CIS Critical Security Controls v8 vs CIS 20 Controls – 2021

Share on facebook
Share on twitter
Share on linkedin
Share on email
cis critical security controls

With the changing tech landscape, v8 of CIS critical security controls presents a more consolidated approach that replaced CIS Top 20 released a while ago.

What do CIS controls stand for?

CIS controls stand for Center for Internet Security Controls (previously known as the SANS Top 20 Critical Security Controls) is the best practices guidelines to combat cyber criminals malicious actions and attack vectors wandering inside the Internet sphere. Initially, it was designed by the global cyber defenders, leaders and experts of the security industry. They are based on real-world scenarios for effective risk management and get updated regularly with the attack trends, critical security vulnerabilities and human errors.

Center for Internet Security

Center for Internet Security

The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. CIS is a non-profit organisation that develops cyber defense hygiene and best practices to make cybersphere secure and resilient.

The CIS critical security controls do not ensure immunity to cyber attacks, but it considerably affects the security controls through standard tuning of measures and cyber protection layers. CIS controls are not the necessary standard to follow, nor it competes with anyone; it is an effort to create a safe cyber realm against the security weaknesses of every business.

On May 18, 2021, the CIS has launched the new version of CIS control named- CIS v8 at the global RSA conference. Implementing CIS critical security controls into the business and IT strategy can significantly impact organisational growth as well as helps to protect from common yet most occurring cyber attacks, boosting cyber defense.

What are the CIS top 20 controls?

The outdated version v7 of Center for Internet Security (CIS) controls addressed the 20 controls with detailed account to the organisation to implement them for the robust and solid cyber defense of their assets and enterprises.

CIS 20 Controls

Version 7.1 was released April 4, 2019, that included the following CIS 20 controls:

CIS top 20 Critical Security Controls

Control 1: Inventory and Control of Hardware Assets

Control 2: Inventory and Control of Software Assets

Control 3: Continuous Vulnerability Management

Control 4: Controlled Use of Administrative Privileges

Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Control 7: Email and Web Browser Protections

Control 8: Malware Defenses

Control 9: Limitation and Control of Network Ports, Protocols, and Services

Control 10: Data Recovery Capabilities

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Control 12: Boundary Defense

Control 13: Data Protection

Control 14: Controlled Access Based on the Need to Know

Control 15: Wireless Access Control

Control 16: Account Monitoring and Control

Control 17: Implement a Security Awareness and Training Program

Control 18: Application Software Security

Control 19: Incident Response and Management

Control 20: Penetration Tests and Red Team Exercises

What are the latest CIS v8 controls?

CIS controls v8 strengthen the list by activities rather than classifying by who manages the devices. Physical boundaries, devices and discrete islands of security implementation are of lesser importance with the changing tech landscape. These elements have been reflected in the version 8 release.

CSC 1: Inventory and Control of Enterprise Assets

What is it?

The very first CIS critical security control requires the appropriate management and inventory of all assets associated with the enterprise. This includes end-user hardware devices, network appliances, IoT devices, servers, systems, portable devices, etc. connected to the infrastructure either physically, virtually or remotely as well as those present in the cloud environment. 

Attackers are always geared up to break into the organisation’s network and assets to create cyber damage. The accurate inventory is required to keep track of all assets records and issues to monitor, protect, and prevent unauthorised access to enterprise assets or networks.

Why is it required?

Without updated inventory and constant monitoring, it is a massive challenge for an enterprise to track suspicious behaviour, access, and traffic coming to them. An inventory record is also necessary to look out for vulnerability and releasing patches updates.

What are the relevant areas, tools or procedures?

Assets discovery tools

-Regular monitoring and audit

CSC 2: Inventory and Control of Software Asset

What is it?

Like the first CIS control, this control requires active management such as the operating systems and installed applications on the network, servers, systems, etc.

Why is it required?

For robust security, it is important to keep print and analyse the software asset to ensure no unauthorised software can be installed or executed on the enterprise network. Organisations need to trace software assets and have a mechanism that can prevent unauthorised software execution.

What are the relevant tools and procedures?

-Regular monitoring and audit

-SIEM solutions


CSC 3: Data Protection

What is it?

This control mandates the organisation to implement security measures to develop technical competencies to identify, classify, retain, dispose, and securely handle the data.

 Why is it important?

Data is the most integral and critical asset of any enterprise and needs to be protected at any cost. Leaked data can not only penalize the organisation but also plays a significant role in losing customer or users’ trust.

What are the relevant tools and procedures?

-United Kingdom GDPR compliance regulations

-Data tracking tools

CSC 4: Secure Configurations of enterprise assets and software

What is it?

The fourth CIS control addresses the enterprise assets and software that contribute to the infrastructure foundation such as network devices, hardware or software firewalls, routers, switches and other devices protection with secure configuration. It emphasises hardening the assets with relevant security computations.

