get the xls spreadsheet here:

https://securitycompliance.thinkific.com/courses/cis-control-maps

Hey guys, this is Bruce and welcome to a convo course podcast. And today I want to talk about one thing in particular, and that is the CIS and how it maps to the ISO 27,000. And one, if you didn't know, both of these are security compliance frameworks that are used in the public sector and private sector, as well as international organizations.

So pretty much a little slice of everybody use. One are the two of these particular security frameworks. CIS is typically used for the private sector. That means like retail stores or banking or community centers or those kind of organizations that are private Lee own organization. And sometimes nonprofits.

I'll also say that in having worked in the public sector from time to time, we'll actually use CIS controls as well. It, just depends on what kind of what we're doing. Like we use the CIS benchmarks. I've seen those used within the government within like department of defense, cuz it's just a great tool to use.

And if you're interested in finding this, just go to Google or being or Yahoo or your favorite search engine and just type in CIS controls and. Right now you have a mapping from the CIS controls version 7.1 to ISEL 27,001. Now right now, CIS controls are on version eight. I'm not, I don't think that one's out yet, but right now we are focusing on.

Version 7.1, but we will revisit this once we get version eight. Okay. So that being said, I sell 27,001 is an international standard for information security management. And they both, do the same thing. It's for an organization to have a guidance on how to actually. Proceed as far as securing their entire network, not even just the software and hardware devices that are connected to the network, but also things like physical security, maintenance.

All aspects of protecting the actual security of the system. Whether it's outside of the system whether who's touching the system who has access to the system, all those things let's start from the top. So what we're gonna do is just focus on the main security controls, like CIS control, one that is inventory and control of hardware assets.

And you'll see that the IO 27,001 has something similar in and it's called a.eight.one.one. So inventory of assets, right? They kind of group 'em all together. They don't break 'em apart in individual things for ISO 27,001. Whereas I CIS controls, they break it up into do different things. CIS control one is hardware.

Whereas CIS two is inventory of security controls. I inventory of security sorry, inventory and control of software assets. That is not broken apart by ISO 27,001. They keep those together as a dot eight, do one.one. Let's keep going here. We're gonna go to the next control, which is CIS control three, which is vulnerability management, continuous vulnerability management, every single security compliance.

Framework does have some sort of vulnerability management, our continuous monitoring and vulnerability management they're hand in hand. And this one is no different, so I sold 27,001, let me see let's see if they have it here. They have more of a risk rating response. That's continuously done.

management of technical vulnerabilities. Yeah. So they have a dot 12, do six.one that matches to CIS control three, 3.7, to be precise. Let's go on, keep moving here to CIS control four. And that covers controlled use of administrative privileges. And that's really important because you don't wanna give your admin accounts to everyone.

That's one. One of the things that some organizations do is they'll just give admin rights to everyone, anyone who needs it, they'll just put it on individual laptops and think it's okay. And it's really not okay. Because if you have an administrative privilege on that system, you can pretty much do what you want with that particular system.

And it might even allow you to escalate privileges on other systems. So you gotta be really careful with that. So that's why you have CIS control for. Controlled use of admin privileges and let's see what ISO 27,001 has. So ISO 27,001 does have this and they've broken it into parts and have it as password management systems as a dot nine dot four dot three.

They also have managed privileged access rights. There you go right there. So that matches directly to CIS four controlled use. Admin privileges. Let's keep it high. So far, I've gone through a bio, probably about 50 different controls. If you break it into the sub controls, it's probably 50. We just hit, but we'll just keep it high level and just focus on the main security controls.

Now let's move on to CIS five and this one deals with secure. Secure configuration and hardware software. This means like whenever you have a, laptop, a hard a laptop, a workstation, a server, there's a hardening process. Meaning we're gonna take this system and we're gonna make sure it doesn't have default passwords.

Make sure it has it's locked down. The WiFi's not just open and, attaching to anything. Maybe the wifi is off. We have some sort of secure configuration that we put on all hardware and software for mobile devices, laptop. Workstations and servers. This is a common, this is a, best practice. That's using most security frameworks.

