Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1

In a world faced with varying degrees of cyber attacks, implementing a cybersecurity framework can be a logical, but daunting, task. An enterprise needs a way to prioritize the implementation of security controls. For those using or wanting to use the CIS Critical Security Controls (CIS Controls) in their cybersecurity journeys, the Center for Internet Security® (CIS®) has developed Implementation Groups (IGs) — divided into IG1, IG2, and IG3 — to help prioritize the implementation of the CIS Controls. IGs are based on several factors — size and/or complexity, data types, resources and technology, threat types, and risk. Each IG identifies a set of CIS Safeguards that the enterprise should implement.

So where does an enterprise start? Every enterprise should begin with IG1, as it represents a minimum standard of information security that is the on-ramp to implementation of the CIS Controls. Referred to as "essential cyber hygiene," IG1 provides effective security value with technology and processes that are generally already available while providing a basis for more tailored and sophisticated action, if warranted. Once IG1 has been implemented, enterprises can move to CIS Safeguards in IG2 and IG3 based on the factors mentioned above. Keep in mind that CIS Safeguard implementation is not a one-time activity. Instead, it is an iterative approach to protecting an enterprise from cyber threats. Remember — environments change, threats change, and business objectives change.

These IGs provide a simple and accessible way to help enterprises of different classes focus their efforts on a specific set of best practices that will maximize the value (i.e., protection) when it comes to defending against cyber attacks. This brings us to a question. Which IG does your enterprise leverage? Download our guide to efficiently and less subjectively determine your IG.