Everything you need to know about CIS Controls V8

Explore the comprehensive guide to CIS Controls V8. Get detailed analyses of the latest updates and all 18 controls for robust cybersecurity.


What Is the Center for Internet Security (CIS)?

Founded in 2000 in the USA, the Center for Internet Security (CIS) is a nonprofit organization that focuses on enhancing the cybersecurity posture of public and private sector entities.

CIS provides a wide range of resources and services aimed at helping organizations improve their cybersecurity measures. Here is a closer look at what CIS does (this list is not exhaustive):

CIS Controls:

CIS Controls are a set of best practices designed to help organizations prioritize their security efforts to defend against known cyber threats.

CIS Benchmarks:

CIS Benchmarks are globally recognized standards for securing IT systems and data against cyber threats. They offer guidance on configuring security options for a wide range of technologies, including operating systems, middleware, and software applications, to a secure state.

SecureSuite Membership:

The SecureSuite Membership offers organizations access to additional resources, including enhanced versions of the CIS Controls and CIS Benchmarks, as well as a community of cybersecurity professionals for collaboration and information sharing.

Certifications:

CIS offers a range of certification solutions, including the CIS Controls Self-Assessment Tool, which helps organizations assess their compliance with the CIS Controls, and the CIS Benchmarks Configuration Certification, which demonstrates that a product or service meets the standards set out in the CIS Benchmarks.

CIS aims to create a safe environment for online activities and protect organizations from cyber threats through collaboration and the provision of critical resources for improving cybersecurity defenses. It's a community-driven approach, wherein input and feedback from the global community are instrumental in the development of CIS resources.

What are CIS Controls V8?

CIS Controls Version 8 (V8) is the latest iteration of the set of security best practices developed by the Center for Internet Security to help organizations improve their cybersecurity posture. Released in May 2021, CIS Controls V8 is structured to align with modern security systems and environments, focusing on the changing tactics of cyber-attacks and the evolving work landscape, which now includes remote and hybrid work environments. By adopting CIS Controls V8, organizations can build a solid cybersecurity foundation, leveraging a business-centric approach to improve security resilience and preparedness in a rapidly evolving cyber landscape. It is an essential set of tools for organizations seeking to protect against cybersecurity threats while navigating the complexities of modern digital environments.

How is the CIS Controls V8 document structured?

Version 8 of the CIS Controls document contains 84 pages, structured in several parts:

  • Glossary
  • Acronyms and Abbreviations
  • Introduction: details the changes made in this latest version, presents the CIS Controls ecosystem, and explains the structure of the Controls and the Implementation Groups.
  • The list of the CIS Controls V8, each detailed as follows:
    • Overview: A brief description of the intent of the Control and its utility as a defensive action
    • Why is this Control critical: A description of the importance of this Control in blocking, mitigating, or identifying attacks, and an explanation of how attackers actively exploit the absence of this Control
    • Procedures and tools: A more technical description of the processes and technologies that enable implementation and automation of this Control
    • Safeguard descriptions: A table of the specific actions that enterprises should take to implement the Control
  • Appendix (with all the resources and references plus the Controls and Safeguards Index)

How many CIS Controls are there?

There are 18 Controls in CIS Controls V8.

What are the notable changes in CIS Controls V8?

Updated for Relevance in the Current Cyber Ecosystem

Last updated in 2018, the CIS Controls received a substantial overhaul in 2021 to keep pace with the rapidly evolving IT sector. This refresh, driven by the growth of cloud computing, the mainstreaming of virtual workspaces, and changing attacker strategies, aims to enhance the security posture of businesses. The modernized set of CIS Controls facilitates a secure transition to hybrid and cloud infrastructures, meeting the demands of today's mobile workforce.

Implementation Group

In the CIS Controls update from v7 to v8, we observe a change in the definition of Implementation Groups (IGs). Whereas v7 classified IGs primarily according to the size and cybersecurity capabilities of organizations, v8 takes a more nuanced approach, taking into account the specific context of each organization, including its regulatory requirements and risk appetite.

