CIS Critical Controls Version 8.1


The Center for Internet Security (CIS) has long been respected for its framework of critical security controls. Released in 2008, its purpose was to provide a prioritized set of security best practices to combat cyber threats. This first version was known as the SANS Critical Controls Top 20. Over the years, the Controls have been evaluated and updated to keep up with evolving cyber threats. A major update occurred with version 7.1, when implementation groups were introduced. This gave adopters a new way to prioritize the Controls. Known as IGs (IG1, IG2, IG3), the groups offer a more focused approach and make implementation easier for organizations. Following the strategies in IG1 is viewed as essential and basic cybersecurity.

In 2021, CIS offered a new version of the Controls. Version 8 cut the number of controls from 20 to 18 and introduced CIS Safeguards. The Safeguards in each Control outline the specific actions that need to be taken to protect the asset. Whereas the previous versions of the CIS Critical Controls focused on device defenses, Version 8 shifted the focus to more data-centric strategies.

CIS version 8.1 was adopted in June 2024. A Governance security function has been added. It is believed that effective governance is essential for organizations to truly achieve the goals of their cybersecurity practices. Other updates include realigned NIST CSF 2.0 security function mappings, an updated glossary with enhanced descriptions, and revised mapping for the CIS Safeguards.

Our Cybersecurity Team’s cybersecurity assessments are based on these controls, NIST guidelines and security best practices. Our members can request more information on the assessment by emailing security@more.net.
