Remember the CIS 20? It is No More!

The Center for Internet Security has, for years, built a list of recommended controls and sold tools to help you manage that. The controls are very IT centered and don’t really cover governance, but the controls can be a good piece of your information security strategy.

For as long as I can remember, there were 20 controls in the CIS model. But no more.

A few years ago, in an effort to help people “eat the CIS 20 elephant (one bite at a time)”, the Center came up with “implementation groups”. IGs broke the 20 controls down into 3 groups – IG 1, 2 and 3. Each group builds on the one below it.

But now version 8 of the CIS 20 has been released and 20 is now only 18.

But even with just 18 controls, there are a total of 153 “safeguards”. There are still 3 implementation groups.

If you are looking for a security framework and NIST or CMMC doesn’t fit your business, maybe the CIS 20, err, CIS 18 may be a part of your overall strategy. You will have to add pieces to it like governance and privacy, but as a core, it covers a lot.

One important thing to understand – while the Center for Internet Security is a non-profit, you cannot use their stuff, even internally, for free. For a small company, the license fee is about $3,700 a year. For a large company, it can go up to $15,000+ a year. The NIST cybersecurity and privacy frameworks are free. The CMMC framework is free, but if you want to become certified, that costs money.

No matter which framework you use, you likely will need help getting there and that help, of course, is not free either.

Credit: Help Net Security

by