CIS Critical Security Controls Version 7 – What’s Old, What’s New

Today marks the release of CIS Critical Security Controls (CIS Controls) Version 7, the newest iteration of these 20 important cybersecurity recommendations. The CIS Controls are a prioritized set of actions any organization can follow to improve their cybersecurity posture.
Download all CIS Controls (PDF & Excel)

Cybersecurity + Community

Version 7 of the CIS Controls was developed over the last year to align with the latest cyber threat data and reflect today’s current threat environment. We recognize that the cybersecurity world is constantly shifting and reacting to new threats and vulnerabilities, which often results in chaos and confusion about which steps to take in order to  harden systems and data.

In order to cut through the confusion, we collaborated on CIS Controls V7 with a global community of cybersecurity experts – leaders in academia, industry, and government – to secure input from volunteers at every level. Our public call for comment on Version 7 from January 24 – February 7, 2018 included feedback from a community of over 300 individuals dedicated to improving cybersecurity for all. The CIS Controls best practices are developed using a consensus approach involving discussion groups, forums, and community feedback.

Learn more about the CIS Controls.



Key Principles

The development of CIS Controls V7 was guided by 7 key principles which helped ensure a more robust end result

  1. Address current attacks, emerging technology, and changing mission/business requirements for IT: As part of our fundamental promise, the CIS Controls have been updated and re-ordered to reflect both the availability of new cybersecurity tools and changes in the current threat landscape that all organizations are facing.
  2. Bring more focus to key topics like authentication, encryptions, and application whitelisting: Guidance for each of these major security topics is covered in detail by CIS Controls V7 in a clearer, stronger, and more consistent fashion across the entire CIS Controls.
  3. Better align with other frameworks: With mapping to NIST Cybersecurity Framework, it’s never been easier to function in a multi-framework world.
  4. Improve the consistency and simplify the wording of each sub-control – one “ask” per sub-control: The community worked tirelessly to clarify and simplify each CIS Control, making it easier for users to follow along. By eliminating multiple tasks within a single sub-control, the CIS Controls are easier to measure, monitor, and implement.
  5. Set the foundation for a rapidly growing “ecosystem” of related products ad services from both CIS and the marketplace:  We have much more documented experience with adopters and vendors since Version 6; for V7 we make it easier for everyone to understand, track, import, integrate the CIS Controls into products, services, and corporate decision-making.
  6. Make some structural changes in layout and format:  To help keep the Controls relevant and adaptive to various different organizations, we’ve restructured our content to be more flexible than before.
  7. Reflect the feedback of a world-side community of volunteers, adopters, and supporters:  We are only as strong as the amazing volunteers that supports us and we hope to continue to provide a means of gathering and harnessing the global cybersecurity community for the benefit of everyone.

By following these 7 key principles, the CIS Controls have become a more flexible, measurable, and helpful resource for any business or organization looking to secure its systems and data.

Version 7 – What’s Old, What’s New

CIS Controls V7 keeps the same 20 controls that businesses and organizations around the world already depend upon to stay secure; however, the ordering has been updated to reflect the current threat landscape. We’ve also updated the sub-controls to be more clear and precise, implementing a single “ask” per sub-control.

CIS Controls V7 separates the controls into three distinct categories: basic, foundational, and organizational.

  • Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.
  • Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.
  • Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes involved in cybersecurity.

CIS Controls V7 Matrix

A Resource for All

The CIS Controls are a free cybersecurity best practices resource for any organization to download and implement. They provide clear, prioritized guidance to help organizations tackle the most pervasive cybersecurity threats.
Download all CIS Controls (PDF & Excel)