Thanks to our volunteer community, the CIS Critical Security Controls (CIS Controls)

continue to grow in influence and impact across a world-wide community of adopters, Critical Security Controls v8
vendors, and supporters. What started over ten years ago as a simple grassroots activity to
help enterprises focus on the most important steps to defend themselves against real-world
cyber-attacks has become a world-wide movement. 01 Inventory and Control of Enterprise Assets
Version 8 is the most effective, best-researched version of the Controls. We addressed

02 Inventory and Control of Software Assets

emerging technologies, new business and operational challenges (such as work from
home), and done more work than ever to study attacks and translate that into prioritized

Welcome to actions. At the same time, we simplified the document by combining like activities and using
consistent language.
03 Data Protection
Version 8 of the We’ve also matured our ability to bring data, rigor and transparency to our recommendations
to give you confidence in our work, created cross-mappings to numerous other security
frameworks and recommendations, and worked closely with the marketplace to ensure that
04 Secure Configuration of Enterprise Assets
CIS Critical you are supported with high-quality tools and other resources to help you measure your
CIS Controls implementation.
and Software
Security Controls Thanks to everyone for making v8 great!
Phyllis Lee
05 Account Management
06 Access Control Management
07 Continuous Vulnerability Management
08 Audit Log Management
09 Email and Web Browser Protection
10 Malware Defenses
11 Data Recovery
12 Network Infrastructure Management
13 Network Monitoring and Defense
14 Security Awareness and Skills Training
15 Service Provider Management
16 Applications Software Security
17 Incident Response Management
18 Penetration Testing
 SANS Security Frameworks and CIS Controls Training Courses It’s not just about the list...
SEC566: Implementing and Auditing Security Frameworks & Controls
We listened to your questions and responded with guidance for implementing the CIS Controls, showing compliance against other frameworks
and tools to measure your Controls implementation. It’s not just about a list of best cybersecurity practices—it’s about the ecosystem around the
Controls to help all enterprises, regardless of size, successfully implement a cybersecurity program.
5 30
CPEs
Laptop
Required
Building and Auditing Critical Security Controls
Day Program
Cybersecurity attacks are increasing and The Center for Internet Security (CIS) Critical SEC566 will enable you to master the
evolving so rapidly that it is more difficult Controls are specific security controls that specific and proven techniques and tools

GCCC than ever to prevent and defend against

them. Does your organization have an
CISOs, CIOs, IGs, systems administrators, and
information security personnel can use to
needed to implement and audit Version 8
of the CIS Controls as documented by the
Tools
GIAC Critical Controls Certification
effective method in place to detect, thwart, manage and measure the effectiveness of their Center for Internet Security (CIS), as well as
giac.org/gccc
and monitor external and internal threats to defenses. They are designed to complement those defined by NIST SP 800-171 and the CIS CSAT Pro CONTROLS SELF ASSESSMENT TOOL CIS Community Defense Model Navigating an Ocean of Cyber Frameworks
THIS COURSE WILL PREPARE YOU TO:
prevent security breaches? existing standards, frameworks, and compliance Cybersecurity Maturity Model Certification Helps teams track and document their Identifies the security value of CIS Authoritative and vetted cross-mappings
• Apply a security framework based on actual threats In addition to defending their information
schemes by prioritizing the most critical threat (CMMC). Students will learn how to merge progress in implementing the CIS Controls. Safeguards against specific attacks identified from our security best practices applied
and highest payoff defenses, while providing a these various standards into a cohesive
that is measurable, scalable, and reliable in stopping
systems, many organizations have to comply Progress can be compared to industry by open data sources, and described using to well-known target frameworks
known attacks and protecting organizations’ important common baseline for action against risks that strategy to defend their organization and
information and systems with a number of cybersecurity standards
we all face. comply with industry standards. averages. the MITRE ATT&CK Framework. or standards. For current versions
and requirements as a prerequisite for
• Understand the importance of each control and how it
and information on mappings, go to
is compromised if ignored, and explain the defensive doing business. Dozens of cybersecurity As threats and attack surfaces change and SANS’ in-depth, hands-on training will CIS RAM RISK ASSESSMENT METHOD
goals that result in quick wins and increased visibility of
standards exist throughout the world and evolve, an organization’s security should as well. teach security practitioners to understand www.cisecurity.org/controls/v8/
networks and systems A method and tool to let enterprises of
most organizations must comply with To enable your organization to stay on top of not only how to stop a threat, but why
• Identify and utilize tools that implement controls
through automation more than one such standard. Is your this ever-changing threat scenario, SANS has the threat exists, and how to ensure that varying security capabilities navigate the
• Learn how to create a scoring tool for measuring the organization prepared to comply and remain designed a comprehensive course on how to security measures deployed today will balance between implementing security
effectiveness of each control in compliance? implement the CIS Critical Controls, a prioritized, be effective against the next generation controls, risks, and organizational needs.
• Employ specific metrics to establish a baseline and risk-based approach to security. Designed by of threats. SEC566 shows security
In February of 2016, then California Attorney
measure the effectiveness of security controls
• Understand how the Critical Controls map to standards General, Vice President Kamala Harris
private and public sector experts from around professionals how to implement the CIS Controls Assessment Specification
the world, the CIS Critical Controls are the controls in an existing network through Identifies specific tests for Safeguards
such as NIST 800-53, ISO 27002, the Australian Top 35, stated that “the 20 controls in the Center for
and more best way to block known attacks and mitigate cost-effective automation. For auditors,
Internet Security’s Critical Security Controls
CIOs, and risk officers, this course is the
that can be automated, and provides a
• Audit each of the Critical Security Controls, with damage from successful attacks. They have
specific, proven templates, checklists, and scripts
identify a minimum level of information specification for vendors to implement them.
been adopted by international governments, best way to understand how you will
provided to facilitate the audit process security that all organizations that collect or
the U.S. Department of Homeland Security, measure whether the Controls and other
maintain personal information should meet.
state governments, universities, and numerous standards are effectively implemented. CIS Controls Navigator
The failure to implement all the Controls
NOTICE TO STUDENTS private firms. Online tool to compare CIS Safeguards with
The CIS released version 8 of the Controls in May 2021. that apply to an organization’s environment
This course content is updated to reflect the changes in constitutes a lack of reasonable security.” recommendations found in other security
the CIS Controls, as well as the most recent versions of frameworks.
the NIST SP 800-171 and the Cybersecurity Maturity Model “The course overall was excellent! I do feel like I can put together a plan to begin
Certification (CMMC).
implementing these controls at our organization right away! I have a feeling I will CIS WorkBench
be referencing these books often. We most definitely will be having at least one CIS collaboration platform for volunteers and
person from my team attending this class next year.”
CIS staff to share ideas, develop content, and
—Sarah Kroeplien, Acuity
learn from each other.

