The CIS v8 standard was developed in 2008 by an international, grass-roots consortium, named the Center for Internet Security, which brought together companies, government agencies, institutions, and individuals from every part of the IT ecosystem (cyber analysts, vulnerability-finders, solution providers, users, consultants, policy-makers, executives, academia, auditors, etc.) who banded together to create, adopt, and support the CIS Controls. 

The controls are a set of recommended actions that organizations can use to defend against more pervasive attacks in the threat landscape. They were designed to help organizations rapidly define a starting point for their defenses, allowing them to focus their resources on actions with immediate and high-value payoff. They can then turn their focus to additional risk issues that are unique to their business or mission. 

CIS Controls are supported by numerous security solution vendors, integrators, and consultants, such as Rapid7, Softbank and Tenable. Some users of the CIS Controls include: the Federal Reserve Bank of Richmond; Corden Pharma; Boeing; Citizens Property Insurance; Butler Health System; University of Massachusetts; the states of Idaho, Colorado, and Arizona; the cities of Oklahoma, Portland, and San Diego; and many others. 

To help organizations prioritize the implementation of CIS Controls, the Center for Internet Security identified three implementation groups. They are based on the risk profile and resources an enterprise has available to them to implement the CIS Controls.  

• IG1—An enterprise is typically small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. It contains 56 safeguards. 
• IG2— is comprised of 74 additional safeguards and builds upon the 56 Safeguards identified in IG1. An IG2 enterprise employs individuals who are responsible for managing and protecting IT infrastructure.  
• IG3— is comprised of an additional 23 safeguards. It builds upon the Safeguards identified in IG1 and IG2 for a total of 153 safeguards. Safeguards selected for IG3 must abate targeted attacks from sophisticated cybercriminals and reduce the impact of zero-day attacks. 

CIS v8 is an excellent option for organizations looking to secure IT configurations that limit vulnerabilities which could lead to ransomware and other cyber threats. It’s ideal for entities that may not be regulated by other standards. It’s also a good option for companies looking to augment IT security in tandem with their existing compliance standards. 

If you’re interested in implementing CIS v8, Compliance Manager GRC allows you to use all your current IT security tools, software, and systems to meet the requirements…while you maintain compliance with any other IT requirements, regardless of source.  

The built-in Standard Management Template allows you to quickly determine if you can “check the boxes” for every requirement, identifies the gaps, and automatically prepares all the documents you need to meet CIS v8 compliance. 

To learn how Compliance Manager GRC can help with any or all your compliance needs, request a demo today.