So the ISO 27,001 does have this and they have it broken into two parts ex acceptable use of an asset where you would actually secure that system. And then also secure system engineering principles. Let's keep going to maintenance, monitoring, and analysis of audit. So the reason why audit logs in CIS control six is merged with maintenance is because audit logs are used not only for making sure that the incidents if you find any incidents, you can find them through the audit logs, but also for maintenance because every now and then a system goes down and you could put that in the log.

So it goes directly to a server. So you can, your maintenance people can go in and say, okay, let's look at the logs and see where this thing crash. So CIS six actually covers this and it maps directly to two different security controls in ISO 27,001 mainly event logging and clock synchronization. The reason why clock synchronization is important is because if you need a timestamp for all logs, otherwise if, you see that the system went.

You need to know what time it went down. So the actual clock synchronization is super important to event logs at the, and if the time is off, you don't know when an incident happened. You don't know when the system went down or whatever the log is telling you. All right. Let's keep going to CIS seven, which covers email and web browser.

Protections and these just so you know, these are not that much different from CIS controls eight. This is the same one that's so far, these are all the same ones that are in CIS version eight. So anyway, let's keep going here. We wanna know if this maps to ISO 27,001 and it does. So it goes into susceptible use of assets, just like we seen on the, in the previous section.

And then also it goes to restrictions on. Installations and that's what you have for protecting the email and browser protections. Another thing it has is network controls, making sure that the network traffic isn't going all over the place, making sure that we, making sure that the internal, our internal users are not allowed to go to.

Sites that they're not supposed to go to another one that's broken up into in ISEL 27,001 is control against malware. And that's your anti-virus stuff. E electronic messages that is making sure that you have secure messaging going back and forth, making sure that you don't have like email spoofing, things like that.

So it's broken up into several different parts, but let's keep going here to the next section to C I S eight and that's malware defense. This goes really deep into malware defenses for CIS controls those in everything from centralized management of, manage of anti malware software as, as well as ensuring that anti malware software signatures are updated and things like that.

And we do have this on ISO 27,001 name. And the control against malware is where we would find that in ISO 27,001, but there's several other breakdowns in ISO 27,001 that also link to our malware protection. All right, let's keep going to CIS nine. And this goes to limitations and control of network, ports, protocols, and services.

This is a common best practice that you'll find in this 800 you'll find in all of the different frameworks in some way, shape or form, do cover this on how to actually focus in. And use the, law of least functionality is what it's called the nest 800. But anyway let's, go into this one. So we're talking about associating, active ports and services with two asset inventories.

So we need to know is if port 23 is on which systems are using port 23. And ensuring the next one is ensuring only approved ports and protocols are used are running like what we only use in what we need. And you'll find the same thing in ISO 27,000 in one with security of network services and segregation of networks.

And then also network controls. Let's keep going here and see how we can map the next one, which is C I.  control 10, which is data recovery capabilities. So this one does map to ISO 27,001, namely in information backups that those two map directly to the CIS data recovery. And this is just what you might think is ensuring that you have regular automated backups making sure that you can recover from those backup.

And, making sure that you protect those backups. All right, let's go to the next one. And we don't have that many more to go here. But this should give you an idea of what's in CIS controls and also what's in ISO 27,001 as well. So let's keep going. CIS control 11. So this is secure configuration of net for network devices, such as firewalls routers and switch.

And if I'm not mistaken, this one might be a little bit different in the CIS eight. It's not the same. The content's the same. They just shifted things around a little bit. So this one is, dealing with maintaining a standard for security configurations for network devices. That's their switches.

That's your routers, that's your firewalls and things like that. And let's see if there's a comparable. Control on ISO 27,001. Yeah, we have change management. This is where you would control the actual iOS security on a system and making sure that you have change management. But the, also the another one that they have here on ISO 27,001 is segregation of networks.

That one is lined up with what you have in CIS controls as well. All right. Let's keep going.  C I S 12, and that is boundary defense. Now this is also in N 800. All the stuff that I've read so far is also in missed 800, maybe going forward, we will cover how CIS maps to N 800 because it does it all maps up.

