
TL;DR
This paper critically evaluates CIS Controls, questioning their practical viability and comparing them with alternatives like ISO, NIST, and PCI, emphasizing the need for more scientific scrutiny and supporting materials.
Contribution
It provides a critical assessment of CIS Controls, analyzing their underlying assumptions and validity, comparing them with other standards, and highlighting gaps and the need for further research.
Findings
CIS Controls are popular but lack extensive scientific validation.
There are viable alternative standards published by ISO, NIST, and the PCI consortium.
More empirical research and material are needed to validate CIS Controls.
Abstract
CIS Controls is a set of 20 controls and 171 sub-controls that were created with the idea of giving organizations a concrete list of things to implement so that they can increase their security. While good in theory, it is a big question how viable this approach is in practice and whether it really helps. There are only a small number of critical views of CIS Controls, and since CIS Controls are marketed by two very influential organizations, they are very popular. Yet there are alternatives published by ISO, NIST and even the PCI consortium. In this paper we critically assess CIS Controls, the assumptions on which they are based, and the validity of the approach and of the claims made in its favor. The conclusion is that the scientific community should be more active regarding this topic, but also that more material is necessary. This is something that CIS and SANS should support if they want to make CIS Controls viable…
