What's new in CIS Controls V8.1?
Last updated: January 23th, 2025
The release of CIS v8.1 marks an important step forward in the evolution of the Center for Internet Security (CIS) Controls. While it builds on the solid foundation of CIS v8, this version introduces targeted refinements and updates designed to enhance clarity, precision, and practicality without altering the core structure of the framework. Let’s dive into the key updates and what they mean for security practitioners.
No Structural Overhaul
One of the most reassuring aspects of CIS v8.1 is the absence of major structural changes. Security teams can implement the updates without reworking existing implementations. Key points include:
- Control ID numbers and implementation groups: These remain unchanged, ensuring continuity for those already using CIS v8
- Consistency in spirit: The overarching goals and philosophy of CIS Controls are preserved, focusing on actionable, practical guidance
Introduction of New Asset Classes
CIS v8.1 acknowledges the evolving nature of cybersecurity by adding a new dimension to asset management:
- Documentation as a security asset: Recognized as part of the governance function, documentation now holds a formal place in the security ecosystem. This reinforces the importance of well-maintained policies, procedures, and records as integral components of a strong security posture
- Governance as a distinct function: Aligning with updates in NIST Cybersecurity Framework (CSF) v2.0, safeguards that were previously categorized as "detect" or "recover" are now reclassified as "govern." This change mirrors the growing emphasis on governance as a critical layer of cybersecurity
Context, Coexistence, and Consistency
CIS v8.1 addresses the challenge of integrating security frameworks with improvements in:
- Contextual guidance: New details clarify the intent and application of controls, making them easier to implement effectively
- Enhanced framework mapping: Refined mappings to other frameworks, particularly NIST CSF v2.0, improve interoperability and make adoption seamless
- Consistency across safeguards: Updates ensure that language, intent, and implementation are harmonized across all controls
Improved Precision
Security practitioners will notice a sharper focus on clarity in CIS v8.1.
- Refined language: Ambiguous terms and vague instructions have been revised to eliminate confusion
- Actionable descriptions: Each safeguard includes explicit, step-by-step guidance to facilitate clear and consistent implementation
Crosswalk Enhancements
CIS v8.1 cements its position as a leader in providing comprehensive crosswalks to other standards:
- Best-in-class framework mapping: The crosswalks in CIS v8.1 exceed those provided by other standards organizations, such as NIST. This feature simplifies adoption for organizations navigating multiple frameworks and regulatory requirements
Evolving Cybersecurity with Clarity and Actionability
CIS v8.1 represents a thoughtful evolution of the framework, preserving its foundational principles while refining its clarity, practicality, and alignment with other standards. Notable updates include the integration of governance as a distinct function, the introduction of documentation as a security asset, and enhanced framework mappings. For security practitioners, this means a more actionable, accessible, and effective tool for managing cybersecurity in an ever-changing landscape.
By staying true to its roots while embracing innovation, CIS v8.1 continues to set the standard for practical and robust cybersecurity guidance.
Cybersecurity Standards
Understand the key standards, frameworks, and regulations critical for service providers.
Explore Resources
What your company needs to deliver cybersecurity!