And if one, that's why I say in some of my other courses and in my other videos is if one, you know them. There's a little bit of change of terminology. The control names are different, but if one, you know them all, okay. So this one is dealing with boundary defense, and this is maintaining an inventory of what is in your network.

What you need to know what's in your network. And to do this, you do things like scanning. You do things like denying certain communications from going to certain IPS. You have to control your boundary. In depth is used quite a bit with this one, but boundary defense and this one maps directly to network control.

That's in the ISO 27,001. Okay. Let's keep going here. Let's keep keeping it high level. There's a lot of things that we're going over, cuz we want to keep this high level. Okay. N the CIS control, 13 data protection. What does this one deal with? This is maintaining an inventory of sensitive information removing sensitive data or systems not regularly accessed by the organization.

Anything you don't need, we're gonna get rid of it. And making sure the sense of, data's not floating around out there, which is how a lot of data gets.  and ISO 27,001 has addresses this in several different controls. One is classification of information. Another one is network controls, another one's electronic messaging.

And another one is mobile device policies. And there's a few others, but we are gonna keep going. All right. So C I S 14, this one deals with controlled access controlled access. On on the need to know. And so this one is segmenting the network based on sensitivity, enable fi enabling firewall filtering for between VLANs.

And this sounds a lot like PCI compliance. So PCI compliance also maps to the CIS. PCI I'm, talking about PCI DSS, that's protection of credit cards and the credit card industries and retail retailers and hotels use this quite a bit. So they have to actually go through an audit and assessments and stuff for all of their card readers.

So for this one, you have the same thing. ISO 27,001 has segmentation of network. Network control. You can see them, them using the same ones. Theirs is just broken up differently. So they group a lot of, the controls together. Let's keep going here. We don't have that many more to go.

We're on 15 CIS control 15, which is wireless access control. So this one, as you would suspect it, it's disabling access points that are not used if they're not required detecting wireless access points. That are connected to the wired network and, taking an inventory of all your wireless stuff.

And so this is covered in ISO 27,001 in the inventory of assets and the network controls and the acceptable use of AC of, assets. Let's keep going here to the CIS 16. And I think we only have two or three left here, but CIS controls 16. Account monitoring and control. So in, in N 800, And in this 800, you have this one is AC two, a C one C three.

When you're doing account control and account management and things like that, this one is in CIS control 16. So how does this map? Two 27,001. Control. In the inventory of assets, that's where they control it in ISO 27,001. They also cover it in policy on the use of crypto cryptographic controls and control network controls and user registration.

And deregistration so you can see it's just broken up. They're covering the same topics, but it's broken up into different parts. Now let's keep going to CI. Control 17. And I wanna say this is the last one. Let me see. 18, 19 20. Okay. There's only three more left. All right. 17 we'll just quickly go through these implementation of security awareness training.

Self-explanatory you do have the same thing on ISO 27,001. It's literally called information security awareness, education and, training. Same. Okay, so we're gonna go to 18 and 18 is application software security. That's making sure that you're, whenever you're developing software is developed securely and is, establishing secure coding practices.

And you have the same thing over ISO ISO 27001, which is a secure development policy. Whenever you're developing the actual software, you have to develop it securely. Okay. Then we go into 19, which is incident response. This is a big one. This is also in IR in the IR controls, IR 1, 2, 3, and 4 in the NIST 800.

But how does this map over to ISO 27001? They have something called responsibilities and procedures. And they have reporting information, security events, and con contacting authorities. All right. Onto pen testing. So this is CIS control 20. This is penetration testing and red team exercises. And this one, I don't know, this one actually doesn't have a comparable ISO 27001 control, which is.

Very shocking and that pretty much covers all the maps between CIS controls and ISO 27,001. And we also mentioned a couple of N 800 controls and I'll catch you guys on the next podcast.

If you want to download your free copy of the CIS To ISO 27001. Then go ahead and go to https://securitycompliance.thinkific.com/courses/cis-control-maps