In 2021, the Center for Information Security (CIS) introduce version 8 of their Critical Security Controls. This update built upon the previous version 7 controls in order to keep up with evolving technology, evolving threats and even the evolving workplace. It also reduced the number of critical security controls from 20 to 18.
Unfortunately, with this update, the CIS also changed their licensing model for how businesses can interact with these controls. As an entity using these controls to protect your business, you are able to download and use these controls just fine, however, if you are using the CIS Controls as a vendor, you are now required to enroll in the CIS SecureSuite Product Vendor program. For an organization the size of SimpleRisk, that would end up costing us around $20k USD per year. While numerous customers and prospects have expressed interest in using these controls, to date, none have been able to sponsor the costs involved. But don't worry...there's still a number of ways for your organization to use these controls in SimpleRisk.
OPTION #1 - The version 7 CIS Critical Security Controls did not have the same licensing requirements that the version 8 controls have. Because of this, we are able to provide this older set of controls in SimpleRisk as a one-click installer. This is a feature of the content catalog created with our Import-Export Extra. With this feature enabled, you can simply go to Configure -> Content and click on "Install" next to where it says "CIS Critical Security Controls v7". This will install the actual verbiage from those controls and create a new framework for them under the Governance section of SimpleRisk.
OPTION #2 - While we would love nothing more to simply give you a one-click installer for the CIS Critical Security Controls v8, similar to what we do for the v7 controls, their licensing will not allow us to do so. It does not, however, preclude you from creating the controls in SimpleRisk, yourself. Simply go to Governance -> Define Control Frameworks and then click the "+" button to create the new framework. Then, go to the "Controls" tab and use the "+" button there to add your new controls. This functionality is available in our free and open source SimpleRisk Core offering.
Option #3 - Since the CIS Critical Security Controls comes as a spreadsheet, you can make a few simple modifications to it in order to use our Import-Export Extra to pull it in as a framework in the SimpleRisk platform. You will want to create one row for each of the controls and add a column in front of each of them for "Framework Name" so that you have a framework to programmatically map them to. Once you have the spreadsheet ready to go, you can go to Configure -> Import / Export and then select "Import Controls" from the dropdown list. SimpleRisk's Director of Customer Success, Dorian Arthur, wrote The Risk Import Guide for SimpleRisk, which covers how the Import-Export functionality works in more detail. With this in mind, while the actual CIS Critical Security controls can be used with SimpleRisk, we typically advise customers to go with the fourth and final option.
OPTION #4 - Over the last few years, SimpleRisk has developed a strong partnership with an organization called ComplianceForge. These guys have created what they call the Secure Controls Framework (SCF), a freely downloadable spreadsheet which maps over 1000 security and privacy related controls across 190 different frameworks, with version 8 of the CIS Critical Security Controls being one of them. I cover many of the reasons why using a common controls framework is superior in my blog post on The Massive Benefits of Using a Common Control Framework with your GRC Program, so I won't get into the details here, but SimpleRisk has taken this a step further and built the ComplianceForge SCF into our platform as a freely downloadable Extra for all registered SimpleRisk instances. Once downloaded and activated, simply go to the "Configure" menu, followed by "Extras" and select "Yes" in the row for the ComplianceForge SCF Extra. From there, you can select "CIS CSC v8.0" or any other desired framework (NIST, COSO, COBIT, GDPR, etc) from the disabled list on the left and click the right arrow to add it to the enabled list on the right.
This will map all of the ComplianceForge SCF controls to the appropriate CIS Critical Security controls that essentially say the same thing and you can use this to map and verify compliance against the Critical Security Controls standard, with the added benefit of being able to also see how these controls map to many other frameworks your organization may be required to adhere to.
Another major benefit of utilizing the ComplianceForge SCF, especially if your organization is just getting started on security, is that SimpleRisk resells the ComplianceForge Digital Security Program (DSP), a series of documents providing the policies, guidelines, standards and control objectives around the SCF, as well as the Cybersecurity Standardized Operating Procedures (CSOP), the recommended operating procedures for the SCF controls. At all of $10,500 for the bundle, it's an extremely cost-effective way to jump start your security program.
If you'd like to experience for yourself how the CIS Critical Security Controls works within SimpleRisk and the Secure Controls Framework (SCF), consider signing up for our free 30 day trial. We look forward to working with you!
