You are here

Client Alert: CIS Releases Critical Security Controls Version 7

In March 2018, the Center for Internet Security (CIS) released Version 7 of their Critical Security Controls (CSCs), formerly known as the SANS Top 20. This version was updated to reflect the changes in the cybersecurity attack landscape. This updated version also includes several new sub-controls within each of the twenty control areas, as well as an update to the prioritization of existing controls. If you are not familiar with the CIS CSCs, this control framework was developed by a team representing many public and private organizations. To ensure the framework was as practical as possible, any proposed control was required to show a real-world attack that the control would mitigate.

The CIS CSCs are commonly used for developing metrics to report to senior management and the Board. Version 7 includes an update to the Measures and Metrics document that is focused on simplifying this measurement and reporting process. There is now one measurement for every sub-control. These measurements work on a six point scale, providing an easy way to visualize control implementation and performance. If you are looking to increase the value in periodic security reporting, we strongly recommend you take a look at these CIS Measures and Metrics for guidance.

Additional Resources:
CIS Controls Download
CIS Controls Measures and Metrics for Version 7

For more information on this topic, contact Sean D. Goodwin, CCSP, CISA, CISSP, GCIH, GSEC, PCIP, QSA, IT Assurance Senior Consultant, at 617-261-8139 or