CIS Critical Security Controls Version 8

Want to learn more about the CIS Controls? Check out our video below.

CIS Controls v8 was enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, work from home, and changing attacker tactics prompted the update and supports an enterprise’s security as they move to both fully cloud and hybrid environments.

Our design principles included:

• Offense Informs Defense
  • CIS Controls are selected, dropped, and prioritized based on data and on specific knowledge of attacker behavior and how to stop it.
• Focus
  • Help defenders identify the most critical things they need to do to stop the most important attacks.
  • Avoid being tempted to solve every security problem — avoid adding “good things to do” or “things you could do.”
• Feasible
  • All individual CIS Safeguards must be specific and practical to implement.
• Measurable
  • All CIS Controls, especially for Implementation Group 1, must be measurable.
  • Simplify or remove ambiguous language to avoid inconsistent interpretation.
  • Some Safeguards may have a threshold.
• Align
  • Create and demonstrate “peaceful co-existence” with other governance, regulatory, process management schemes, framework, and structures.
  • Cooperate with and point to existing, independent standards and security recommendations where they exist (e.g., National Institute of Standards and Technology® (NIST®), Cloud Security Alliance (CSA), Software Assurance Forum for Excellence in Code (SAFECode), MITRE ATT&CK®, and Open Web Application Security Project® (OWASP®)).

When you download v8, you will receive:

• PDF
• Excel
• Change Log
• Implementation Groups

Controls v8 is available in these translations:

• Italian
• Japanese
• Portuguese

Have Questions? We're here to help. Go to Controls FAQs.