ETSI publishes Critical Security Controls for Effective Cyber Defence as Technical Reports

Sophia Antipolis, 3 October 2018

The ETSI technical committee CYBER has updated its five-part international compendium of Technical Reports to protect networks from cyber-attacks: the “Critical Security Controls for Effective Cyber Defence” are based on the CIS Controls® and related materials.

The Reports use the CIS Controls v7 recommendations to describe the prioritized set of actions that collectively form a defence-in-depth set of best practices that mitigate the most common attacks against systems and networks.

Building a strong cyber defence for an enterprise is increasingly challenging. Access exists to an extraordinary array of security tools and technology, security standards, and countless other guidance and recommendations. But all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Therefore, we are honored that ETSI recognized the importance of the CIS Controls’ prioritized “do first” advice to improve global cyber defence by taking this action,” said Tony Sager, CIS Senior Vice President and Chief Evangelist.

ETSI’s expertise on security is a well-known asset among cybersecurity stakeholders and TC CYBER recognizes the benefits brought by the Critical Security Controls to enhance the cybersecurity posture of industry, administrations and end users,” says Alex Leadbeater, chairman of the ETSI Technical Committee CYBER, “The ETSI Technical Reports reflect the combined knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem.” This ensures that the CIS Controls are an effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks. These ETSI Reports were updated with the recent releases of both CIS Controls v7 and related materials to enable network providers to respond to the latest cyber security threats and meet new requirements such as General Data Protection Regulation (GDPR) compliance and cloud data centre hardening.

TR 103 305-1 addresses “The Critical Security Controls”. It captures and describes the prioritized set of actions that collectively form a defence-in-depth set of best practices that mitigate the most common attacks against systems and networks. TR 103 305-2, on measurement and auditing, is an evolving repository for measurement and effectiveness tests of Critical Security Control implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and Internet of Things (IoT) sectors are treated in TR 103 305-3 on Service Sector Implementations. TR 103 305-4 deals with Facilitation Mechanisms and provides a placeholder for reference information for several especially useful mechanisms: Hardened Images, Mappings and Compliance, Guide for Small- and Medium-Sized Enterprises, and Risk Assessment Method. TR 103 305-5, on privacy enhancement, includes a privacy impact assessment and use of the Controls to help meet provisions of the EU General Data Protection Regulation (GDPR).

About CIS
CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Controls and CIS BenchmarksTM are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. Our CIS Hardened ImagesTM are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud. CIS is home to both the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis CenterTM (EI-ISACTM), which supports the cybersecurity needs of U.S. State, Local and Territorial elections offices. To learn more, visit or follow us on Twitter: @CISecurity.

Barbara Ware

About ETSI
ETSI provides members with an open and inclusive environment to support the timely development, ratification and testing of globally applicable standards for ICT-enabled systems, applications and services across all sectors of industry and society. We are a not-for-profit body with more than 800 member organizations worldwide, drawn from 66 countries and five continents. Members comprise a diversified pool of large and small private companies, research entities, academia, government and public organizations. ETSI is one of only three bodies officially recognized by the EU as a European Standards Organization (ESO). For more information please visit: or follow us on Twitter @ETSI_Standards

Claire Boyer
Mob: +33 (0)6 87 60 84 40