The CIS Controls v8 (Center for Internet Security Controls) play a crucial role in strengthening the cybersecurity posture of businesses and organizations. In an era where cyberattacks and data breaches are increasingly common, the CIS Controls systematically organize security measures and provide clear guidance on the critical actions organizations must take to protect themselves. This article focuses on the key updates in CIS Controls v8, providing an overview of its framework, the reasons behind the revisions, and an explanation of each of its 18 controls.
What Are CIS Controls?
Overview of CIS Controls
CIS Controls is a framework that offers best practices for managing cybersecurity risks and defending organizations against attacks. Designed to enhance an organization’s defensive capabilities, it identifies threats and vulnerabilities and provides prioritized recommendations for addressing them. By implementing these controls, organizations can protect themselves against cyberattacks while ensuring business continuity. As cyber threats grow more diverse and sophisticated, the importance of CIS Controls continues to rise.
Understanding IGs (Implementation Groups) as a Measure of Priority
The CIS Controls go beyond simply listing security measures by incorporating "Implementation Groups" (IGs) as a framework to guide organizations in implementing controls in a prioritized order that suits their needs. These IGs are designed to align with an organization's security maturity level and are categorized into IG1, IG2, and IG3.
- IG1: The most fundamental measures, aimed at establishing basic security. These are the essential steps that organizations with minimal existing security should prioritize first.
- IG2: Designed for organizations with moderate maturity, focusing on enhancing their overall security posture.
- IG3: Advanced measures for organizations that have already reached a high level of security maturity.
This structure enables organizations to implement security controls in a logical, step-by-step manner based on their current maturity level, allowing for the gradual strengthening of their security defenses.
Key Changes from CIS Controls v7 to v8
Background and Purpose of the Revision
The update from CIS Controls v7 to v8 was made to address the evolving cybersecurity landscape. With the widespread adoption of remote work and increased reliance on cloud services, the cybersecurity environment is continually changing. These changes have introduced new risks that traditional measures cannot fully mitigate. To tackle these challenges, CIS introduced several significant changes in v8.
Key Revision Highlights
Reorganization of Safeguards
The safeguards, previously divided into 20 items in v7, have been streamlined into 18 items in v8. This restructuring prioritizes systematic and practical implementation based on the importance and difficulty of each measure. For instance, administrator privilege and user account management have been consolidated, enhancing the effectiveness of access control measures. This reorganization improves the consistency of the safeguards and simplifies the management of complex security processes.
Introduction of Service Provider Management
As the security of cloud services and outsourced providers becomes increasingly critical, v8 introduces a new safeguard: 15. Service Provider Management. This safeguard focuses on monitoring and ensuring that external service providers meet security standards, addressing an area of growing importance in today’s interconnected IT ecosystems.
New Safeguards for Data Protection
Recognizing the risks of data breaches and theft, v8 adds new safeguards related to data protection. These updates require organizations to strengthen measures to protect sensitive information and prevent data leakage, ensuring compliance with evolving data security expectations.
Overview of the 18 CIS Controls v8 Measures
CIS Controls v8 provides 18 essential measures to strengthen an organization's security posture. Below is a brief explanation of each control:
1. Inventory and Management of Organizational Information Assets
Identify and maintain an up-to-date inventory of devices connected to the network to prevent oversight and security risks, thereby reducing the potential for unauthorized access.
2. Inventory and Management of Software Assets
Track installed software and remove unnecessary or vulnerable applications to mitigate risks effectively.
3. Data Protection
Identify critical data and implement encryption and access controls to prevent data breaches.
4. Secure Configuration of Information Assets and Software
Apply standardized security settings and eliminate inadequate default configurations to thwart potential attacks.
5. Account Management
Monitor account usage and enforce multi-factor authentication (MFA) to prevent unauthorized access.
6. Access Control Management
Limit user and system access rights to the minimum necessary, safeguarding resources against unauthorized access.
7. Continuous Vulnerability Management
Conduct regular vulnerability scans and apply patches to keep systems current and minimize attack risks.
8. Audit Log Management
Collect and retain appropriate audit logs to prepare for security incidents and investigations.
9. Email and Web Browser Protections
Configure secure settings to minimize risks from phishing attacks and malware distribution.
10. Malware Defense
Use antivirus and Endpoint Detection and Response (EDR) solutions to prevent malware infections.
11. Data Recovery
Establish regular backups and rapid recovery processes to mitigate data loss and enhance resilience against ransomware.
12. Network Infrastructure Management
Monitor network traffic for suspicious activity and respond promptly to potential threats.
13. Network Monitoring and Defense
Continuously monitor security events in real time to detect and address attacks early.
14. Security Awareness and Skill Training
Provide regular security training to employees to reduce human error and internal threats.
15. Service Provider Management
Monitor and manage the security standards of third-party cloud services and vendors.
16. Application Software Security
Ensure secure development and operation of applications to minimize vulnerabilities.
17. Supply Chain Management
Strengthen security across the supply chain to mitigate the impact of third-party vulnerabilities on your organization.
18. Preparation for Cyberattack Response
Develop and maintain effective response measures to ensure business continuity during cyberattacks.
Key Takeaways
CIS Controls v8 is a framework that has undergone significant updates to address the challenges of modern cybersecurity. It places a stronger emphasis on mitigating newer risks, such as those associated with cloud environments, supply chain security, and data protection. By adopting this framework and implementing its security measures in a phased approach guided by the Implementation Groups, organizations can establish a more robust security posture.