The “CIS 8” is a cybersecurity framework that is especially suitable for many Small and Medium Enterprises. The framework has its origins in the original “SANS Top 20” and “CIS Top 20”, which was reduced to the “CIS Top 18” in 2021 and is now maintained exclusively by the Center for Internet Security (CIS). The CIS Top 18 is an actively managed framework, and the CIS 8 is the subset consisting of its first 8 controls: a set of best practices designed to help organizations implement and monitor their basic cybersecurity defenses.
One may wonder what the value is of implementing only 8 out of a list of 18 controls against cyber threats. The answer is that some organizations do not have the organizational structure, knowledge, or resources to implement the full set of 18 controls immediately. Digital threats are evolving rapidly, and businesses need a systematic way to implement a protective framework properly. Among the many frameworks that exist, the CIS 8 has proven to be a good and valuable basis for those seeking both efficiency and comprehensiveness in protecting themselves against cyber-attacks.
Implementing the CIS 8 gives an organization a solid foundation for cybersecurity and addresses a significant number of common vulnerabilities and threats. By mastering the first 8 controls, an organization can therefore prevent a large majority of cyber-attacks. The list of controls, each with a description and an example, is shown in the table below.
| Control | Description | Example |
|---|---|---|
| CIS Control 1: Inventory and Control of Enterprise Assets | Maintain an updated inventory of all enterprise computer assets, ensuring that only authorized devices access the organization’s environment. | Use an asset management tool to automatically detect and catalog all devices that connect to the network, and monitor that all software versions and patches are up to date. Unrecognized devices and/or outdated assets are flagged for review. |
| CIS Control 2: Inventory and Control of Software Assets | Maintain an updated inventory of all software assets, ensuring that only authorized software runs within the organization’s environment. | Implement a software whitelist to permit only approved applications to run. Any attempt to execute unauthorized software is blocked or generates an alert. |
| CIS Control 3: Data Protection | Ensure that sensitive data is identified and protected throughout its lifecycle, including during storage, transit, processing and destruction. | Limit storage of data containing PII to specified storage areas with appropriate access controls and data encryption. Also, encrypt customer payment data both when it is stored in databases and when it is transmitted over the internet. |
| CIS Control 4: Secure Configuration of Enterprise Assets and Software | Establish and enforce security configuration standards for all assets and software to reduce vulnerabilities. | Use a configuration management tool to ensure that all server operating systems are deployed with a standardized, secure configuration, and that any deviations are reported and remediated. |
| CIS Control 5: Account Management | Ensure that user accounts, especially those with special access privileges, are managed securely and efficiently. | Implement an automated system to deactivate employee accounts once they leave the organization or move to a different role. |
| CIS Control 6: Access Control Management | Define and enforce what actions users and systems can perform on enterprise assets, based on the principle of least privilege. | Implement role-based access controls where employees in the finance department have access to financial data but not to human resources data. |
| CIS Control 7: Continuous Vulnerability Management | Continuously acquire, assess, and act on new vulnerability information to avoid exploitable weaknesses. | Schedule regular vulnerability scans on the network and patch outdated software versions that are susceptible to known vulnerabilities. Monitor that all findings are remediated in a timely manner. |
| CIS Control 8: Audit Log Management | Collect, manage, and analyze audit logs of events that could impact the organization’s security, to ensure timely detection and response. | Use a Security Information and Event Management (SIEM) solution to aggregate and correlate logs from various sources, setting up alerts for suspicious activities such as multiple failed login attempts. |
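To make the Control 8 example concrete, the following is an added illustration (not part of the original article or of any CIS material) of the kind of correlation rule a SIEM applies: it parses constructed sshd-style log lines and raises an alert when one source address produces a threshold number of failed logins inside a sliding time window. The log format, the threshold of 5 failures and the one-minute window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like sshd format (not from a real system).
SAMPLE_LOGS = """\
2024-05-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T09:00:04 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-05-01T09:00:09 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-01T09:00:15 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-01T09:00:20 sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T09:03:00 sshd[1202]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-05-01T09:05:30 sshd[1203]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
2024-05-01T09:30:00 sshd[1204]: Failed password for bob from 192.0.2.11 port 40003 ssh2
2024-05-01T09:45:00 sshd[1205]: Failed password for bob from 192.0.2.11 port 40004 ssh2
"""

# Assumed line layout: ISO timestamp, sshd[pid], result, optional "invalid user", user, source IP, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text):
    """Turn raw log lines into (timestamp, result, user, src) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source IP when it produces >= threshold failures inside a sliding window."""
    failures = defaultdict(list)  # src -> timestamps of recent failures, in time order
    alerts = []
    alerted = set()
    for ts, result, _user, src in sorted(events):
        if result != "Failed":
            continue  # successful logins do not count towards the threshold
        bucket = failures[src]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:  # expire failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(bucket), "first": bucket[0], "last": ts})
    return alerts
```

On the sample above only 203.0.113.7 trips the rule (5 failures in 19 seconds); bob's two failures at 192.0.2.11 are 15 minutes apart and stay below the threshold, which is the distinction a window-based rule is meant to draw.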
There is no official certification audit for the CIS framework as there is, for example, for the SOC2 framework. SOC2 is often regarded as the gold standard when it comes to audited frameworks. Composed of exhaustive specifications and detailed requirements, SOC2 offers businesses a robust roadmap for ensuring the security, availability, processing integrity, confidentiality, and privacy of customer data. However, its intricacy can be daunting for many organizations, particularly small and medium enterprises that may not possess the vast resources required for full SOC2 compliance.
The takeaway
Although CIS 8 has its merits on the strength of its 8 controls alone, it can also, possibly followed first by a step-up to the CIS Top 18, play a role for organizations that have the ambition to implement the SOC2 framework over time. Whether adopted as a long-term cybersecurity framework or as a stepping stone towards a more comprehensive one, CIS 8 can be an excellent choice for those who wish to be guided in, and to be able to demonstrate, their organized implementation of controls against cyber threats.
Niko Kluyver