CIS Controls

What are the CIS Critical Security Controls

The CIS Critical Security Controls (CIS Controls) are a set of internationally recognised guidelines designed to help organisations improve their cybersecurity posture. The CIS Controls cover 20 critical areas of focus, including inventory and control of hardware and software assets, continuous vulnerability management, and secure configuration of network devices. By implementing the CIS Controls, organisations can enhance their cybersecurity resilience and protect against a wide range of cyber threats. These controls are widely used in various industries and can be adapted to suit the specific needs of an organisation.

Using CIS cybersecurity controls within your organisation

Embracing CIS cybersecurity controls within your organisation offers a multitude of invaluable benefits that bolster your overall cybersecurity resilience. These controls, meticulously curated by cybersecurity experts, provide a comprehensive and adaptable framework designed to address the ever-evolving threat landscape. By integrating the CIS Controls, you establish a robust line of defence, helping to mitigate vulnerabilities, safeguard critical data, and protect against a wide array of cyber threats.

A structured approach to cyber security

The structured approach of CIS controls aids in streamlining security measures, ensuring consistent and effective protection across various operational facets. Moreover, the implementation of these controls fosters enhanced visibility into your cybersecurity posture, enabling proactive threat detection and rapid response. Ultimately, embracing CIS cybersecurity controls empowers your organisation to stay ahead of adversaries, build stakeholder trust, and maintain the integrity of your digital assets.

The CIS Controls are divided into three main categories: Basic, Foundational, and Organisational. Each control within these categories plays a crucial role in enhancing your organisation’s cybersecurity posture by addressing specific aspects of risk management, threat detection, incident response, and overall resilience. These controls offer a structured and adaptable approach, allowing you to prioritise and implement measures that align with your organisation’s unique operational environment and risk profile.

Basic CIS security controls

Basic CIS security controls are the essential first steps to improving cybersecurity, forming a foundational framework that addresses fundamental vulnerabilities, enhances threat detection capabilities, and establishes a solid groundwork for a more comprehensive and resilient defence strategy.

Foundational CIS security controls

Foundational CIS security controls are considered the best practices for establishing a strong cybersecurity foundation, and serve as the cornerstone of a robust cybersecurity strategy, encompassing a set of vital measures designed to fortify an organisation’s digital infrastructure. By implementing these foundational controls, organisations establish a resilient baseline of protection, mitigating common threats and minimising potential avenues of exploitation.

Organisational CIS security controls

The Organisational controls help organisations to manage and sustain their cybersecurity program effectively by providing guidance and strategies that facilitate governance, risk management, continuous improvement, and a proactive culture of security awareness. These controls empower organisations to align cybersecurity efforts with business objectives, establish clear roles and responsibilities, develop incident response plans, and regularly assess and adapt security measures in response to evolving threats.

Examples of some key CIS security controls include:

Control 1: Inventory and Control of Hardware Assets

Ensuring that all hardware is authorised and tracked to prevent unauthorised devices from being added to the network.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Ensuring that all logs are collected and monitored regularly to detect any suspicious activity.

Control 11: Secure Configuration for Network Devices

Such as Firewalls, Routers, and Switches – ensuring that all network devices are securely configured to prevent unauthorised access.

Control 17: Implement a Security Awareness and Training Program

Ensuring that all employees receive regular security training to reduce the risk of human error and prevent social engineering attacks.

How to implement CIS Controls

Implementing the CIS Controls is a strategic process that involves a systematic approach to fortifying your organisation’s cybersecurity posture. Begin by conducting a thorough assessment of your existing security measures and identifying potential vulnerabilities specific to your operational environment. Prioritise the CIS Controls based on your risk profile and available resources. Next, collaborate with a team of cybersecurity experts to tailor these controls to your organisation’s needs, ensuring seamless integration and minimal disruption to daily operations. With their assistance you can develop a comprehensive implementation plan that outlines responsibilities, monitoring mechanisms and regular reviews.

Get help with your organisation's CIS Controls

If you’re looking for support with your CIS security controls, contact our team today. We can provide expert assistance in implementing and optimising your organisation’s CIS Controls to enhance cybersecurity readiness and resilience.

Protecting over 350 businesses for 20 years

What are the latest CIS Controls v8

The Center for Internet Security (CIS) periodically updates its security controls to reflect the evolving threat landscape and emerging technologies. The latest version is the CIS Controls v8, released in March 2021. The CIS Controls v8 comprises 18 high-level security controls that are mapped to specific security activities. Implementing the CIS Controls v8 can help organisations to improve their cyber security posture and reduce their risk of cyber threats. Organisations can also use the CIS Controls as a benchmark to measure their security maturity and identify areas for improvement.

