The following table provides the mapping between the Microsoft cloud security benchmark (MCSB) v2 (preview) controls and CIS Controls v8.1. For the full security guidance, implementation details, and Azure-specific recommendations for each control, see the linked control domain articles.
For mappings to other frameworks (NIST SP 800-53 r5, PCI-DSS v4, NIST CSF v2.0, ISO 27001:2022, and SOC 2), see the individual control articles or the controls to Azure Policy mapping.
Network Security

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| NS-1 | Establish network segmentation boundaries | 12.1, 12.2, 12.6 |
| NS-2 | Secure cloud native services with network controls | 12.4, 12.7 |
| NS-3 | Deploy firewall at the edge of enterprise network | 9.2, 9.3, 13.1 |
| NS-4 | Deploy intrusion detection/intrusion prevention systems (IDS/IPS) | 13.2, 13.6, 13.7 |
| NS-5 | Deploy DDOS protection | 13.3 |
| NS-6 | Deploy web application firewall | 13.2, 13.9 |
| NS-7 | Manage network security centrally and effectively | 4.1, 4.2, 12.4, 13.6 |
| NS-8 | Detect and disable insecure services and protocols | 4.8, 9.3, 13.4 |
| NS-9 | Connect on-premises or cloud network privately | 12.8, 13.8 |
| NS-10 | Ensure Domain Name System (DNS) security | 8.5, 13.6, 13.8 |

Identity Management

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| IM-1 | Centralize identity and authentication while ensuring isolation | 6.7, 12.5, 16.1 |
| IM-2 | Protect identity and authentication systems | 5.4, 6.3, 6.5, 8.2 |
| IM-3 | Manage application identities securely and automatically | 6.7, 12.5, 16.1, 16.9 |
| IM-4 | Authenticate server and services | 3.10, 9.2, 13.3 |
| IM-5 | Use single sign-on (SSO) for application access | 6.3, 6.5, 12.5 |
| IM-6 | Use strong authentication controls | 6.3, 6.4, 6.5 |
| IM-7 | Restrict resource access based on conditions | 3.3, 6.4, 6.8, 13.5 |
| IM-8 | Restrict the exposure of credentials and secrets | 16.9, 16.10, 16.12 |

Privileged Access

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| PA-1 | Separate and limit highly privileged/administrative users | 5.4, 6.7, 6.8 |
| PA-2 | Avoid standing access for user accounts and permissions | 5.4, 6.8 |
| PA-3 | Manage lifecycle of identities and entitlements | 5.1, 5.2, 5.3, 6.1 |
| PA-4 | Review and reconcile user access regularly | 5.3, 5.4, 6.2 |
| PA-5 | Set up emergency access | 5.4, 6.5, 17.9 |
| PA-6 | Use privileged access solution | 4.1, 5.4, 6.3, 6.4 |
| PA-7 | Follow just enough administration (least privilege) principle | 3.3, 5.4, 6.1, 6.8 |
| PA-8 | Determine access process for cloud provider support | 5.4, 6.8, 8.2, 8.11 |

Data Protection

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| DP-1 | Discover, classify, and label sensitive data | 3.2, 3.7, 3.13 |
| DP-2 | Monitor anomalies and threats targeting sensitive data | 3.13 |
| DP-3 | Encrypt sensitive data in transit | 3.10 |
| DP-4 | Enable data at rest encryption by default | 3.11 |
| DP-5 | Use customer-managed key option in data at rest encryption when required | 3.11 |
| DP-6 | Use a secure key management process | N/A |
| DP-7 | Use a secure certificate management process | N/A |
| DP-8 | Ensure security of key and certificate repository | N/A |

Asset Management

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| AM-1 | Track asset inventory and their risks | 1.1, 1.2, 1.3, 1.4, 2.1 |
| AM-2 | Use only approved services | 2.3, 2.7, 4.1 |
| AM-3 | Ensure security of asset lifecycle management | 4.1, 4.2, 15.1, 15.2 |
| AM-4 | Limit access to asset management | 5.4, 6.1, 6.7, 6.8 |
| AM-5 | Use only approved applications in virtual machine | 2.3, 2.5, 2.6, 10.5 |

