[Updated June 9, 2023]
What are CIS Controls?
On May 18, 2021, the Center for Internet Security (CIS) launched version 8 of its controls at RSA Conference 2021. The CIS Controls (formerly known as Critical Security Controls) are a recommended set of prioritized cyber defense best practices. They provide specific and actionable ways to protect against today's most pervasive and dangerous attacks. SANS provides CIS Controls v8 training, research, and certification.
Here's a Glimpse at the Notable Changes to CIS Controls v8
Updated to Keep up with the Ever-Changing Cyber Ecosystem
With v8, CIS enhanced its Controls to address modern threats to systems and software. Increases in cloud-based computing, virtualization, mobility, outsourcing, work-from-home, and changes in attack tactics prompted the update. CIS Controls address security of enterprises as they increasingly move to cloud and hybrid environments and utilize mobile technology.
Implementation Groups
CIS Control Safeguards have been segmented into implementation groups (IGs), IG1, IG2, and IG3. IG1 defines basic cyber hygiene and is the minimum standard of enterprise information security. IG1 is a set of 56 Safeguards that every enterprise should implement to guard against the most common attacks. IG2 builds upon IG1, while IG3 is composed of all controls and Safeguards.
Consistent and Simplified
Each Safeguard provides a single, focused task (when possible), details measurable actions, and defines metrics. The Safeguards are written in plain English to avoid misinterpretation.
Task-Based Focus
A role-based controls focus is a thing of the past. Version 8 combines and consolidates the CIS Controls by activity, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; as reflected in version 8’s revised terminology and Safeguard groupings, resulting in reducing the number of Controls from 20 to 18.
We Simplified the Name to “CIS Controls”
Formerly called SANS Critical Security Controls (SANS Top 20), then “CIS Critical Security Controls,” the consolidated Controls are now officially called the “CIS Controls.” And while SANS transferred maintaining and improving the controls list to CIS in 2015, SANS continues to be a member of the CIS Controls editorial board.
Leverages Other Best Practice Guidance
The updated CIS Controls work in concert with and point to existing independent standards and security recommendations when available. CIS controls map to more than a dozen industry standard frameworks, including SOC2, HIPAA, MITRE ATT&CK, NIST, PCI DSS, and more. CIS provides a Controls Self Assessment Tool (CIS CSAT) to help organizations assess, track, and prioritize implementation of their CIS controls.
Version 8 is a Change to the Entire Controls Ecosystem
Whether you use the CIS Controls or another control framework to guide your security improvement program, it is critical to understand that a controls list is simply the starting point. With the release of version 8, CIS has also added new tools and guides to the CIS Controls ecosystem to help organizations:
- Implement, track, measure, and assess controls.
- Prioritize controls based on evolving threats.
- Justify investment in CIS Controls implementation.
- Implement CIS Controls best practices for mobile devices and applications.
- Apply CIS Controls best practices to cloud environments.
- Comply with multiple frameworks by providing a map of regulatory frameworks.
Version 8 of the CIS Controls provides backwards compatibility with previous versions and a migration path for users of prior versions to move to v8.
Training & Certification
The SANS Training and GIAC Certification focused on the CIS Controls, each has undergoing major updates to be in line with the new CIS Controls v8. Learn more about them here:
- SEC566: Implementing and Auditing Security Frameworks and Controls
- GCCC: GIAC Critical Controls Certification
Additional Resources
What's New with the CIS Controls v8?, Randy Marchany
Measuring Risk Using the Open, Collective Risk Model (CRM) , James Tarala, June 10, SANS webcast
