CIS CSC v8.1: Latest Changes & Difference with V8.0

Anwita


Jan 30, 2025

December 2022: OU Health, an Oklahoma-based hospital, reported a data breach affecting approximately 3,000 patients after an employee’s laptop was stolen. The breach exposed sensitive information, including treatment details, Social Security Numbers, and insurance data. This incident underscores the critical need for comprehensive security controls to safeguard sensitive data.

One way to ensure that your controls are functioning effectively and adhering to industry standards is to use the CIS CSC 8.1 controls. The Centre for Internet Security originally developed them in response to losses faced by the U.S. defense sector, but they can now be used by any industry. Recently, CIS has introduced a number of changes to the framework.

But what exactly are these updates? What are the major changes, and how do they improve security measures? And what impact do they have on your organization?

TLDR

  • CIS Controls v8.1 refines asset classifications, clarifies safeguard descriptions, and introduces documentation as a new asset type. 
  • It aligns security functions with NIST CSF 2.0, strengthening governance and risk management. 
  • Some of the glossary terms that underwent changes are Plan, Process, Sensitive data, Administrator accounts, Application. 

What is CIS CSC?

The Center for Internet Security Critical Security Controls, CIS CSC for short, is a set of security best practices and guidelines developed by the Centre for Internet Security. It outlines the key areas where organizations should focus their efforts to mitigate cyber threats and improve their posture. 

CIS CSC v8.1: what does it cover? 

CIS CSC v8.1 is the latest update to the previous version, 8.0. The new version aims to offer a simpler, better prioritized, and more prescriptive approach to improving your organization’s security defense program.

To summarize the changes introduced in this version:

  • Clarifies security jargon and key terms used throughout the control descriptions, and redefines and improves some of the glossary definitions.
  • Revises the asset classes and their mappings to the CIS Safeguards to improve the efficacy of the controls.
  • Clarifies, corrects, and improves the descriptions of minor safeguards to refine the accuracy of the references.
  • Aligns the security function mappings to the latest version of the NIST Cybersecurity Framework (2.0).

A quick breakdown of changes to CIS CSC 8.0 

The Centre for Internet Security released CIS Controls version 8.1 as a part of their continued effort to evolve and improve the controls. Let’s break down some of the changes we summarised before.

The governance function 

A key change in this update is the introduction of a ‘Governance’ function aligned with NIST CSF 2.0. This addition aims to help users identify the policies, procedures, and processes needed to build a security program aligned with enterprise goals. 

While the previous controls were comprehensive enough to enable enterprises of all sizes to protect and defend their assets adequately, CIS CSC v8.1 governance topics can now be used as recommendations. 

Enterprises can implement these recommendations to enhance the governance functions of their security program. This will help enterprises identify the governing pieces of their security program while collecting evidence that proves compliance. 

The safeguards and their v8.1 asset types:

| CIS Control | CIS Safeguard | Asset Type v8.1 | Title |
| --- | --- | --- | --- |
| 3 | 3.1 | Data | Establish and Maintain a Data Management Process |
| 4 | 4.1 | Documentation | Establish and Maintain a Secure Configuration Process |
| 4 | 4.2 | Documentation | Establish and Maintain a Secure Configuration Process for Network Infrastructure |
| 5 | 5.6 | Users | Centralize Account Management |
| 6 | 6.1 | Documentation | Establish an Access Granting Process |
| 6 | 6.2 | Documentation | Establish an Access Revoking Process |
| 6 | 6.8 | Users | Define and Maintain Role-Based Access Control |
| 7 | 7.1 | Documentation | Establish and Maintain a Vulnerability Management Process |
| 7 | 7.2 | Documentation | Establish and Maintain a Remediation Process |
| 8 | 8.1 | Documentation | Establish and Maintain an Audit Log Management Process |
| 11 | 11.1 | Documentation | Establish and Maintain a Data Recovery Process |
| 12 | 12.4 | Documentation | Establish and Maintain Architecture Diagram(s) |
| 14 | 14.1 | Documentation | Establish and Maintain a Security Awareness Program |
| 15 | 15.2 | Documentation | Establish and Maintain a Service Provider Management Policy |
| 15 | 15.3 | Users | Classify Service Providers |
| 15 | 15.4 | Documentation | Ensure Service Provider Contracts Include Security Requirements |
| 15 | 15.5 | Users | Assess Service Providers |
| 15 | 15.6 | Data | Monitor Service Providers |
| 16 | 16.1 | Documentation | Establish and Maintain a Secure Application Development Process |
| 16 | 16.2 | Documentation | Establish and Maintain a Process to Accept and Address Software Vulnerabilities |
| 16 | 16.6 | Documentation | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities |
| 16 | 16.13 | Software | Conduct Application Penetration Testing |
| 17 | 17.2 | Documentation | Establish and Maintain Contact Information for Reporting Security Incidents |
| 17 | 17.3 | Documentation | Establish and Maintain an Enterprise Process for Reporting Incidents |
| 17 | 17.4 | Documentation | Establish and Maintain an Incident Response Process |
| 18 | 18.1 | Documentation | Establish and Maintain a Penetration Testing Program |

Glossary expansion 

Some of the glossary terms were updated in CIS CSC v8.1. The updated definitions, as given by CIS, are:

Plan

A plan implements policies and may include groups of policies, processes, and procedures.

