CIS Controls Version 8

The Center for Internet Security (CIS), in coordination with the SANS Institute and through a consortium of security experts and U.S. agencies such as the NSA, coordinated the CIS Controls Version 8 (formerly known as the “Critical Security Controls” or CSC) to provide a simplified, prioritized list of the controls that have the greatest impact on an organization’s risk posture against cyber threats.

Most of the controls are also mapped to the NIST 800-53 standard (which we’ll review later), and the CIS Controls are meant to complement existing standards already in place.

The complete list of the CIS Controls v8 follows:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software*
  5. Account Management
  6. Access Control Management*
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

Also, SANS has provided a nice comparison of what has changed between versions 7 and 8 of the CIS controls.

As marked with an asterisk (*) above, Secure Configuration of Enterprise Assets and Software (4) replaces two CIS version 7 controls (‘Secure Configuration’ and ‘Secure Configuration of Network Devices’), and Access Control Management (6) replaces the former CIS version 7 controls ‘Control of Admin Privileges’ and ‘Controlled Access Based on Need to Know.’
