CIS Critical Security Controls v8 · Controls 2 & 7

Inventory & continuous vulnerability management for the CIS Controls

Control 2 wants an inventory of your software assets; Control 7 wants continuous vulnerability management — a documented process, automated patching and regular scanning. IsItPatched delivers both from an SBOM — a component inventory, known and actively-exploited CVEs, risk ranking, the minimum safe version, end-of-life tracking and exportable evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for every Implementation Group

IG1 — essential hygiene

Small teams getting the basics right. Inventory your software and stay on top of the vulnerabilities that matter, free.

IG2 / IG3 — maturing programs

Add risk-ranked, known-exploited-first prioritisation and exportable evidence across a larger component estate.

Security teams & assessors

Hand a clean software inventory, risk-ranked vulnerabilities and a remediation record as Control 2 / 7 evidence.

CIS Controls → what IsItPatched gives you

Software asset inventory (Control 2)

Scan a CycloneDX/SPDX SBOM for a per-component inventory of third-party and open-source software.

Identify & rank vulnerabilities (7.5/7.6)

Each component's CVEs identified and ranked by actively-exploited (CISA KEV) and high-EPSS status.

Remediate & patch (7.3/7.4)

The minimum safe version and a critical-first queue support your patch-management process.

End-of-life & evidence

End-of-life tracking flags unsupported software; export a risk register and VEX as evidence.

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your Control 7 remediation record

Sign in (free, no password) to sync your component stack and generate these from your dashboard.

Straight with you: the CIS Controls span 18 areas — inventory, data protection, access control, logging, incident response and more. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the software-inventory (Control 2) and continuous-vulnerability-management (Control 7) safeguards specifically. It is not an assessment and not legal advice.

CIS Controls — frequently asked

What are the CIS Controls?

The CIS Critical Security Controls (v8.1) are a prioritised set of 18 safeguards published by the Center for Internet Security. Two map directly onto software vulnerabilities: Control 2 (Inventory and Control of Software Assets) and Control 7 (Continuous Vulnerability Management) — which calls for a documented process, automated patch management for operating systems and applications, and regular vulnerability scanning.

How does IsItPatched help with the CIS Controls?

It delivers Control 2 and Control 7 from an SBOM: inventory your third-party software components, identify and risk-rank their known and actively-exploited (CISA KEV) vulnerabilities, see the minimum safe version for remediation, track end-of-life, and export a risk register / VEX as evidence for your Implementation Group.

Does IsItPatched make us CIS-compliant?

No. The CIS Controls span 18 areas — inventory, data protection, access control, logging, incident response and more. IsItPatched helps with the software-inventory (Control 2) and continuous-vulnerability-management (Control 7) safeguards specifically. It is informational, built on public data — not an assessment and not legal advice.