Implementation Groups in V7:

  • IG1: for small businesses and organizations with limited cybersecurity capabilities.
  • IG2: includes IG1 and is for medium-sized companies with moderate cybersecurity capabilities.
  • IG3: includes IG2 and is aimed at large enterprises with substantial and advanced cybersecurity capabilities.

Implementation Groups in V8:

  • IG1: for organizations that need to reduce the risk of compromise to their systems and data.
  • IG2: for organizations with the additional objective of preventing the spread of compromises and achieving greater cyber resilience.
  • IG3: for organizations that need to implement advanced cybersecurity practices to meet more stringent regulatory or partnership requirements.

Change of the name of the document

The document has been given different names across its versions, from SANS Critical Security Controls (SANS Top 20) to CIS Critical Security Controls, and is now called CIS Controls. In addition, what were previously called sub-controls are now called Safeguards, of which there are 154 in the new version.

Simplified and More Consistent

Each Safeguard prescribes a single, focused task (to the extent possible), specifies concrete steps, and defines measurable metrics.

Task-Based Focus Regardless of Who Executes Controls

In the update to version 8 of the CIS Controls, a significant shift has taken place, moving from a role-specific individual-centered approach to one focused on the activities themselves. Previously, security measures were structured around the distinct roles of employees, establishing clear boundaries in information access and control based on each person’s role.

This new approach abandons this strict regimen in favor of a more holistic and integrated view, where the emphasis is on securing processes and activities rather than the individuals performing them. This transition facilitates more fluid collaboration between different parts of an organization, promoting security that is dynamic and adaptable to ongoing changes in the technological landscape. In doing so, it recognizes a modernized working environment, where physical boundaries and rigid roles are increasingly irrelevant, emphasizing flexibility and resilience in cybersecurity strategies. This change has led to a modification in the number of Controls (from 20 to 18) and the regrouping of certain Controls:

Figure: CIS Controls V7 vs. CIS Controls V8

Leverages Other Best Practice Guidance

The updated CIS Controls are designed to seamlessly integrate and complement a wide range of existing security standards and recommendations. This facilitates easier compliance with various renowned industry regulatory and normative frameworks, such as ISO 27001, SOC2, HIPAA, MITRE ATT&CK, and NIST, to name just a few.

What are the 18 Controls in CIS Controls Version 8?

In version 8 of the CIS Controls, there are 18 Controls, as listed below:

Control 1: Inventory and Control of Enterprise Assets

CIS Controls overview: “Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.”

Number of Safeguards: 5

Control 2: Inventory and Control of Software Assets

CIS Controls overview: “Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”

Number of Safeguards: 7

Control 3: Data Protection

CIS Controls overview: “Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data”

Number of Safeguards: 14

Control 4: Secure Configuration of Enterprise Assets and Software

CIS Controls overview: “Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).”

Number of Safeguards: 12

Control 5: Account Management

CIS Controls overview: “Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software”

Number of Safeguards: 5

Control 6: Access Control Management

CIS Controls overview: “Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.”

Number of Safeguards: 8

Control 7: Continuous Vulnerability Management

CIS Controls overview: “Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.”

Number of Safeguards: 7

Control 8: Audit Log Management

CIS Controls overview: “Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.”

Number of Safeguards: 12

Control 9: Email and Web Browser Protections

CIS Controls overview: “Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.”

Number of Safeguards: 7

Control 10: Malware Defenses

CIS Controls overview: “Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.”

Number of Safeguards: 7

Control 11: Data Recovery

CIS Controls overview: “Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.”

Number of Safeguards: 5

Control 12: Network Infrastructure Management

CIS Controls overview: “Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.”

Number of Safeguards: 8

Control 13: Network Monitoring and Defense

CIS Controls overview: “Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.”

Number of Safeguards: 11

Control 14: Security Awareness and Skills Training

CIS Controls overview: “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”

Number of Safeguards: 9

Control 15: Service Provider Management

CIS Controls overview: “Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.”

Number of Safeguards: 7

Control 16: Application Software Security

CIS Controls overview: “Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.”

Number of Safeguards: 14

Control 17: Incident Response Management

CIS Controls overview: “Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.”

Number of Safeguards: 9

Control 18: Penetration Testing

CIS Controls overview: “Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.”

Number of Safeguards: 5
