CIS v8 is a set of cybersecurity standards from the Center for Internet Security. This framework is older and more prescriptive than NIST CSF. According to CIS, the CIS V8 controls are “mapped to and referenced by multiple legal, regulatory, and policy frameworks.”
The goal of the CIS framework is to help your organization identify and respond to cyber threats. There are 18 controls in CIS v8, compared to 20 that were in CIS v7. The 18 CIS v8 controls cover:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
Your organization has some leeway in how it applies these security controls within a flexible framework. There are three implementation groups (IG) outlined in CS (Cloud Security) V8. Each implementation group is based on an organizational risk profile and available resources to implement the CIS Controls.
Within each implementation group, there are a series of safeguards. These safeguards were previously called CIS sub-controls. There are 153 safeguards in v8.
CIS recommends every organization begin with implementation group 1, which it considers to be essential cyber hygiene. These practices can be used as a foundation for your cybersecurity program. From implementation group 1, your organization can then build on IG 2 and then IG 3 to mature your cybersecurity posture.