1. CSN
  2. All Volumes and Issues
  3. Volume 6, Number 1, 2024
  4. Overview of the Cis Benchmarks Usage for Fulfilling the Requirements From International Standard ISO/IEC 27001:2022

Overview of the Cis Benchmarks Usage for Fulfilling the Requirements From International Standard ISO/IEC 27001:2022

CSN.
2024;
Volume 6, Number 1
: pp. 89 - 98
https://doi.org/10.23939/csn2024.01.089
Authors:
  1. Yevhenii Kurii
  2. Ivan Opirskyy
1
Lviv Polytechnic National University, Information Security Department
2
Lviv Polytechnic National University, Ukraine, Department Information Security

nding to emerging threats through the implementation of recognized standards in the field of information security, such as ISO 27001, was considered. The updated edition of the international standard ISO/IEC 27001 of 2022 and, in particular, the main changes in the structure of controls were analyzed. A detailed analysis of the new security control from Appendix A – A.8.9 – Configuration Management and possible ways of its effective implementation in organizations were carried out.

The use of configuration standards CIS Benchmark from the Center for Internet Security (CIS) is proposed as an effective way to ensure the protection of the organization’s assets and the implementation of the best industry security practices.

As a result of the conducted analysis and research, a clear connection and dependence between the use of the CIS Benchmark and compliance with the requirements of clause A.8.9 – Configuration Management of the ISO/IEC 27001:2022 standard was revealed. The classification of CIS Benchmark is presented and the list of key implementation points is described using the example of server infrastructure.

information security
cybersecurity
information security framework
cybersecurity framework
ISO 27001
Center for Internet Security
critical infrastructure
information asset
configuration management
CIS Benchmark
  1. (2022) ISO/IEC 27001: Information security, cybersecurity and privacy protection – Information security management systems – Requirements. URL: https://www.iso.org/standard/82875.html (Accessed: 15 March 2024).
  2. (2013) ISO/IEC 27001: Information Technology – Security Techniques – Information Security Management Systems – Requirements. URL: https://www.iso.org/standard/54534.html (Accessed: 15 March 2024).
  3. Susukailo V., Opirsky I., Yaremko O. (2022). Methodology of ISMS Establishment Against Modern Cybersecurity Threats. In: Klymash M., Beshley M., Luntovskyy A. (eds.) Future Intent-Based Networking. Lecture Notes in Electrical Engineering, vol. 831. Springer, Cham. DOI: 10.1007/978-3-030-92435-5_15
  4. Kurii Y., Opirskyy I. (2021). Analysis and Comparison of the NIST SP 800-53 and ISO/IEC 27001:2013. Paper presented at the CEUR Workshop Proceedings, 3288, 21–32.
  5. (2022) ISO/IEC 27002: Information security, cybersecurity and privacy protection – Information security controls. URL: https://www.iso.org/standard/75652.html (Accessed: 15 March 2024).
  6. Alrehili Afnan A., Alhazmi Omar. (2024). ISO/IEC 27001 Standard: Analytical and Comparative Overview. In: Advances in Data-Driven Computing and Intelligent Systems. DOI: 10.1007/978-981-99-9524-0_12
  7. Which ISO standards are the most popular – Analysis of ISO 2019 survey. [Елекронний ресурс]. Resource Access Mode: https://advisera.com/articles/which-iso-standards-are-the-most-popular-a... (Accessed: 15 March 2024).
  8. Kurii Y., Opirskyy I., Bortnik L. ISO/IEC 27001:2022 – Analysis оf Changes аnd Compliance Features оf The New Version Of The Standard // Materials of IXth International Scientific and Technical Conference Information Prot- ection аnd Information Systems Security, May 25–26, 2023. Lviv, Ukraine, pp. 15–17, ISBN 978- 966-941-829-6 Resource Access Mode: https://ir.lib.vntu.edu.ua/bitstream/handle/123456789/37567/127406.pdf?s... (Accessed: 16 March 2024).
  9. What Are The ISO 27001 Changes In 2022. [Елекронний ресурс]. Resource Access Mode: https://bestpractice.biz/what-are-the-iso-27001-changes-in-2022/ (Accessed: 15 March 2024).
  10. ISO 27002:2022, Control 8.9 – Configuration Management. [Елекронний ресурс]. Resource Access Mode: https://www.isms.online/iso-27002/control-8-9-configuration-management/ (Accessed: 15 March 2024).
  11. CIS Critical Security Controls Version 8 [Елекронний ресурс]. Resource Access Mode: https://www.cisecurity.org/controls/v8 (Accessed: 15 March 2024).
  12. CIS Controls v8 Mapping to ISO/IEC 27001:2022. [Елекронний ресурс]. Resource Access Mode: https://www. cisecurity.org/insights/white-papers/cis-controls-v8-mapping-to-iso-iec-27001-2022 (Accessed: 15 March 2024).
  13. What are CIS Benchmarks? [Елекронний ресурс]. Resource Access Mode: https://aws.amazon.com/what- is/cis-benchmarks/#:~:text=CIS%20Benchmarks%20from%20the%20Center,and%20manage%20their%20cybersecurity%20defenses (Accessed: 15 March 2024).
  14. CIS Benchmarks Community [Елекронний ресурс]. Resource Access Mode: https://www.cisecurity. org/communities/benchmarks (Accessed: 15 March 2024).
  15. CIS Benchmarks List [Елекронний ресурс]. Resource Access Mode: https://www.cisecurity.org/cis-benchmarks (Accessed: 15 March 2024).
  16. What is CIS Compliance?(and How to Apply CIS Benchmarks) [Елекронний ресурс]. Resource Access Mode: https://www.algosec.com/resources/cis-compliance/ (Accessed: 15 March 2024).