CIS Controls Policy Template Availability

Owned by Amanda McGown, created
Last updated: Oct 20, 2023 by Parami Swenson
2 min read

Product Name

CIS Controls

Product Version

v8

Date

Feb 15, 2023

Problem

 

I require further background information on the CIS Information Security Policy Templates.

Solution

CIS assembled a working group of policy experts to develop information security policy templates. These templates cater exclusively to IG1 Safeguards. As such, IG2 and IG3 Safeguards are not addressed. Not every Control has a dedicated Policy Template since some Controls were amalgamated to produce fewer policies. Specifically:

  • Controls #5 and #6 have been merged into a single policy template named "Account and Credential Management."

  • Controls #9 and #12 are encompassed in the Control #4 policy template titled "Secure Configuration Management."

  • Controls #13, #16, and #18 lack policies because they do not have IG1 Safeguards.

 

We also devised an "Acceptable Use Policy Template." While it doesn't map to IG1, the Working Group believed it was a fundamental policy that CIS should develop. Additionally, be aware that the MS ISAC offers a distinct policy suite centered on the NIST Cybersecurity Framework, named "NIST Cybersecurity Framework Policy Template Guide."


All policies are available in Microsoft Word format and are designed to be concise and adaptable documents usable by a non-technical audience. Enterprises are urged to tailor these templates to their requirements. These policies include guidance for further refinement in their initial sections. Nonetheless, these templates won't suffice for a complete policy suite. Companies will necessitate other policies to meet broader technology governance demands, which fall outside the scope of the CIS Controls. Also, the policies within a given template aren't isolated; many integrate pertinent CIS Safeguards from various CIS Controls. For example, as mentioned above, the Secure Configuration Management Policy Template mainly pertains to CIS Control 4 but also aids companies in achieving numerous other Controls simultaneously.


The real merit of these policy templates is their alignment with CIS Controls v8, enabling enterprises to address the Safeguards in IG1. In the future, there might be expansions to cover the Safeguards of Implementation Group 2 (IG2) and Implementation Group 3 (IG3). While there's no ongoing effort to craft IG2 and IG3 policy suites—presuming larger organizations have in-house policy development and legal acumen.

 

The CIS Controls Team welcomes feedback. If demand is sufficient, additional templates may be developed

To see all available published Policy Templates and current draft Policy Templates please join the ::CIS Controls - Policy Templates WorkBench Community and navigate to the Files rubric to view and download templates.

For more information related to the CIS v8 Controls, please see the https://www.cisecurity.org/controls/v8

Keywords; controls IG1 Implementation Group Policy Templates

Content by Label

Copyright © 2023

Center for Internet Security®