1 is basic cyber hygiene, IG2 and IG3 add rigour for larger or higher-risk organisations). It's broad: asset inventory, data protection, awareness training, incident response, and vendor management all get their own control. The trade-off is that it's less prescriptive per control. CIS tells you to manage your accounts; it leaves more of the "how" to you than the Essential Eight does.

So the comparison people want - "is ML2 the same as IG1?" - doesn't have a clean answer. The Essential Eight goes deeper on its eight strategies than CIS IG1 does on the equivalent safeguards, but CIS IG1 covers ground the Essential Eight never touches. They're complementary, not interchangeable.

The mapping, control by control

Here's how each Essential Eight strategy lines up against the CIS v8 controls it satisfies. This is the table we put in front of customers who need to show coverage against both. Where an Essential Eight strategy is implemented honestly, the listed CIS controls are substantially (not always fully) addressed:

  • Application control maps to CIS 2 (Inventory and Control of Software Assets, including the allowlisting safeguards) and CIS 10 (Malware Defenses). If you're running application control in enforcement mode, you've done the hardest part of CIS 2.
  • Patch applications maps to CIS 7 (Continuous Vulnerability Management). Same evidence: scan, prioritise, remediate within an SLA, prove it.
  • Configure Microsoft Office macro settings maps to CIS 9 (Email and Web Browser Protections) and CIS 4 (Secure Configuration of Enterprise Assets and Software).
  • User application hardening maps to CIS 4 (Secure Configuration) and CIS 9. Disabling Flash, ads, and Java in browsers is a CIS 4 and CIS 9 safeguard by another name.
  • Restrict administrative privileges maps to CIS 5 (Account Management) and CIS 6 (Access Control Management). This is where the two frameworks overlap most cleanly.
  • Patch operating systems maps to CIS 7 (Continuous Vulnerability Management), same control as application patching.
  • Multi-factor authentication maps to CIS 6 (Access Control Management). CIS spreads MFA across several safeguards covering remote access, admin accounts, and external-facing apps.
  • Regular backups maps to CIS 11 (Data Recovery). The Essential Eight's restore-testing requirement is exactly the CIS 11 safeguard most organisations skip.

Where the Essential Eight leaves you exposed

This is the part that matters most and gets the least airtime. You can be fully Essential Eight ML2 compliant and still have material gaps against CIS IG1, because the Essential Eight simply has no control for several things CIS treats as basic hygiene. The four that bite SMBs hardest:

  • CIS 1 (Inventory and Control of Enterprise Assets). The Essential Eight assumes you know what you're protecting but never makes you prove it. You cannot honestly do application control or patching without an asset inventory, yet nothing in the Essential Eight forces you to maintain one. CIS makes it Control 1 for a reason.
  • CIS 14 (Security Awareness and Skills Training). The Essential Eight is entirely technical. It has nothing to say about the human layer, which is where most breaches actually start. CIS requires a structured awareness programme.
  • CIS 17 (Incident Response Management). The Essential Eight tells you how to prevent and limit incidents, not what to do when one happens. No playbook, no roles, no tested response. CIS 17 requires a documented, exercised incident response capability.
  • CIS 15 (Service Provider Management). If you outsource IT, cloud, or security (most SMBs do), CIS makes you manage and assess those providers. The Essential Eight is silent on supply chain entirely.

The practical upshot: treating the Essential Eight as your whole security programme leaves you blind on asset visibility, your people, your incident readiness, and your suppliers. None of those are exotic. They're the gaps an experienced assessor or a real incident will find first. If your only framework is the Essential Eight, these four are your homework.

Which one should be your system of record?

We use the Essential Eight as the technical control spine and wrap the CIS controls it omits around it. The reasoning is practical: the Essential Eight is more prescriptive, so the evidence expectations are clearer and harder to argue with, and in Australia it's the framework regulators and insurers reference by name. That makes it the cleaner backbone for the eight controls it covers. Then we layer CIS 1, 14, 15, and 17 on top as a programme wrapper, because those are the gaps that turn a passing audit into an actual security posture.