Logging and Threat Detection

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| LT-1 | Enable threat detection capabilities | 8.11, 13.1, 13.2 |
| LT-2 | Enable threat detection for identity and access management | 6.2, 8.5, 8.11 |
| LT-3 | Enable logging for security investigation | 8.2, 8.3, 8.5, 8.12 |
| LT-4 | Enable network logging for security investigation | 8.2, 8.5, 8.6, 8.11, 13.6 |
| LT-5 | Centralize security log management and analysis | 8.9, 8.11, 13.1, 13.3, 13.4, 17.1 |
| LT-6 | Configure log storage retention | 8.3, 8.10 |
| LT-7 | Use approved time synchronization sources | 8.4 |

Incident Response

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| IR-1 | Preparation - update incident response plan and handling process | 17.1, 17.2, 17.3 |
| IR-2 | Preparation - setup incident notification | 17.4, 17.5 |
| IR-3 | Detection and analysis - create incidents based on high-quality alerts | 8.11, 13.1, 13.2, 17.4 |
| IR-4 | Detection and analysis - investigate an incident | 8.2, 8.5, 8.11, 13.2, 17.4 |
| IR-5 | Detection and analysis - prioritize incidents | 1.1, 1.2, 17.4, 17.5 |
| IR-6 | Containment, eradication and recovery - automate the incident handling | 17.4, 17.6, 17.7 |
| IR-7 | Post-incident activity - conduct lessons learned and retain evidence | 8.3, 17.8, 17.9 |

Posture and Vulnerability Management

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| PV-1 | Define and establish secure configurations | 4.1, 4.2 |
| PV-2 | Audit and enforce secure configurations | 4.1, 4.2, 4.7 |
| PV-3 | Define and establish secure configurations for compute resources | 4.1, 4.8, 18.3 |
| PV-4 | Audit and enforce secure configurations for compute resources | 4.1, 4.2, 4.7, 18.5 |
| PV-5 | Perform vulnerability assessments | 7.1, 7.2, 7.5, 7.7 |
| PV-6 | Rapidly and automatically remediate vulnerabilities | 7.2, 7.3, 7.4, 7.5, 7.7 |
| PV-7 | Conduct regular red team operations | 15.1, 18.1, 18.2, 18.3, 18.5 |

Endpoint Security

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| ES-1 | Use Endpoint Detection and Response (EDR) | 8.5, 8.11, 13.2, 13.10 |
| ES-2 | Use modern anti-malware software | 10.1, 10.2, 10.5, 10.7 |
| ES-3 | Ensure anti-malware software and signatures are updated | 10.3, 7.2 |

Backup and Recovery

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| BR-1 | Ensure regular automated backups | 11.1, 11.2, 11.3 |
| BR-2 | Protect backup and recovery data | 11.3, 11.5, 3.11 |
| BR-3 | Monitor backups | 8.2, 8.11, 11.2 |
| BR-4 | Regularly test backup | 11.4, 11.5 |

DevOps Security

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| DS-1 | Conduct threat modeling | 14.2, 14.3 |
| DS-2 | Secure the software supply chain | 16.1, 16.2, 16.11 |
| DS-3 | Secure the DevOps infrastructure | 4.1, 4.7, 6.1, 6.5 |
| DS-4 | Integrate Static Application Security Testing (SAST) | 16.3, 16.6 |
| DS-5 | Integrate Dynamic Application Security Testing (DAST) | 16.7, 16.8 |
| DS-6 | Secure the workload lifecycle | 4.1, 7.3, 7.4 |
| DS-7 | Implement DevOps logging and monitoring | 8.2, 8.5, 8.11 |

Artificial Intelligence Security

| MCSB Control | Control Name | CIS Controls v8.1 |
|---|---|---|
| AI-1 | Ensure use of approved models | 16.7 |
| AI-2 | Implement multi-layered content filtering | 8.3, 13.2 |
| AI-3 | Adopt safety meta-prompts | 18.5 |
| AI-4 | Apply least privilege for agent functions | 5.4, 6.8 |
| AI-5 | Ensure human-in-the-loop | 6.7, 8.11 |
| AI-6 | Establish monitoring and detection | 8.5, 13.1 |
| AI-7 | Perform continuous AI Red Teaming | 15.1, 18.5 |
