CIS Critical Security Controls v8 vs CIS 20 Controls – 2021

Critical Security Controls 768x292 1

With the changing tech landscape, v8 of CIS critical security controls presents a more consolidated approach that replaced CIS Top 20 released a while ago. This topic explores CIS 20 vs CIS 18 controls and what each of the controls is and why are these required. The newer release is known under various names such as CIS top 20 v8, CSC v8, CIS 8 controls.

What do CIS controls stand for?

CIS CSC v8 300x225 1

CIS controls stand for Center for Internet Security Controls (previously known as the SANS Top 20 Critical Security Controls) is the best practices guidelines to combat cybercriminals malicious actions and attack vectors wandering inside the Internet sphere.

Initially, it was designed by the global cyber defenders, leaders and experts of the security industry. They are based on real-world scenarios for effective risk management and regularly update the attack trends, critical security vulnerabilities and human errors.

Center for Internet Security

The CIS Controls (formerly known as Critical Security Controls) are a recommended set of cyber defence actions that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. CIS is a non-profit organisation developing cyber defence hygiene and best practices to secure and resilient cybersphere.

The CIS critical security controls do not ensure immunity to cyberattacks, but they considerably affect the security controls through standard measures and cyber protection layers. CIS controls are not the necessary standard to follow, nor does it compete with anyone; it is an effort to create a safe cyber realm against the security weaknesses of every business.

On May 18, 2021, the CIS launched the new version of CIS control named- CIS v8 at the global RSA conference. Implementing CIS critical security controls into the business and IT strategy can significantly impact organisational growth as well as helps to protect from common yet most occurring cyberattacks, boosting cyber defence.

Center for Internet Security

What are the latest CIS controls v8?

CIS controls v8 strengthen the list by activities rather than classifying who manages the devices. Physical boundaries, devices and discrete islands of security implementation are less critical with the changing tech landscape, and these elements have been reflected in the CIS essential controls of security v8 release.

cis top 20 v8 1024x576 1

CSC 1: Inventory and Control of Enterprise Assets

What is it?

The first CIS critical security control requires the appropriate management and inventory of all assets associated with the enterprise. This includes end-user hardware devices, network appliances, IoT devices, servers, systems, portable devices, etc., connected to the infrastructure either physically, virtually or remotely and those present in the cloud environment.

Attackers are always geared up to break into the organisation’s network and assets to create cyber damage. The accurate inventory is required to keep track of all assets records and issues to monitor, protect, and prevent unauthorised access to enterprise assets or networks.

Why is it required?

Without updated inventory and constant monitoring, it is a massive challenge for an enterprise to track suspicious behaviour, access, and traffic coming to them. An inventory record is also necessary for vulnerability and releases patches updates.

What are the relevant areas, tools or procedures?

Assets discovery tools

-Regular monitoring and audit

CSC 2: Inventory and Control of Software Asset

What is it?

Like the first CIS control, this control requires active management such as the operating systems and installed applications on the network, servers, systems, etc.

Why is it required?

For robust security, it is vital to keep print and analyse the software asset to ensure no unauthorised software can be installed or executed on the enterprise network. Organisations need to trace software assets and have a mechanism to prevent unauthorised software execution.

What are the relevant tools and procedures?

-Regular monitoring and audit

-SIEM solutions


CSC 3: Data Protection

What is it?

This control mandates the organisation implement security measures to develop technical competencies to identify, classify, retain, dispose, and securely handle the data.

Why is it important?

Data is the most integral and critical asset of any enterprise and needs to be protected at any cost. Leaked data can penalise the organisation and play a significant role in losing customers or users’ trust.

What are the relevant tools and procedures?

-United Kingdom GDPR compliance regulations

-Data tracking tools

CSC 4: Secure Configurations of enterprise assets and software

What is it?

The fourth CIS control addresses the enterprise assets and software contributing to the infrastructure foundation. These include network devices, hardware or software firewalls, routers, switches and other devices protection with secure configuration. It emphasises hardening the assets with relevant security computations.

Why is it important?

Often enterprises utilise the products in their environment with the default configuration that comes by the manufacturers. Open ports, default admin and account passwords are the elements that attract attackers to compromise the assets with little effort.

What are the relevant tools and procedures?

-Following security standards for secure configuration

CSC 5: Account Management

What is it?

With this control, organisations are expected to have policies to manage accounts. It includes keeping track of account activity, account creation, etc.

Why is it required?

Unmanaged and open accounts are like a green signal for cybercriminals to hack. The enterprises need to execute processes and tools to manage the authorisation of credentials. Besides this, they must assign the relevant access to users, services and administrative accounts.

What are relevant tools and procedures?

-Implement multi-factor authentication

-Deploy policy for account lifecycle

CSC 6: Access Control Management

What is it?

Apart from account management, this control emphasises having relevant measurements such as the least privilege rule on user access rights to maintain employees or user access as well as reduce the attack surface.