Process

A set of general tasks and activities to achieve a series of security-related goals. 

Sensitive data

Physical or digital data stored, processed, or managed by the enterprise that must be kept private, accurate, reliable, and available. If released or destroyed in an unauthorized manner, it would cause harm to the enterprise or its customers. These impacts may be due to a data breach or a violation of a policy, contract, or regulation.

Administrator accounts

Accounts for users requiring escalated privileges. The accounts are used for managing aspects of a computer, domain, or the whole enterprise information technology infrastructure. Each administrator account should be assigned to a single user. Common administrator account subtypes include root accounts, local administrator, domain administrator accounts, and network or security appliance administrator accounts.

Application

A program, or a group of programs, running on top of an operating system hosted on an enterprise asset. Example applications include web, database, cloud-based, and mobile. In this document, applications are considered software assets.

Application Programming Interface (API)

A set of rules and interfaces for software components to interact with each other in a standardized way. Depending on how they are defined, APIs often allow applications to communicate and access internal and external resources. 

Internet of Things (IoT)

Devices embedded with sensors, software, and other technologies. These devices may connect, store, and exchange data with other devices and systems. The device’s connection to the internet can be intermittent, non-existent, or persistent. These devices include smart watches and other wearables, printers, smart screens, smart home devices, speakers, industrial control systems, and physical security sensors. 

Library

A shareable pre-compiled codebase to include classes, procedures, scripts, configuration data, and more, used to develop software programs and applications. Libraries are designed to assist both the programmer and the programming language compiler in building and executing software more efficiently.

Log Data

A computer-generated data file that records the events occurring within the enterprise. Operating system, anti-malware detection, application, network, firewall, web server, or access control logs (e.g., electronic locks, alarm system) are some examples of logs.

Mobile devices

Small, enterprise-issued end-user devices with intrinsic wireless capability, such as smartphones and tablets. For this document, mobile devices are a subset of portable devices.

Mobile end-user devices

This term was renamed and its definition changed; the entry was removed from the glossary.

Network

A group of interconnected devices that exchange data. Enterprises may operate one or more networks that are managed together or independently.

Network Architecture

Refers to how a network is designed, both physically and logically. It defines how a network is organized, including the connections between devices and software as well as the data that is transmitted between them.

Asset clauses and mappings

In CIS Controls v8.1, each Safeguard is linked to an Asset Type, a Security Function, and one or more Implementation Groups to help organizations strengthen their security posture.

The six Security Functions—Identify, Protect, Detect, Respond, Recover, and Govern—serve as a structured approach to cybersecurity, ensuring risks are proactively managed and threats are swiftly addressed.

One of the biggest updates in CIS Controls v8.1 is the refined asset classifications and more precise descriptions of safeguards. Organizations can now categorize assets more effectively across seven key types:

  • Devices (e.g., laptops, servers, mobile devices)
  • Users (employees, contractors, third parties)
  • Applications (software, SaaS platforms, internal tools)
  • Data (structured and unstructured information)
  • Networks (internal, cloud, hybrid environments)
  • Software (operating systems, development tools)
  • Documentation (the newest addition—includes security plans, policies, and procedures)

Download the CIS asset mapping 

https://docs.google.com/document/d/1uIRlMrf-w5Cw0bVE9PT9cgIK3w17nTzVo-kMqT9qAH4/edit?tab=t.0

Your all-in-one control expert 

Sprinto automates CIS control requirements by continuously monitoring controls, identifying vulnerabilities, scoring risks, training employees, and detecting non-compliant activities—all in real-time.

With Sprinto, you get:

  • A single dashboard with a 360-degree, granular view of risks and controls
  • Cross-mapping and reusability of controls across multiple frameworks
  • Real-time compliance insights through automated checks and workflows
  • Continuous, accurate monitoring of your cloud assets to stay ahead of threats

Why does this matter? Managing CIS compliance manually is time-consuming and error-prone. Sprinto helps you stay proactive, streamline security efforts, and maintain compliance without the heavy lifting.

Want to see how organizations like yours achieved CIS compliance effortlessly? Talk to our experts today!

FAQs

What are the changes in CIS v8.1?

CIS Controls v8.1 introduces refined asset classifications, clearer Safeguard descriptions, and the addition of Documentation as a new asset type, which includes security plans, policies, and procedures. The update also aligns security functions more effectively with risk management strategies to ensure a structured and actionable approach to cybersecurity.

What is the difference between CIS v8 and NIST?

CIS v8 offers a practical, prioritized set of security controls designed for organizations of all sizes to improve their cybersecurity posture quickly. It focuses on implementable safeguards and maps them to NIST, ISO, and PCI DSS. In contrast, NIST frameworks offer broader, risk-based security guidelines primarily for government agencies and highly regulated industries. 

Anwita
Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
