NIST CSF vs CIS Controls: How They Differ and Work Together
People treat "NIST CSF" and "CIS Controls" as an either/or choice. They aren't. One is a strategic framework that names the security outcomes you should reach; the other is a prioritized list of specific safeguards that get you there. The strongest programs use both.
The short answer
Use NIST CSF 2.0 as the map: it organizes your whole program into six functions and gives you a common language for leadership and auditors. Use the CIS Controls v8.1 as the to-do list: 18 prioritized controls that tell you exactly what to implement first. CSF says what; CIS says how, in order.
NIST CSF: the strategic framework
The NIST Cybersecurity Framework, published by the National Institute of Standards and Technology, is a voluntary, risk-based, outcome-oriented framework. It does not hand you a checklist of products to buy; it describes the security outcomes an organization should achieve and gives you a shared vocabulary for discussing risk with executives, customers, and regulators.
The current edition, CSF 2.0 (released February 2024), is built on six core Functions:
- Govern (new in 2.0): establishes and monitors the organization's cybersecurity risk strategy, roles, and policy.
- Identify: understand assets, data, suppliers, and risks.
- Protect: safeguards to limit or contain the impact of events.
- Detect: find and analyze possible attacks and compromises.
- Respond: take action on a detected incident.
- Recover: restore assets and operations after an incident.
The earlier version, CSF 1.1 (2018), had five Functions; Govern was added in 2.0 to put leadership accountability and risk governance at the center of the framework.
CIS Controls: the prioritized checklist
The CIS Controls, published by the Center for Internet Security, sit at the opposite end of the spectrum: prescriptive and prioritized. The current version, CIS Controls v8.1 (released June 2024), defines 18 Controls broken into 153 Safeguards: concrete actions such as maintaining a hardware and software inventory, using MFA, and managing administrative privileges.
What makes CIS practical is its Implementation Groups, which prioritize the safeguards by an organization's resources and risk profile:
- IG1: essential cyber hygiene, the baseline every organization should meet.
- IG2: for organizations managing more sensitive data and greater complexity.
- IG3: for mature organizations facing sophisticated, targeted threats.
Note: version 8 consolidated the older 20 Controls (v7) down to 18, reorganizing them around activities rather than who manages the asset.
| Criterion | NIST CSF 2.0 | CIS Controls v8.1 |
|---|---|---|
| Publisher | NIST (U.S. government agency) | Center for Internet Security (nonprofit) |
| Type | Strategic, outcome-oriented framework | Prescriptive, prioritized safeguards |
| Answers | What outcomes to achieve | How to achieve them, in priority order |
| Structure | 6 Functions (Govern, Identify, Protect, Detect, Respond, Recover) | 18 Controls, 153 Safeguards |
| Prioritization | Tiers & Profiles (relative to your risk) | Implementation Groups IG1 / IG2 / IG3 |
| Best used as | The map and common language | The implementation checklist |
How to use them together
These two are explicitly designed to be complementary, and CIS publishes mappings between the CIS Controls and NIST CSF. A practical workflow:
- Adopt NIST CSF as the structure for your security program and reporting; it's the language auditors, insurers, and boards understand.
- Start implementing with CIS Controls IG1, essential cyber hygiene that addresses the most common attacks and satisfies a large share of CSF's Protect and Detect outcomes.
- Use the CIS-to-CSF mapping to show coverage: each safeguard you implement can be traced to the CSF outcome it supports, which is exactly what questionnaires and assessments want to see.
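The traceability step above (each implemented safeguard tied to the CSF outcome it supports) is easy to automate once you hold the mapping as data. The following is an added example, not code from the article, NIST, or CIS: it takes a small catalogue of CIS safeguards, each tagged with its Implementation Group and the CSF 2.0 Function it supports, and reports per-Function coverage, IG completion, and the remaining gaps. The safeguard IDs and titles are a constructed sample of v8.1 safeguards, and the Function assignments are an illustrative mapping chosen here, not the official CIS-to-CSF mapping; substitute the published mapping for real reporting.

```python
"""Trace implemented CIS Safeguards to NIST CSF 2.0 Functions and report coverage.

Illustrative example: the catalogue below is a constructed sample and the
Function assignments are an assumed mapping, not the official CIS-to-CSF one.
"""
from dataclasses import dataclass

CSF_FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Safeguard:
    sid: str           # CIS safeguard id, e.g. "1.1"
    title: str
    ig: int            # lowest Implementation Group that requires it (1, 2 or 3)
    csf_function: str  # CSF 2.0 Function it supports (assumed mapping)

    def __post_init__(self):
        if self.csf_function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF Function: {self.csf_function}")
        if self.ig not in (1, 2, 3):
            raise ValueError(f"invalid Implementation Group: {self.ig}")


# Constructed sample catalogue (a handful of v8.1 safeguards; mapping is illustrative).
CATALOGUE = [
    Safeguard("1.1", "Establish and Maintain Detailed Enterprise Asset Inventory", 1, "Identify"),
    Safeguard("2.1", "Establish and Maintain a Software Inventory", 1, "Identify"),
    Safeguard("4.1", "Establish and Maintain a Secure Configuration Process", 1, "Protect"),
    Safeguard("5.2", "Use Unique Passwords", 1, "Protect"),
    Safeguard("6.5", "Require MFA for Administrative Access", 1, "Protect"),
    Safeguard("8.2", "Collect Audit Logs", 1, "Detect"),
    Safeguard("11.1", "Establish and Maintain a Data Recovery Process", 1, "Recover"),
    Safeguard("17.1", "Designate Personnel to Manage Incident Handling", 1, "Respond"),
    Safeguard("8.11", "Conduct Audit Log Reviews", 2, "Detect"),
    Safeguard("17.4", "Establish and Maintain an Incident Response Process", 2, "Respond"),
]


def _sid_key(sid):
    """Sort '11.1' after '2.1' numerically rather than lexically."""
    return tuple(int(part) for part in sid.split("."))


def in_scope(catalogue, ig=1):
    """Safeguards required at Implementation Group `ig` (IG2 includes IG1, IG3 includes both)."""
    return [s for s in catalogue if s.ig <= ig]


def coverage_by_function(catalogue, implemented, ig=1):
    """Return {Function: (implemented, required)} for safeguards in scope at `ig`."""
    done = set(implemented)
    totals = {f: [0, 0] for f in CSF_FUNCTIONS}
    for s in in_scope(catalogue, ig):
        totals[s.csf_function][1] += 1
        if s.sid in done:
            totals[s.csf_function][0] += 1
    return {f: tuple(v) for f, v in totals.items()}


def ig_completion(catalogue, implemented, ig=1):
    """Return (implemented, required) across the whole Implementation Group."""
    scope = in_scope(catalogue, ig)
    done = set(implemented)
    return sum(1 for s in scope if s.sid in done), len(scope)


def gaps(catalogue, implemented, ig=1):
    """Safeguard ids still required at `ig` but not yet implemented, in numeric order."""
    done = set(implemented)
    return sorted((s.sid for s in in_scope(catalogue, ig) if s.sid not in done), key=_sid_key)


def unmapped_functions(catalogue):
    """CSF Functions no catalogued safeguard supports; these need controls from elsewhere."""
    supported = {s.csf_function for s in catalogue}
    return [f for f in CSF_FUNCTIONS if f not in supported]


if __name__ == "__main__":
    # Constructed state: what a hypothetical organization has implemented so far.
    implemented = {"1.1", "2.1", "6.5", "8.2"}
    for fn, (have, need) in coverage_by_function(CATALOGUE, implemented, ig=1).items():
        print(f"{fn:<9} {have}/{need}")
    print("IG1 completion:", ig_completion(CATALOGUE, implemented, ig=1))
    print("IG1 gaps:", gaps(CATALOGUE, implemented, ig=1))
    print("Functions with no CIS coverage:", unmapped_functions(CATALOGUE))
```

The last report line is the useful caveat: in this sample nothing maps to Govern, which reflects the division of labour the article describes. CIS safeguards are operational, so the Govern outcomes (risk strategy, roles, policy) have to be evidenced by the program structure you build around CSF rather than by a CIS safeguard.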
Turn the framework into a finished checklist
Frameworks tell you what good looks like. Strondex checklists tell you exactly what to do in your own environment, control by control, the same essential-hygiene safeguards CIS IG1 and NIST CSF both call for, mapped to Microsoft 365, AWS, and Azure.
Frequently asked questions
Is NIST CSF or CIS Controls better?
They aren't competitors. NIST CSF is the strategic framework (what outcomes to reach); the CIS Controls are the prescriptive checklist (how to reach them). Use CSF for direction and CIS to do the work.
How many functions does NIST CSF 2.0 have?
Six: Govern, Identify, Protect, Detect, Respond, Recover. Govern was added in CSF 2.0 (February 2024); version 1.1 had five.
How many CIS Controls are there?
CIS Controls v8.1 has 18 Controls and 153 Safeguards, organized into Implementation Groups IG1, IG2, and IG3.
Do CIS Controls map to NIST CSF?
Yes. CIS publishes mappings so the safeguards you implement can be tied back to CSF outcomes. They're built to work together.
Sources
- NIST, Cybersecurity Framework (CSF 2.0): nist.gov/cyberframework
- Center for Internet Security, CIS Controls v8.1: cisecurity.org/controls/v8-1
This article is general educational content, not legal or compliance advice. Refer to the official NIST and CIS publications for authoritative detail.