Why is it required?

The enterprises must ensure the right technology and processes are in place to create, assign, manage and revoke access credentials for enterprise assets and software and privileges for a user, administrator and service accounts to keep track of how users are utilising their privileged access. Minimising the internal attack surface is necessary because you never know which user misuses the access rights. In addition, access controls limit the attacker’s access if he successfully compromises any user account.

What are the relevant tools and procedures?

-Implement access control mechanisms such as RBAC, ABAC, etc.

 CSC 7: Continuous Vulnerability Management

What is it?

Continuous vulnerability management means implementing necessary security controls that help organisations manage information security threats promptly according to the vulnerability severity. With this control, CIS directs the enterprise to have relevant security technologies and processes that facilitate them in detecting, scanning and prioritising the information security weaknesses.

Why is it required?

The organisation needs to continuously look for vulnerabilities on all enterprise systems and technologies operating within the internal and external environment to timely patch and remediate them. The unpatched vulnerability allows the attacker to penetrate the network and infrastructure, having multiple and consequential effects.

What are relevant tools and procedures?

-SEIM solution

-Regular vulnerability assessment

CSC 8: Audit Log Management

What is it?

Similar to vulnerability management, auditing the log and managing them is necessary for CIS control. This requires having an appropriate log surveillance environment in place to encounter suspicious behaviour.

Why is it required?

Auditing the logs plays a vital role for enterprises in keeping track of system logs and collecting all alerts to review the records to detect malicious traffic that could signify a security attack.

What are relevant roles and procedures?


-SEIM solution

CSC 9: Email and Web Browser Protections

What is it?

This control directs to enhance the email and web-browsers security to reduce the attack surface and risks.

Why is it required?

Insecure web browsers and emails render multiple opportunities for cybercriminals by tricking the user through social engineering phishing emails. Organisations need to have appropriate mechanisms or solutions to filter out suspicious emails and web traffic.

What are relevant tools and procedures?

-Use an updated browser

-Implement domain-based authentication, DMARC policy

CSC 10: Malware Defense

What is it?

This CIS control address the enterprises to have a defence mechanism to prevent the spread of malware or any other related harmful thing. This includes malware defences to scan, deter and detect the malicious software while upgrading the defences where applicable.

Why is it required?

Attackers often target the network to steal information through malware and malicious attachment, links, etc. The enterprise needs to execute a mechanism to defend against malware.

What are relevant security tools and procedures?

-Install anti-malware, antivirus and anti-spyware

-Deploy Intrusion detection system (IDS)

CSC 11: Data Recovery

What is it?

This control mandates the organisations to have proven methodologies for data recovery processes to avoid data loss in case of mishaps or cyber incidents.

Why is it required?

All enterprises, regardless of their size, with the CIS control no. 11, need data recovery practices. Having a proven data recovery plan can minimise downtime and boost their data restoration process.

What are tools and procedures?

-Implement a backup mechanism

CSC 12: Network Infrastructure Management

What is it?

It refers to effectively managing the complete suite of hardware and software resources that builds the network infrastructure foundation and is responsible for communication, operation and connectivity.

Why is it required?

No infrastructure is immune to cyber threats. Companies need to implement and keep track of their network devices, access point and related infrastructure endpoint to identify vulnerabilities earlier. It is essential to refrain the attackers from exploiting vulnerabilities and gaining access through insecure or flawed network services, ports and access points.

What are the tools and procedures?

-Packet loss supervision tool

-Network assessment

-Network availability tool

CSC 13: Network Monitoring and Defense

What is it?

This control requires the organisation to maintain the network and keep track of all events and activity to protect the organisation’s network against site threats and data breaches.

Why is it required?

The companies need to have an established and operating network monitoring system and an up-to-date defence technology mechanism to combat cyber threats and attack vectors. Through this, they can maintain the security posture across the online, physical, and virtual environments.

What are relevant security tools and procedures?

-Deploy antivirus, anti-malware, anti-spyware

-Intrusion detection system (IDS)

CSC 14: Security Awareness and Skills Training

What is it?

With this control, organisations are bound to involve the human minds in proven security awareness and skillsets to enhance the overall enterprise security posture.

Why is it required?

High-end security products and the system cannot protect the enterprise if they do not have skilled and competent individuals and security awareness to maintain the security culture. The 14th control of CIS v8 focuses on establishing security awareness programs and training to spread security-conscious behaviour among technical and non-technical employees.

What are relevant tools and procedures?

-Staff training with updated security program

CSC 15: Service Provider Management

What is it?

This CIS 15 control requires organisations to actively manage the third-party, vendor and service provider network to prevent threats, supply chain attacks and incidents that can cause massive disruption.

Why is it required?

Cloud technologies are increasing and becoming the need of every business in today’s world of remote work. Often breaches involve the negligence of third-party service providers. Service provider management helps assess and track vendors or cloud service providers engaged with the enterprise’s critical assets or sensitive data.

