by meagancleary
The Center for Internet Security (CIS) Controls are a set of best practices and a prioritized set of actions designed to improve an organization’s cyber defense posture and prevent cyberattacks. They offer a concise, actionable framework for preventing, detecting, and responding to cyber threats.
Over the years, the CIS Controls have been updated to reflect the evolving cybersecurity landscape. The transition from CIS Controls Version 7 to Version 8 marked significant changes, both in structure and in focus, to better address modern cybersecurity challenges.
This post takes a deeper look at the differences between the two sets of controls as well as the reasons for the overhaul. It then provides a summary of the 18 CIS controls in use today.
Comparison of the CIS controls
Below is an overview of the key differences between Version 7 and Version 8 of the controls:
Reduced the number of controls
One of the most significant changes was a reduction in the number of controls used to evaluate a business’ security posture, which helps to simplify the overall security process.
- Version 7: Featured 20 controls, which were divided into Basic, Foundational, and Organizational categories.
- Version 8: Consolidated to 18 controls, with the aim of simplifying and focusing on key security practices that are relevant across a wide array of technologies and systems.
Aligned with modern distributed technologies
The cloud revolution has changed the way businesses manage their IT assets. In today’s cloud era, companies host the majority of their infrastructure and data offsite in a public cloud rather than in their own data centers. This significant shift in the way companies work has also brought security and compliance challenges that need to be addressed.
- Version 7: While comprehensive, it was more aligned with traditional on-premises IT environments.
- Version 8: Explicitly addresses security challenges in modern IT ecosystems, including cloud, mobile, and remote environments. This version’s controls recognize the shift towards a more decentralized approach to IT management and security.
Task-based security emphasis
This change reflects an activity-based approach rather than one based on who manages a given device.
- Version 7: Categorized controls into Basic, Foundational, and Organizational groups, which prioritized their implementation based on the type of control.
- Version 8: Moves away from this categorization. Instead, it organizes controls around specific activities and outcomes, making it easier for organizations to understand and implement them based on their specific security needs.
Appeals to smaller and medium-sized organizations
Simplifying the language and reducing the number of categories makes the controls easier to understand and, most importantly, easier for smaller organizations to implement.
- Version 8: Focuses on simplifying the language and reducing redundancy found in Version 7. This effort aimed to make the controls more accessible and easier to understand for a broader audience, including small and medium-sized organizations.
Alignment with other cybersecurity frameworks
Many companies today must meet several different compliance standards. The new CIS Controls map to more than a dozen industry standard frameworks, including SOC 2, HIPAA, MITRE ATT&CK, NIST, PCI DSS, and more:
- Version 8: Enhances alignment and maps with other cybersecurity frameworks and standards, such as NIST’s Cybersecurity Framework (CSF), to facilitate integration and compliance efforts for organizations that need to comply with multiple cybersecurity standards.
Risk management for third-party service providers
New to Version 8 is an emphasis on, and a strategy for, managing the third-party service providers your company relies on:
- Version 8: In a major overhaul, controls were added that specifically help organizations vet, manage, and monitor their third-party service providers to ensure they maintain the same level of cybersecurity standards as the organization itself.
Emphasis on data protection
- Version 8: Introduces a stronger emphasis on data protection throughout the controls, reflecting the growing importance of data privacy regulations and the need to secure sensitive information in various forms.
Adaptability and scalability
- Version 8: Designed to be more adaptable and scalable, accommodating a wider range of technologies and operational environments. This version aims to be applicable not only to large enterprises but also to smaller organizations with limited resources.
Prioritization and implementation guidance
- Version 8: Provides updated guidance on prioritizing and implementing controls based on the organization’s specific threat landscape, resources, and cybersecurity maturity level.
Summary of the 18 CIS Controls
The following controls are designed to be implemented in layers or stages, providing a defense-in-depth strategy. This layered approach helps businesses improve their security posture and protect their critical assets from cyberthreats.
Here’s a summary of each of the 18 CIS Controls that were defined in the latest version:
1. Inventory and control of enterprise assets
Identify, manage, and secure all hardware devices connected to the organization’s network to ensure only authorized devices have access.
2. Inventory and control of software assets
Maintain an inventory of software applications and ensure only authorized software is installed and can execute, aiming to prevent unauthorized software from being used.
3. Data protection
Protect sensitive information from unauthorized access and disclosure, including both data at rest and in transit.
4. Secure configuration of enterprise assets and software
Establish secure configurations for all hardware and software assets, and maintain the security of configurations against known vulnerabilities.
5. Account management
Manage the use of accounts, especially by implementing processes for account creation, use, and deletion, ensuring secure and minimal user privileges.
6. Access control management
Implement processes and tools to track, control, and prevent unauthorized access to enterprise assets and information.
7. Continuous vulnerability management
Continuously acquire, assess, and act on new information regarding vulnerabilities in enterprise assets and software to remediate vulnerabilities in a timely manner.
8. Audit log management
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
9. Email and web browser protections
Implement controls to minimize the attack surface through the use of web browsers and email systems, which are common vectors for attacks.
10. Malware defenses
Control the installation, spread, and execution of malicious code across enterprise assets, with an emphasis on preventing damage and data loss.
11. Data recovery
Ensure that critical information and system functionality can be rapidly restored after a cybersecurity incident.
12. Network infrastructure management
Establish and maintain network devices securely, minimizing the opportunity for attackers to exploit the network infrastructure itself.
13. Network monitoring and defense
Continuously monitor network traffic to identify and respond to threats promptly, preventing unauthorized access and data exfiltration.
14. Security awareness and skills training
Provide all workforce members with cybersecurity awareness training and specific training to recognize and prevent attacks.
15. Service provider management
Manage third-party risks and ensure that service providers adhere to the company’s cybersecurity requirements.
16. Application software security
Manage the security life cycle of software applications, from development to deployment, including third-party applications.
17. Incident response and management
Establish and maintain an incident response infrastructure to discover, analyze, and mitigate cybersecurity incidents.
18. Penetration testing
Test the effectiveness of existing security controls using simulated attacks on systems, networks, and applications to identify vulnerabilities.
Version 8 of the CIS Controls reflects a strategic shift towards a more inclusive, adaptable, and modernized approach to cybersecurity, recognizing the evolving nature of technology and the diversification of threats. It aims to provide a more straightforward, actionable set of controls that organizations of all sizes can implement to enhance their cybersecurity posture effectively.
Horn IT can help you get secure and compliant
With Horn IT, you’re choosing a partner dedicated to driving your business forward. From advanced cybersecurity defense to strategic guidance, rapid support, and cost-effective solutions, our comprehensive approach empowers your success.
The Horn IT team is your team of cybersecurity experts. We can conduct Rapid Security Assessments, and implement all necessary security and compliance remediation measures.
Contact us today to explore how Horn IT can elevate your business.