The Center for Internet Security (CIS) has released its next revision (Version 7) of the top 20 Critical Security Controls.
The CIS Controls are a prioritized set of cyber defense actions that describe specific, actionable ways to stop the most pervasive attacks. The list of 20 controls gives organizations a tested set of highly effective defensive actions and, because it is ordered, a way to prioritize which controls to implement first.
A study of the previous release found that implementing just the first five CIS Controls would have prevented about 85% of the attacks examined, and that adopting all 20 controls would have prevented nearly 97%.
In Version 7, CIS grouped the 20 controls into three categories: basic, foundational and organizational. CIS also rewrote the sub-control language to be clearer and more precise. CIS describes the three categories as follows:
- “Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.
- Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.
- Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes involved in cybersecurity.”
CIS also listed seven key principles that guided the update of the 20 controls, including:
- “Address current attacks, emerging technology, and changing mission/business requirements for IT.”
- “Bring more focus to key topics like authentication, encryption, and application whitelisting.”
- “Better align with other frameworks” (e.g., mapping to NIST Cybersecurity Framework).
- “Improve the consistency and simplify the wording of each sub-control” (i.e., each sub-control now states a single “ask,” which makes the CIS Controls easier to measure, monitor and implement).
- “Set the foundation for a rapidly growing ‘ecosystem’ of related products and services from both CIS and the marketplace” (e.g., make it easier to understand or import/integrate CIS controls into vendor products or services).
- “Make some structural changes in layout and format” (the CIS content was restructured to be more flexible, relevant and adaptive than before).
- “Reflect the feedback of a worldwide community of volunteers, adopters, and supporters.”
Are the CIS Controls a replacement for the other frameworks?
According to CIS, the 20 controls are not intended as a replacement for existing regulatory or compliance standards and requirements. Instead, CIS provides mappings from the Controls to other frameworks (e.g., the NIST Cybersecurity Framework, NIST SP 800-53, and the ISO 27000 series) and regulations (e.g., PCI DSS, HIPAA, NERC CIP, and FISMA), so that work done against the CIS Controls can be shown to satisfy requirements elsewhere. The CIS Controls are best used as a starting point for action.