Why is it important?

Often enterprises utilise the products in their environment with the default configuration that comes by the manufacturers. Open ports, default admin and account passwords are the elements that attract attackers to compromise the assets with little effort.

What are the relevant tools and procedures?

-Following security standards for secure configuration

CSC 5: Account Management

What is it?

With this control, organisations are expected to have policies to manage accounts. It includes keeping track of account activity, account creation, etc.

Why is it required?

Unmanaged and open accounts are like a green signal for cyber criminals to hack. The enterprises need to execute processes and tools to manage the authorisation of credentials. Besides this, they must assign the relevant access to users, services and administrative accounts.

What are relevant tools and procedures?

-Implement multi-factor authentication

-Deploy policy for account lifecycle

CSC 6: Access Control Management

What is it?

Apart from account management, this control emphasis having relevant measurements such as the least privilege rule on user access rights in order to maintain employees or user access as well as reduce the attack surface

Why is it required?

the enterprises must ensure the right technology and processes are in place to create, assign, manage and revoke access credentials for enterprise assets and software and privileges for a user, administrator and service accounts in order to keep track of how users are utilising their privileged access. Minimising the internal attack surface is necessary because you never know which user misuses the access rights. In addition, access controls limit the attacker’s access in case he gets successful in compromising any user account.

What are the relevant tools and procedures?

-Implement access control mechanisms such as RBAC, ABAC, etc.

 CSC 7: Continuous Vulnerability Management

What is it?

Continuous vulnerability management means implementing necessary security controls that help organisations in managing information security threats promptly according to the vulnerability severity. With this control, CIS directs the enterprise to have relevant security technologies and processes that facilitate them in detecting, scanning and prioritising the information security weaknesses.

Why is it required?

The organisation needs to continuously look for vulnerabilities on all enterprise systems and technologies operating within the internal and external environment to timely patch and remediate them. The unpatched vulnerability allows the attacker to penetrate the network and infrastructure, which can have multiple and consequential effects.

What are relevant tools and procedures?

-SEIM solution

-Regular vulnerability assessment

CSC 8: Audit Log Management

What is it?

Similar to vulnerability management, auditing the log and managing them is necessary for CIS control. This requires having an appropriate log surveillance environment in place to encounter suspicious behaviour.

Why is it required?

Auditing the logs plays an important role for enterprises in keeping track of system logs and collecting all alerts to review the records to detect malicious traffic that could signify a security attack.

What are relevant roles and procedures?


-SEIM solution

CSC 9: Email and Web Browser Protections

What is it?

This control directs to enhance the email and web-browsers security in order to reduce the attack surface and risks.

Why is it required?

Insecure web browsers and emails render multiple opportunities for cyber criminals by tricking the user through social engineering, phishing emails. Organisations need to have appropriate mechanisms or solutions to filter out suspicious emails and web traffic.

What are relevant tools and procedures?

-Use an updated browser

-Implement domain-based authentication, DMARC policy

CSC 10: Malware Defense

What is it?

This CIS control address the enterprises to have a defence mechanism to prevent the spread of malware or any other related harmful thing. This includes malware defences to scan, prevent and detect the malicious software while upgrading the defences where applicable.

Why is it required?

Attackers often target the network to steal information through malware and malicious attachment, links, etc. The enterprise needs to execute a mechanism to defend against malware.

What are relevant security tools and procedures?

-Install anti-malware, anti-virus and anti-spyware

-Deploy Intrusion detection system (IDS)

CSC 11: Data Recovery

What is it?

This control mandates the organisations to have proven methodologies for data recovery processes to avoid data loss in case of mishaps or cyber incidents.

Why is it required?

All enterprises, regardless of their size, with the CIS control no. 11, need data recovery practices. Having a proven data recovery plan can minimise downtime and boost up their data restoration process.

What are tools and procedures?

-Implement a backup mechanism

Discuss your concerns today

CSC 12: Network Infrastructure Management

What is it?

It refers to effectively manage the complete suite of hardware and software resources that builds the network infrastructure foundation and is responsible for communication, operation and connectivity.

Why is it required?

No infrastructure is immune to cyber threats. Companies need to implement and keep track of their network devices, access point and related infrastructure end-point to identify vulnerabilities earlier. It is essential to refrain the attackers from exploiting vulnerabilities and gaining access through insecure or flawed network services, ports and access points.

What are the tools and procedures?

-Packet loss supervision tool

-Network assessment

-Network availability tool

CSC 13: Network Monitoring and Defense

What is it?

This control relatively requires the organisation to maintain the network and keep track of all events and activity over the network to protect the organisation’s network against site threats and data breaches.

Why is it required?

The companies need to have an established and operating network monitoring system along with an up-to-date defence technology mechanism to combat the cyber threat and attack vectors. Through this, they can maintain the security posture all across the online, physical and virtual environment.

