Call for Feedback – CIS Controls Implementation Classes
The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of cybersecurity best practices. Together, they mitigate the most common attacks against systems and networks. There are 20 CIS Controls and 171 sub-controls. For organizations starting their journey in cybersecurity, it may not be possible to address each component of the CIS Controls in the near term.
Proposal: Implementation Classes
CIS is proposing a concept called Implementation Classes to assist organizations in their prioritization efforts. Implementation Classes are meant to provide a realistic and achievable starting point for organizations to begin using the CIS Controls. This approach encourages organizations to classify themselves as belonging to one of three risk profile classes based on three separate attributes:
- Sensitivity of data residing within the organization
- Level of technical expertise of staff or individuals on contract
- Availability of resources dedicated to cybersecurity activities
Each Implementation Class contains a subset of the CIS Controls that the community has broadly assessed to be reasonable for an organization with a similar risk profile. The classes represent a horizontal cut across the CIS Controls tailored to that type of enterprise. Accordingly, an organization implementing the sub-controls defined for their Implementation Class is moving toward a standard duty of care. This duty of care is described in the CIS Risk Assessment Method (CIS RAM).
While this approach provides guidance for prioritizing your CIS Controls implementation, it does not replace your organization’s need to understand its own risk posture. Organizations should conduct their own duty of care analysis. Implementation of the CIS Controls should be based on what is appropriate and reasonable given the resources, mission, and risks. The intention of Implementation Classes is to help organizations focus their efforts based on the resources they have available. They also help integrate CIS Controls into any pre-existing risk management process.
Implementation Classes are:
- A perspective on providing more tailored guidance for organizations of different capabilities and resources
- Built and maintained by the community, just like the CIS Controls
- A starting point from which organizations should strive and grow
Implementation Classes are not:
- A replacement for risk analysis and process of due care
- A maximum bar of things of an organization of your size can achieve
- A replacement of the higher level prioritization of the CIS Controls
We want your help
From Oct. 15 – Nov. 9, 2018, the CIS Controls team is soliciting community feedback on the classification of the sub-controls based on those classes. Who should participate? We welcome input from cybersecurity and information assurance experts, risk analysts, security engineers, threat hunting specialists, developers, incident response managers, solutions architects, red team leaders, and more.
How to participate
There are two ways to provide input on the CIS Controls Implementation Classes:
Login to CIS WorkBench and navigate to the CIS Controls Version 7 Development Community, where you’ll find helpful documentation and be able to join discussion forums on each sub-control.
Click the download button below to get helpful documentation which will inform your feedback. After reviewing it, you can email your comments to us at firstname.lastname@example.org.
At this time, we’re envisioning adding Implementation Classes as a minor release which will be captured as CIS Controls 7.1. We look forward to everyone’s feedback and once again thank you for your support.