Where NIST CSF gives you a vocabulary and structure for a security program (see NIST Cybersecurity Framework Overview), the CIS Controls tell you specifically what to do — a prioritized, prescriptive list of technical safeguards maintained by the Center for Internet Security. This article covers what the CIS Controls are, the three Implementation Groups that scale them to an organization's size and risk, and why the first group specifically is the right starting point for most small-to-midsize businesses.
What the CIS Controls are
The CIS Controls (Critical Security Controls) are a set of 18 prioritized safeguards covering areas like asset inventory, access control, malware defense, data protection, and incident response. The key difference from NIST CSF is specificity: NIST CSF's "Protect" function is an organizing category; a CIS Control under that same conceptual umbrella tells you, concretely, to maintain an inventory of authorized software and remove or block unauthorized software. That prescriptiveness is what makes CIS Controls immediately actionable for a technical team, even for organizations that also use NIST CSF to structure the broader program.
The three Implementation Groups
Not every organization needs to implement all 18 controls at full depth simultaneously. CIS organizes the controls into three Implementation Groups (IGs), each building on the one before it, scaled to organizational risk and capability.
| Group | Who It's For | What It Adds |
|---|---|---|
| IG1 | Every organization, regardless of size or sector | Essential cyber hygiene — the baseline safeguards that address the most common, opportunistic attacks. |
| IG2 | Organizations with dedicated IT or security staff managing more complex environments | Builds on IG1 with more sophisticated, resource-intensive safeguards for organizations handling more sensitive data or maintaining more complex infrastructure. |
| IG3 | Organizations facing sophisticated threats or holding high-value, high-sensitivity data | Adds advanced safeguards aimed at reducing the impact of targeted attacks by sophisticated adversaries. |
Why IG1 is the practical starting point
For most small-to-midsize organizations, IG1 is not a watered-down version of "real" security — it's the specific set of safeguards CIS designed to address the attacks that actually happen most often against organizations of this size: opportunistic phishing, unpatched known vulnerabilities, weak or reused credentials, and unmanaged assets nobody remembered were internet-facing. An organization with a genuinely solid IG1 baseline is meaningfully more resilient than one that has selectively implemented a few IG2 or IG3 controls while leaving basic hygiene gaps. IG1 is also achievable without a dedicated security team, which makes it the right first target for organizations working with IT KORR's Managed IT Services rather than an in-house security function.
Representative IG1 controls
A few IG1 safeguards illustrate what "essential hygiene" actually means in practice:
- Asset inventory — maintaining an accurate, current inventory of all enterprise assets (devices, not just users) so nothing is running unmanaged or unpatched simply because nobody knew it existed.
- Secure configuration — establishing and maintaining secure configuration baselines for devices and software rather than relying on manufacturer defaults, which are optimized for ease of setup, not security.
- Access control management — ensuring accounts and access rights are granted, reviewed, and revoked deliberately rather than accumulating indefinitely — see Privileged Identity Management and Privileged Access for how this specifically applies to elevated accounts.
- Malware defenses — deploying and maintaining anti-malware software across all managed endpoints, kept current rather than installed once and forgotten.
- Data recovery — maintaining tested, working backups, since a recoverable organization survives a ransomware event that an unprepared one does not.
None of these are exotic; the difficulty is almost always sustaining them consistently over time rather than implementing them once.
Common mistakes
- Attempting IG2 or IG3 controls before IG1 is solid. A sophisticated detection capability doesn't compensate for missing asset inventory or unpatched systems — attackers exploit the gap that exists, not the one that's hardest to find.
- Treating IG1 as a checkbox exercise rather than a sustained baseline. A control implemented once during a project and never revisited (an inventory that goes stale, backups that stop being tested) degrades back toward the risk it was meant to close.
- Assuming IG1 is "basic" and therefore optional for a mature organization. IG1 remains the foundation IG2 and IG3 build on; skipping it to jump to more advanced controls leaves the most commonly exploited gaps open.
- Confusing CIS Controls with a certification. Like NIST CSF, there is no formal CIS Controls certification — it's a self-assessed technical baseline, though it maps well to requirements auditors for other frameworks will ask about directly.
FAQ
Do we need to implement all 18 controls at IG1 before doing anything else? Ideally yes, at least at a baseline level — IG1 is designed as a coherent set, and partial implementation leaves predictable gaps. In practice, organizations often prioritize asset inventory, access control, and data recovery first, since gaps there tend to have the most severe consequences.
How does CIS Controls relate to NIST CSF? They're complementary, not competing — NIST CSF organizes a program at the function level (Identify, Protect, Detect, Respond, Recover, Govern); CIS Controls provide the prescriptive technical detail underneath several of those functions, particularly Protect and Identify. See NIST Cybersecurity Framework Overview.
Is CIS Controls required by any regulation? Not directly by name, but IG1 in particular overlaps heavily with the technical expectations of HIPAA's Security Rule, PCI DSS, and typical cyber insurance questionnaires, making it a practical way to satisfy a large share of those requirements at once.
Related reading
- NIST Cybersecurity Framework Overview
- Compliance Fundamentals
- Privileged Identity Management and Privileged Access
- Enterprise Infrastructure Fundamentals — asset inventory and secure configuration, the foundation of IG1
- Download: CIS Controls Checklist