What was changed in CIS controls version 8 release

CIS Controls version 8 is the latest release of the CIS Controls framework. The new version includes several updates and enhancements to the previous version, which was released in 2018. One significant change in version 8 is the reorganisation of the controls into three implementation groups based on risk and maturity level. The new implementation groups aim to provide organisations with more flexibility in implementing the controls based on their specific needs and risk levels.

Streamlining of CIS framework controls

Another major change is the reduction of controls, bringing the total to 18. Since complexity often obstructs security, the new controls aim to streamline focus on areas such as cloud security, supply chain risk management, and incident response. Additionally, version 8 includes updated guidance on implementing the controls and aligning them with other security frameworks such as NIST and ISO 27001. Overall, CIS Controls version 8 provides organisations with a more comprehensive and adaptable framework for improving their security posture.

Change from CIS Critical Security Controls to ‘CIS Controls’

The transition from ‘CIS Critical Security Controls’ to the simplified nomenclature of ‘CIS Controls’ signifies a strategic evolution in the approach to cybersecurity. This name change reflects a broader recognition of the controls’ comprehensive nature, emphasising their role as a holistic framework encompassing both fundamental and advanced security measures. The term ‘CIS Controls’ captures the essence of a multifaceted strategy designed to mitigate risks, detect threats, and respond effectively to an ever-changing cyber landscape. This transition not only streamlines communication but also underscores the significance of these controls in establishing a robust defence posture for organisations.

Using the CIS Critical Security Controls for effective cyber security

Implementing CIS Critical Security Controls can be an effective way for organisations to enhance their cyber security posture. CIS Controls are a set of guidelines that outline a prioritised approach to securing computer systems and networks. By following these controls, organisations can reduce the risk of cyber attacks and data breaches.

CIS controls implementation involves a step-by-step approach to addressing the most critical security risks facing an organisation. These controls are regularly updated to reflect changes in the threat landscape and to incorporate new technologies. The latest version of CIS Controls, version 8, includes enhancements such as expanded coverage of cloud environments and updates to address emerging threats.

CIS controls implementation

To effectively implement CIS cyber security controls, organisations should start by performing a thorough risk assessment to identify their most significant security risks. Once identified, controls should be prioritised based on the risk they mitigate and implemented accordingly. It is also crucial to ensure that controls are continually monitored and updated to ensure ongoing effectiveness.

By implementing CIS Critical Security Controls, organisations can better protect their assets, including sensitive data and intellectual property, from cyber threats. This can help to safeguard their reputation, reduce the risk of financial losses due to data breaches or cyber attacks, and comply with industry regulations and standards.

SPEAK TO AN EXPERT

Official partners and certified by trusted organisations

CIS controls explained

In the realm of cybersecurity, our toolkit brims with an assortment of security tools, technologies, training, certifications, standards, and practices. This array, supplemented by vulnerability databases, security controls, benchmarks, and recommendations, equips us to navigate a complex landscape. To comprehend evolving threats, we’ve welcomed innovations like security ratings, third-party assessments, data leak detection, and the NIST Cybersecurity Framework. Amid this, we’re surrounded by regulatory obligations like GDPR, LGPD, CCPA, FISMA, CPS 234, GLBA, PCI DSS, and PIPEDA, necessitating robust third-party risk management, vendor oversight, and sound risk assessment methodologies.

Despite this wealth of resources, the sheer volume of technology, information, and oversight introduces a multitude of options, priorities, and opinions, potentially diverting attention from the ultimate goal: fortifying defences and minimising vulnerabilities. As businesses grow, dependencies expand, threats mutate, and consumer expectations escalate, the significance of robust cybersecurity amplifies.

In this landscape, the CIS Controls emerge as a guiding compass, offering insights into critical risk management areas, optimal defensive strategies, risk program maturity tracking, attack analysis, tool selection, and alignment with regulatory frameworks. With the CIS Controls, we navigate these complexities, channeling our efforts towards closing attack vectors and reducing vulnerabilities, safeguarding our digital landscapes in an ever-evolving ecosystem.

Leveraging CIS framework controls

Leveraging CIS framework controls empowers organisations with a structured approach to fortifying their cybersecurity defences. These controls offer a systematic blueprint for addressing a spectrum of cyber risks, from basic security measures to more advanced strategies. By implementing CIS Framework Controls, organisations establish a comprehensive framework that not only identifies vulnerabilities but also guides the adoption of effective countermeasures.

This proactive stance allows businesses to detect threats early, respond swiftly, and maintain the integrity of their digital operations. With CIS framework controls as a guiding force, organisations can confidently navigate the intricate cybersecurity landscape, adapting and evolving their defence strategies to stay ahead of emerging threats and ensure a resilient digital environment.