The Center for Internet Security (CIS) and CREST, an international information security certification body, have joined forces to launch the CIS Controls Accreditation program. The initiative aims to provide organizations with a way to demonstrate that their cybersecurity practices align with the best practice guidance outlined in the CIS Critical Security Controls (CIS Controls). These controls are a set of globally recognized best practices designed to enhance an enterprise’s cybersecurity posture. The CIS Controls Accreditation program is the first of its kind to combine the CIS Controls with a program that offers accredited consulting services.
In recent months, CREST has been actively working to promote cybersecurity in developing countries. They recently announced a 50% discount for small businesses based in lower income countries, with the goal of reducing inequality in access to cyber defenses. This discount applies to membership and accreditation fees across all disciplines. Additionally, in April, CREST published a guide on enhancing cyber resilience in the financial sector in developing countries. The guide emphasized the need for multi-party cyber resilience testing and provided advice for governing authorities.
The CIS Controls Accreditation is designed to provide CIS SecureSuite Members and CREST members with a way to demonstrate their implementation of security best practices. The program offers a “stamp of approval” at the organizational level, reassuring customers that they are doing business with a reputable and reliable CIS Controls assessment organization. The cost of the accreditation is $1,500 USD for members and $2,500 USD for non-members.
Tom Brennan, the executive director of CREST Americas Region, highlights the importance of being able to effectively manage and analyze data from various devices and systems in today’s cybersecurity landscape. He believes that the combination of the CIS Controls and CREST accreditations offers an accelerated path for members to meet risk and compliance requirements while also enabling continuous monitoring of their security posture.
Curtis Dukes, the CIS executive VP and general manager of Security Best Practices, believes that the new accreditation is a significant step towards securing enterprises against current and emerging threats. He emphasizes the importance of organizations implementing the CIS Controls to reduce risk, meet compliance requirements, allocate resources effectively, and address multiple security domains.
The new accreditation has been well-received by the IT industry, according to Kevin Curran, an IEEE senior member and professor of cybersecurity at Ulster University. He praises the CIS Controls for their ability to help companies prioritize resources, meet compliance requirements, and effectively manage risk in today’s dynamic threat landscape.
While the CIS Controls Accreditation is a welcome addition to the cybersecurity industry, some experts believe that it has a narrow technical focus. They argue that it is essential for organizations to complement technical controls with robust processes and procedures to ensure comprehensive security. Despite this concern, the accreditation program represents a significant step forward in the ongoing effort to enhance cybersecurity practices and protect organizations from evolving threats.