
How to Fulfill Multiple Compliance Objectives Using the CIS Controls
Earlier this year, I wrote about what’s new in Version 8 of the Center for Internet Security’s Critical Security Controls (CIS Controls). An international consortium of security professionals first created the CIS Controls back in 2008. Since then, the security community has continued to update the CIS Controls to keep pace with the evolution of technology ecosystems and emerging threat vectors—all the way to Version 8 and the 18 Controls contained therein. Those security measures are as follows:
- CIS Control 15: Service Provider Management
- CIS Control 16: Application Software Security
- CIS Control 17: Incident Response Management
- CIS Control 18: Penetration Testing
By implementing those Controls and their associated Safeguards (formerly Sub-Controls), organizations can build a solid foundation onto which they can layer additional security and compliance controls. But this raises an important question: are organizations under an obligation to comply with the CIS Controls, and how do the CIS Controls relate to compliance?
Connecting CIS Controls and Compliance
Unlike regulations such as PCI DSS and HIPAA or frameworks such as the NIST Cybersecurity Framework, the CIS Controls are not something auditors enforce compliance with. However, the CIS Controls function as the building blocks of nearly all major compliance frameworks, mapping to NIST
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/controls/how-to-fulfill-multiple-compliance-objectives-using-the-cis-controls/