What's new in CIS Controls V8.1?

Last updated: January 23rd, 2025


The release of CIS v8.1 marks an important step forward in the evolution of the Center for Internet Security (CIS) Controls. While it builds on the solid foundation of CIS v8, this version introduces targeted refinements and updates designed to enhance clarity, precision, and practicality without altering the core structure of the framework. Let’s dive into the key updates and what they mean for security practitioners.

No Structural Overhaul

One of the most reassuring aspects of CIS v8.1 is the absence of major structural changes. Security teams can implement the updates without reworking existing implementations. Key points include:

  • Control ID numbers and implementation groups: These remain unchanged, ensuring continuity for those already using CIS v8
  • Consistency in spirit: The overarching goals and philosophy of CIS Controls are preserved, focusing on actionable, practical guidance

Introduction of New Asset Classes

CIS v8.1 acknowledges the evolving nature of cybersecurity by adding a new dimension to asset management:

  • Documentation as a security asset: Recognized as part of the governance function, documentation now holds a formal place in the security ecosystem. This reinforces the importance of well-maintained policies, procedures, and records as integral components of a strong security posture
  • Governance as a distinct function: Aligning with updates in NIST Cybersecurity Framework (CSF) v2.0, safeguards that were previously categorized as "detect" or "recover" are now reclassified as "govern." This change mirrors the growing emphasis on governance as a critical layer of cybersecurity

Context, Coexistence, and Consistency

CIS v8.1 addresses the challenge of integrating security frameworks with improvements in:

  • Contextual guidance: New details clarify the intent and application of controls, making them easier to implement effectively
  • Enhanced framework mapping: Refined mappings to other frameworks, particularly NIST CSF v2.0, improve interoperability and make adoption seamless
  • Consistency across safeguards: Updates ensure that language, intent, and implementation are harmonized across all controls

Improved Precision

Security practitioners will notice a sharper focus on clarity in CIS v8.1.

  • Refined language: Ambiguous terms and vague instructions have been revised to eliminate confusion
  • Actionable descriptions: Each safeguard includes explicit, step-by-step guidance to facilitate clear and consistent implementation

Focus on Practicality

CIS v8.1 places an even greater emphasis on addressing real-world challenges:

  • Security first: While compliance and privacy remain important, the framework’s updates prioritize actionable security measures tailored to diverse organizational needs

Crosswalk Enhancements

CIS v8.1 cements its position as a leader in providing comprehensive crosswalks to other standards:

  • Best-in-class framework mapping: The crosswalks in CIS v8.1 exceed those provided by other standards organizations, such as NIST. This feature simplifies adoption for organizations navigating multiple frameworks and regulatory requirements

Evolving Cybersecurity with Clarity and Actionability

CIS v8.1 represents a thoughtful evolution of the framework, preserving its foundational principles while refining its clarity, practicality, and alignment with other standards. Notable updates include the integration of governance as a distinct function, the introduction of documentation as a security asset, and enhanced framework mappings. For security practitioners, this means a more actionable, accessible, and effective tool for managing cybersecurity in an ever-changing landscape.

By staying true to its roots while embracing innovation, CIS v8.1 continues to set the standard for practical and robust cybersecurity guidance.
