Depending on their industry and/or company size, Raxis customers are sometimes required to assess the maturity of their cybersecurity using these tools. Other times, they simply want to have a better internal understanding of their overall security posture and gaps. Regardless of the reason, the question we get most often is which standard is best for the company.

Our team has vast experience with both CIS 18 (formerly SANS Top 20 or CIS 20) and NIST CSF v1.1 requirements, and we can develop a scope of work based on either. That said, it’s important to understand exactly what these frameworks are and how they help improve your cybersecurity posture. Let’s start with CIS 18 as we’re asked about that one most often.

CIS 18

As the name suggests, the CIS 18 is a list of 18 primary security controls organized by activity. It is designed to measure an organization’s level of maturity as compared to a set of recommended standards. The 18 CIS controls each include three categories of sub-controls, called implementation groups, that increase in complexity based on the maturity of the organization’s cyber defenses.

IG1 includes the base-level security controls every enterprise-level organization should have in place. Think of this as the minimum standard, designed to help companies with limited cybersecurity expertise thwart general, non-targeted attacks. There are 56 additional safeguards in this group.

IG2 is designed to help organizations that manage multiple IT departments, with varying degrees of risk, cope with increased operational complexity.

IG3 is aimed at organizations that employ IT security experts and is designed to help them secure sensitive data and lessen the impact of cyberattacks. There are 23 additional safeguards included in IG3.

For customers who need a detailed analysis of each control, Raxis recommends our Enterprise CIS 18 Analysis. This includes an extensive interview and documentation process that will yield a detailed gap analysis and roadmap for hardening your defenses in accordance with the CIS controls.

The NIST CSF Version 1.0 was created in 2014 in response to the US government’s call for a voluntary framework to establish a “prioritized, flexible, repeatable, performance-based and cost-effective approach to managing cyberthreats.” Version 1.1 was released in 2018 and includes additional guidance and clarification. Unlike CIS, the NIST framework is intended as a gap-analysis tool based on the organization’s target operational state. It includes a core set of five cybersecurity functions that present industry standards and guidelines for all levels of an organization.

Identify: Develop an organizational understanding to manage cybersecurity risk to