Looking for measures and metrics for CIS Critical Controls v8

Problem

Solution

The CIS Controls v7 measures and metrics guide was donated to CIS in the past.  We have developed other more comprehensive options;

For vendors, we have developed the Controls Assessment Specification Model,

CIS Controls Assessment Specification

The CIS Controls provide essential best practices that organizations can implement to improve their cybersecurity posture. In addition to implementing the CIS Controls, it is also important that organizations measure their implementations to ensure that Safeguards are in place and working properly. The purpose of the CIS Controls Assessment Specification (CAS) is to provide a common understanding of what should be measured in order to verify that CIS Safeguards are properly implemented. The hope is that those developing related tools will then build these measures into their tools so that the CIS Controls are measured in a uniform way.

Note that the focus of CAS is on “what to measure” rather than “how to measure”. With the goal of being platform agnostic, a conscious effort was made to avoid addressing the “how to measure” in writing CAS, leaving those platform specific details to specific implementations of these measures. Tool developers will determine the “hows” that are appropriate for their tools and use cases.

For adopters, we have developed the Controls Self Assessment Tools (CIS CSAT Hosted and CIS CSAT Pro)

https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/

The CIS Controls^® Self Assessment Tools, also known as CIS CSAT, enables organizations to assess and track their implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best practices used by organizations around the world to defend against cyber threats.

Related Content