SEC440: CIS Critical Controls:

A Practical Introduction
2 Day Course | 12 CPEs | Laptop Required
CIS Controls Version 8 (and all prior versions) calls out secure The CIS Benchmarks include more than 100 configuration
Introduction to Critical Security Controls configuration of enterprise assets and software as an essential part guidelines across 25+ vendor product families. Benchmarks for top
Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than of any cyber defense program. We believe in the value of this activity technologies are updated within 90 days of the vendor release date.
so strongly that we founded the company on this idea over 20 years CIS Benchmarks are consumable in different forms. For example,
Version 8
ever to prevent and defend against them. Does your organization have an effective method
in place to detect, thwart, and monitor external and internal threats to prevent security
ago! We are the world’s largest independent producer of consensus- CIS Hardened Images, virtual machine images configured to the CIS
breaches? Does your organization need an on-ramp to implementing a prioritized list of
based configuration guides, bringing together experts from all across Benchmarks, are available in the major cloud solution marketplaces.

of the CIS Critical

technical protections?
the industry and the world to create, share, and support this essential We provide mappings to the CIS Controls and MITRE ATT&CK
In February of 2016, then California Attorney General, Vice President Kamala Harris
recommended that “The 20 controls in the Center for Internet Security’s Critical Security security content—the CIS Benchmarks. Framework. We also provide CIS STIG Benchmarks.

Security Controls Controls identify a minimum level of information security that all organizations that collect
or maintain personal information should meet. The failure to implement all the Controls that
apply to an organization’s environment constitutes a lack of reasonable security.”
SANS has designed SEC440 as an introduction to the CIS Critical Controls, in order to
AND provide students with an understanding of the underpinnings of a prioritized, risk-based We are proud to have collaborated on
approach to security. The technical and procedural controls explained in the CIS Controls CIS Controls v8 with these fellow nonprofits,
SANS Security Frameworks and were proposed, debated and consolidated by various private and public sector experts from
around the world. Previous versions of the CIS Controls were prioritized with the first six CIS
Critical Controls labeled as “cyber hygiene” and now the CIS Controls are now organized into
who serve the common good by developing
and sharing essential cybersecurity

CIS Controls Training Courses Implementation Groups for prioritization purposes.

The Controls are an effective security framework because they are based on actual attacks
best practices. The Cloud Security Alliance participated on the Controls
v8 team, making sure that it reflected the best available
SAFECode brought their expertise to lead the drafting of
CIS Control #16, Application Software Security. They issued
launched regularly against networks. Priority is given to Controls that (1) mitigate known For all of us, “collaborate” information on cloud security. We also mapped CIS Controls a companion SAFECode document “Application Software
v8 Safeguards with CSA’s Cloud Controls Matrix. Security and the CIS Controls,” to provide amplifying
For Cyber Leaders of Today and Tomorrow
attacks (2) address a wide variety of attacks, and (3) identify and stop attackers early in the
compromise cycle.
is a verb, not a bumper guidance on this foundational topic.

The course introduces security and compliance professionals to approaches for

sticker. https://cloudsecurityalliance.org/ https://safecode.org/
implementing the controls in an existing network through cost-effective automation. For
auditors, CIOs, and risk officers, the course is the best way to understand how you will
sans.org/cybersecurity-leadership measure whether the Controls are effectively implemented.

sans.org/cybersecurity-leadership
“SEC440 is a great course that immerses the auditor with Special thanks
critical controls—provides focus on what really matters.”
—Louis Guion, Mohawk Industries
to our industry
@secleadership SANS Security Leadership partners:
AUTHORS OF BOTH COURSES: James Tarala & Kelli K. Tarala of Enclave Security | enclavesecurity.com
MGTPS_CISCC_v1.3_0521