New CIS Controls V7 released

The Center for Internet Security (CIS) has released its next revision (Version 7) of the top 20 Critical Security Controls. 

The CIS controls are a recommended set of cyber defense actions that provide detailed and actionable ways to thwart the most pervasive cyber attacks. The top 20 CIS controls includes a good list of highly effective defensive actions that can be used to help organizations prioritize the implementation of controls. 

A study of the previous release says that if organizations implemented just the first five CIS controls, 85% of cyber attacks could have been prevented. If organizations adopted all 20 controls, nearly 97% of attacks could have been prevented as well. 

CIS categories

In the latest version 7, CIS has broken up the list into three main categories: basic, foundational and organizational. CIS also updated the sub-control language to be more clear and precise. CIS outlined the categories below: 

  • “Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.
  • Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.
  • Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes involved in cybersecurity.”

Key Principles

CIS also provided 7 key principles used in enhancing the top 20 controls, to include: 

  1. “Address current attacks, emerging technology, and changing mission/business requirements for IT.”
  2. “Bring more focus to key topics like authentication, encryptions, and application whitelisting.”
  3. “Better align with other frameworks” (e.g., mapping to NIST Cybersecurity Framework).
  4. “Improve the consistency and simplify the wording of each sub-control” (i.e., added one “ask” per sub-control, to help make the CIS controls easier to measure, monitor and implement). 
  5. “Set the foundation for a rapidly growing ‘ecosystem’ of related products and services from both CIS and the marketplace” (e.g., make it easier to understand or import/integrate CIS controls into vendor products or services).
  6. “Make some structural changes in layout and format” (Make some structural changes in layout and format” (restructured CIS content to be more flexible, relevant and adaptive than before).
  7. “Reflect the feedback of a world-side community of volunteers, adopters, and supporters.”

Are the CIS Controls a replacement for the other frameworks?

According to CIS, the top 20 controls are not intended as a replacement of existing regulatory or compliance standards/requirements. However, the CIS controls can help map controls to other compliance frameworks (e.g., NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series) and regulations (e.g., PCI DSS, HIPAA, NERC CIP, and FISMA). The CIS Controls can be used as a starting point for action.

See the CIS summary of what’s changed in the latest version and also CIS Controls FAQs. The SANS Institute also offers a number of good security classes on implementing the CIS Controls. 

Leave a Reply

Your email address will not be published. Required fields are marked *