What are the relevant tools and procedures?

– Third-party risk assessment

– Compromise assessment before merger and acquisition

CSC 16: Application Software Security

What is it?

This control addresses the need for security consideration for in-house developed or acquired application software.

Why is it required?

Whether the application is developed in-house, hosted or acquired, the companies need to handle the security life cycle in the software to detect and prevent risk. In addition, doing the necessary test and checking on the application security health help minimise the threats and patch them promptly.

What are the relevant tools and procedures?

-Secure coding practices

– Static and dynamic testing

-Secure SDLC

CIS Control 17: Incident Response and Management

What is it?

This control refers to having a developed and implemented incident recovery and management infrastructure to efficiently detect attacks.

Why is it required?

A prepared incident response program with defined policies, procedures, roles, and communication facilitate detection and rapidly management of the security incidents to counter the attack with minimum downtime.

What are the relevant tools and procedures?

-Separately documented and outlined a plan for incident handling, recovery and reporting.

CIS Control 18: Penetration Testing

What is it?

CIS control no 18 is all about directing companies to assure assets and enterprise resiliency by testing the infrastructure, network, a system with attacker tactics to understand how they can be breaches.

Why is it required?

Conducting penetration testing is critical to verify the effectiveness; the organisation must simulate the web threats through penetration testing with the attacker perspective to identify vulnerable endpoints and potential weaknesses.

What are relevant tools and procedures?

-Appropriate white-box, grey-box or black-box penetration testing methodologies

Why are there 18 CIS controls, not 20?

The updated CIS controls have enhanced the previous 20 controls relative to modern solutions and technologies by incorporating new rules with emerging IT and security industry adaptation such as cloud computing, virtualisation, outsourcing, remote working, etc.

The controls are combined according to the activities and attack techniques in the new version. Thus, the rules are simplified from 20 to 18 in relevance with cloud, hybrid and activities-based environments.

What are the CIS top 20 controls?

The outdated version v7 of Center for Internet Security (CIS) controls addressed the 20 controls with detailed account to the organisation to implement them for the robust and solid cyber defence of their assets and enterprises.

CIS 20 Controls 

Version 7.1 was released April 4, 2019, that included the following CIS 20 controls:

CIS top 20 Critical Security Controls

Control 1: Inventory and Control of Hardware Assets

Control 2: Inventory and Control of Software Assets

Control 3: Continuous Vulnerability Management

Control 4: Controlled Use of Administrative Privileges

Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Control 7: Email and Web Browser Protections

Control 8: Malware Defenses

Control 9: Limitation and Control of Network Ports, Protocols, and Services

Control 10: Data Recovery Capabilities

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Control 12: Boundary Defense

Control 13: Data Protection

Control 14: Controlled Access Based on the Need to Know

Control 15: Wireless Access Control

Control 16: Account Monitoring and Control

Control 17: Implement a Security Awareness and Training Program

Control 18: Application Software Security

Control 19: Incident Response and Management

Control 20: Penetration Tests and Red Team Exercises

What are CIS sub controls?

The CIS controls serve security best practices and guidelines to all enterprises to assist them in protecting their critical assets with proven methodologies. The CIS essential controls of security are categorised into three sub controls based on assets types, functionality and security necessities.

What are cis sub controls

The sub controls are classified into three implementation groups listed below.


This sub-control includes the simple and basic control implementation to improve the organisation assets security.


As the name suggests, this sub-control works as a baseline and contain advanced security guidance to improve the overall organisational security posture.


These controls have guidance on making or changing the organisational policies to help businesses improve and maintain cyber security hygiene by the evolving cyber landscape.

Who uses CIS controls?

The critical CIS security controls are referred to and adopted by many legal, regulatory bodies, policymakers, and frameworks. As stated earlier, the Center for Internet Security controls is a set of prioritised cyber defence recommendations for enterprises, including startups to fortune 500, to reduce the attack surface and prevent cybercriminals from gaining access or breaching the companies.

It is used by thousands of global organisations, including Boeing, Citizen Property Insurance, Federal Reserve Bank of Richmond and all businesses. Various US state government agencies and cities have incorporated the CIS controls, such as Arizona, Idaho, Colorado, Portland, San Diego, etc.

In addition to it, security services consultants and vendors like Rapid 7, Tenable supports the CIS controls and educational institutes like the University of Massachusetts have implemented CIS controls into their security processes.

Today’s businesses and online actions demand protection against invasion, and it is only possible if security is considered proper hygiene rather than an elite lifestyle. As a cyber security service provider and consultant, we take it as our responsibility to provide you with in-depth defence services to help your business grow without the fear of cyberattacks.

Get in touch with us to schedule your CIS compliance assessment or discuss your primary security concerns.

Article Contents

Sharing is caring! Use these widgets to share this post
Scroll to Top