If your driver is a CIS-based vendor questionnaire rather than an Australian insurer, the same controls still apply - you just present them in CIS order. The work doesn't change; the reporting frame does. That's the whole point of getting the mapping right once: you do the controls a single time and speak whichever framework the person asking understands.

Where to start

Run both gap analyses honestly before you set a target. We score your environment against the Essential Eight maturity levels in an Essential 8 Gap Analysis and against CIS v8 Implementation Groups in a CIS Gap Analysis, then reconcile the two so you're not paying twice for overlapping evidence. If you're earlier in the journey and just need a defensible baseline, our Compliance Foundation Programme takes you from gap analysis through to a documented, evidence-grade posture against both frameworks. And if the gap that worries you is incident readiness - the CIS 17 hole the Essential Eight leaves open - that's the Incident Response conversation.

The frameworks aren't competitors and you don't have to choose. Done right, the Essential Eight gives you depth on the technical basics and CIS gives you the breadth the Essential Eight is missing. The expensive mistake is running them as two programmes. Map them once, implement each control once, and report against whichever name the person in front of you uses.

Keep reading

More from the blog

Abstract Signal cover illustration.Compliance6 min read

ML1 is enough. Most SMBs still overshoot.

The Essential Eight has three maturity levels. Most SMBs reach for ML2 or ML3 because the number looks better. Here's why ML1, done honestly, beats ML2 done badly - and what the gap actually costs.

24 May 2026Read more
Read ML1 is enough. Most SMBs still overshoot.
Abstract Signal cover illustration.Strategy9 min read

Microsoft Copilot Cowork is GA: what it costs, and how to stay in control

Copilot Cowork is now generally available, and it is billed in a way that catches people out: a fixed seat plus a metered usage charge that can dwarf it. Here is how the pricing works, what it can cost, and every lever to cap the spend.

18 June 2026Read more
Read Microsoft Copilot Cowork is GA: what it costs, and how to stay in control
Abstract Signal cover illustration.How-to6 min read

When to refresh your office network (and what good looks like now)

Slow Wi-Fi gets blamed on laptops, broadband, and bad luck long before anyone blames the network. Here's how to tell when the network is the problem, and what a network worth keeping looks like in 2026.

4 June 2026Read more
Read When to refresh your office network (and what good looks like now)
Abstract Signal cover illustration.How-to7 min read

Azure for SMBs: what we run, and what you probably don't need

Azure is sold like an infinite menu, which is exactly why SMB cloud bills get out of hand. Here's the sensible footprint most small businesses actually need - and the enterprise sprawl you can safely ignore.

3 June 2026Read more
Read Azure for SMBs: what we run, and what you probably don't need
Abstract Signal cover illustration.Opinion4 min read

Why we publish our prices (and most MSPs don't)

The argument for transparent pricing, the objections we get, and the customers it brings - unfiltered. A post we've been threatening to write for two years.

27 Mar 2026Read more
Read Why we publish our prices (and most MSPs don't)
Abstract Signal cover illustration.How-to11 min read

Copilot rollout playbook: from license to measured productivity

Microsoft 365 Copilot is the most expensive per-user add-on a business will add this year. Most rollouts fail on the prep, not the technology. Here's the sequence we use to make sure it actually pays for itself.

14 Mar 2026Read more
Read Copilot rollout playbook: from license to measured productivity
Abstract Signal cover illustration.Security9 min read

The SMB buyer's guide to Managed Detection and Response

Every MDR vendor's site says the same things. Here's how to actually tell them apart: the difference between an alert and a response, who's watching at 2am, and the questions that separate real 24/7 detection from a dashboard you'll never open.

28 Feb 2026Read more
Read The SMB buyer's guide to Managed Detection and Response
Stay in the loop

Get the next post in your inbox

If this was useful, the next one will be too. Summaries plus a monthly digest on managed IT, the Essential Eight, and Australian SMBs - unsubscribe anytime.

Monthly digest and post summaries. We use Resend (United States) to deliver email. See our Privacy Policy.