(The following is taken from the introduction to the addendum)

After the book was initially published in July 2020, using the CIS Controls® version 7.1, the CIS Controls® underwent a major update to version 8, issued in May 2021. The new version emphasizes the three Implementation Groups, including an expanded Implementation Group 1 (IG1), which applies primarily to small-to-medium businesses (SMBs). Another change in v.8 is now having only 18 primary Controls, rather than 20. In addition, the book only focused on 37 Safeguards; however, IG1 started with 43 Safeguards in v.7.1. In v.8, 11 new Safeguards were added to IG1, while others were revised or merged into other Safeguards. This Addendum will address all of the v.8 IG1 Safeguards, even if the v.7.1 equivalent was not provided explicitly in the book.

This Addendum aims to provide businesses with a guide to take you from v.7.1 into the new v.8 Safeguards while maintaining the categorization structure created in the book. This Addendum will walk you through, chapter-by-chapter, first the changed Safeguards and then the newly added Safeguards within the categories for each chapter. The four chapters that identify key Safeguards will continue to address the same groupings of control measures, as listed below.

  • Chapter 11—Key Safeguards for SMBs (“The Basics”)
  • Chapter 12—Implementing Administrative and Configuration Controls
  • Chapter 13—Implementing User Controls and Training
  • Chapter 14—Implementing Incident and Breach Controls

In addition to the changes to the Safeguards in the CIS Controls, in July 2022, we updated the governance documents associated with the book and made them available at: Version 8 Addendum to Creating a Small Business Cybersecurity Program Control