Recently, the Center for Internet Security (CIS) released Version 7 of its CIS Controls. CIS V7 represents the newest iteration of its 20 critical security recommendations for all organizations.
These requirements are typically viewed as industry best practices due to the reputation and credibility of CIS, and they serve as an excellent baseline for any security program. Here’s what you need to know about CIS V7, and how it applies to your organization.
What is CIS V7?
Collectively, the 20 high-level controls in CIS V7 are organized into fundamental, actionable recommendations that are easy to prioritize. They serve as a basic framework that can be used in any cybersecurity program. According to CIS,
“Version 7 of the CIS Controls was developed over the last year to align with the latest cyber threat data and reflect today’s current threat environment. We recognize that the cybersecurity world is constantly shifting and reacting to new threats and vulnerabilities, which often results in chaos and confusion about which steps to take to harden systems and data. To cut through the confusion, we collaborated on CIS Controls V7 with a global community of cybersecurity experts – leaders in academia, industry, and government – to secure input from volunteers at every level. Our public call for comment on Version 7 from January 24 – February 7, 2018, included feedback from a community of over 300 individuals dedicated to improving cybersecurity for all. The CIS Controls best practices are developed using a consensus approach involving discussion groups, forums, and community feedback.”
Contrary to popular belief, CIS V7 is not an entirely new list of recommendations. This version maintains the same 20 controls companies around the world already rely on for security. The updates come in the form of ordering and overhauled sub-controls, which have been altered for enhanced precision. CIS V7 divides controls into three categories: organizational, foundational, and basic, as you can see below in the CIS graphic:
The Key Principles of CIS V7
The CIS team developed V7 by focusing on seven guiding principles, which help ensure comprehensive security. They are as follows:
Address current attacks. This principle requires organizations to focus on emerging technology and to address any shifting mission or business requirements that relate to IT. It is one of the principles that informed the re-ordering of the controls, and it grew out of an effort to account for both new cybersecurity tools and changes in the threat landscape.
Focus on critical topics, including authentication. Key topics include encryption and whitelisting of applications. CIS V7 provides comprehensive guidance for each of these important security topics.
Align with other frameworks. Mapping to the NIST Cybersecurity Framework makes it easier for teams that must satisfy several frameworks at once to manage their controls consistently.
Improve the consistency and wording of sub-controls. CIS V7 recommends limiting wording to one “ask” per sub-control. This makes it easier for users to adhere to the system and ensures CIS Controls are simple to measure, monitor, and implement.
Set the foundation. The controls are meant to serve as the foundation for related products and services, both from the marketplace and from CIS itself. CIS has gained experience with vendors and adopters since it released Version 6, and in V7 it seeks to streamline the decision-making that builds on the controls.
Make structural changes in layout and format. To help controls remain adaptive and relevant, CIS has built in more flexibility.
Reflect feedback. According to CIS, “We are only as strong as the amazing volunteers that support us, and we hope to continue to provide a means of gathering and harnessing the global cybersecurity community for the benefit of everyone.”
The new version of the CIS Controls doesn't have to be a pain. In fact, it's considered a preferred program due to the simplicity of the 20 controls. With each new version, the CIS Controls remain a valuable cybersecurity resource for organizations that want to limit risk and focus on more robust cybersecurity. To learn more about CIS V7, download our compliance guide.
Need Help Organizing your CIS V7 Program?
Apptega provides software that can help you build, manage and report on your cybersecurity program based on CIS V7 or 12+ other standards. Apptega helps simplify the complexity of CIS V7, eliminate spreadsheets, and document and report on your organization’s change and configuration management as part of its overall plan. Plus, with Apptega's Harmony you can see how your CIS V7 controls overlap with other frameworks you are required to follow, such as ISO 27001, SOC 2, PCI, NIST, HIPAA, GDPR, CCPA and more.
Contact us today to set up your free trial environment.