What are relevant security tools and procedures?

-Deploy antivirus, anti-malware, anti-spyware

-Intrusion detection system (IDS)

CSC 14: Security Awareness and Skills Training

What is it?

With this control, organisations are bound to involve the human minds in proven security awareness and skillsets to enhance the overall enterprise security posture.

Why is it required?

High-end security products and the system cannot protect the enterprise if they do not have skilled and competent individuals and security awareness to maintain the security culture. The 14th control of CIS v8 focuses on establishing security awareness programs and training to spread security-conscious behaviour among technical and non-technical employees.

What are relevant tools and procedures?

-Staff training with updated security program

CSC 15: Service Provider Management

What is it?

This CIS 15 control requires organisation to actively manage the third-party, vendor and service provider network to prevent threats, supply chain attacks and incidents that can cause massive disruption.

Why is it required?

Cloud technologies are increasing and becoming the need of every business in today’s world of remote work. Often breaches involve the negligence of third-party service providers. Service provider management helps assess and track vendors or cloud service providers who are engaged with the enterprise’s critical assets or sensitive data.

What are the relevant tools and procedures?

– Third-party risk assessment

– Compromise assessment before merger and acquisition 

CSC 16: Application Software Security

What is it?

This control addresses the need for security consideration for in-house developed or acquired application software.

Why is it required?

Whether the application is developed in-house, hosted or acquired, the companies need to handle the security life cycle in the software to detect and prevent risk. In addition, doing the necessary test and check on the application security health help minimise the threats and patch them promptly.

What are the relevant tools and procedures?

-Secure coding practices

– Static and dynamic testing

-Secure SDLC

CIS Control 17: Incident Response and Management

What is it?

This control refers to having a developed and implemented incident recovery and management infrastructure to efficiently detect, respond to attack.

Why is it required?

A prepared incident response program with defined policies, procedures, roles, and communication facilitate detection and rapidly management of the security incidents to counter the attack with minimum downtime.

What are the relevant tools and procedures?

-Separately documented and outlined a plan for incident handling, recovery and reporting.

CIS Control 18: Penetration Testing

What is it?

CIS control no 18 is all about directing companies to assure assets and enterprise resiliency by testing the infrastructure, network, a system with attacker tactics to understand how they can be breaches.

Why is it required?

Conducting penetration testing is critical to verify the effectiveness, the organisation must simulate the web threats through penetration testing with the attacker perspective to identify vulnerable endpoints and potential weaknesses.

What are relevant tools and procedures?

-Appropriate white-box, grey-box or black-box penetration testing methodologies

Why are there 18 CIS controls not 20?

The updated CIS controls have enhanced the previous 20 controls relative to modern solutions and technologies by incorporating new rules with emerging IT and security industry adaptation such as cloud computing, virtualisation, outsourcing, remote working, etc.

In the new version, the controls are combined according to the activities and attack techniques. Thus, the controls are simplified from 20 to 18 in relevance with cloud, hybrid and activities-based environments.

Discuss your concerns today

What are CIS sub controls?

The CIS controls serve security best practices and guidelines to all levels of enterprises to assist them in protecting their critical assets with proven methodologies. The CIS critical security controls are categories into three sub controls on the basis of assets types, functionality and security necessities. 

What are cis sub controls

The sub controls are classified into three implementation groups, which are listed below.


This sub-control includes the simple and basic control implementation to improve the organisation assets security.


As the name suggests, this sub-control works as a baseline and contain advanced security guidance to improve the overall organisational security posture


These controls have guidance on making or changing the organisational policies to help businesses improve and maintain cyber security hygiene in accordance with the evolving cyber landscape.

Who uses CIS controls?

The critical CIS security controls are currently referred to and adopted by many legal, regulatory bodies, policymakers, and frameworks. As stated earlier, the Center for Internet Security controls is a set of prioritised cyber defence recommendations for every size of enterprises, including startups to fortune 500, to reduce the attack surface and prevent cyber criminals from gaining access or breaching the companies. 

It is used by thousands of global organisations, including Boeing, Citizen Property Insurance, Federal Reserve Bank of Richmond and all businesses. Various state government agencies and cities have incorporated the CIS controls, such as Arizona, Idaho, Colorado, Portland, San Diego, etc.

In addition to it, security services consultants and vendors like Rapid 7, Tenable supports the CIS controls and educational institutes like the University of Massachusetts have implemented CIS controls into their security processes.

Today’s businesses and online actions demand protection against invasion, and it is only possible if security is considered proper hygiene rather than an elite lifestyle. As a cyber security service provider and consultant, we take it as our responsibility to provide you with in-depth defence services to help your business grow without the fear of cyber attacks.

Get in touch with us to schedule your CIS compliance assessment or discuss your primary security concerns.