Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

CIS Controls Overview

What the CIS Controls are, the three Implementation Groups, and why IG1 is the practical starting point for most small-to-midsize organizations.

5 min read

Where NIST CSF gives you a vocabulary and structure for a security program (see NIST Cybersecurity Framework Overview), the CIS Controls tell you specifically what to do — a prioritized, prescriptive list of technical safeguards maintained by the Center for Internet Security. This article covers what the CIS Controls are, the three Implementation Groups that scale them to an organization's size and risk, and why the first group specifically is the right starting point for most small-to-midsize businesses.

What the CIS Controls are

The CIS Controls (Critical Security Controls) are a set of 18 prioritized safeguards covering areas like asset inventory, access control, malware defense, data protection, and incident response. The key difference from NIST CSF is specificity: NIST CSF's "Protect" function is an organizing category; a CIS Control under that same conceptual umbrella tells you, concretely, to maintain an inventory of authorized software and remove or block unauthorized software. That prescriptiveness is what makes CIS Controls immediately actionable for a technical team, even for organizations that also use NIST CSF to structure the broader program.

The three Implementation Groups

Not every organization needs to implement all 18 controls at full depth simultaneously. CIS organizes the controls into three Implementation Groups (IGs), each building on the one before it, scaled to organizational risk and capability.

CIS Controls Implementation Groups
GroupWho It's ForWhat It Adds
IG1Every organization, regardless of size or sectorEssential cyber hygiene — the baseline safeguards that address the most common, opportunistic attacks.
IG2Organizations with dedicated IT or security staff managing more complex environmentsBuilds on IG1 with more sophisticated, resource-intensive safeguards for organizations handling more sensitive data or maintaining more complex infrastructure.
IG3Organizations facing sophisticated threats or holding high-value, high-sensitivity dataAdds advanced safeguards aimed at reducing the impact of targeted attacks by sophisticated adversaries.
CIS Controls v8 — Password Requirements at a Glance1IG1

Essential cyber hygiene — a baseline appropriate for every organization.

2IG2

Builds on IG1 for organizations with dedicated IT/security staff handling more sensitive data.

3IG3

Builds on IG1 and IG2 for organizations facing sophisticated attacks or high-value targeting.

See the CIS Controls v8 documentation for the full safeguard list within each Implementation Group.

Why IG1 is the practical starting point

For most small-to-midsize organizations, IG1 is not a watered-down version of "real" security — it's the specific set of safeguards CIS designed to address the attacks that actually happen most often against organizations of this size: opportunistic phishing, unpatched known vulnerabilities, weak or reused credentials, and unmanaged assets nobody remembered were internet-facing. An organization with a genuinely solid IG1 baseline is meaningfully more resilient than one that has selectively implemented a few IG2 or IG3 controls while leaving basic hygiene gaps. IG1 is also achievable without a dedicated security team, which makes it the right first target for organizations working with IT KORR's Managed IT Services rather than an in-house security function.

Representative IG1 controls

A few IG1 safeguards illustrate what "essential hygiene" actually means in practice:

  • Asset inventory — maintaining an accurate, current inventory of all enterprise assets (devices, not just users) so nothing is running unmanaged or unpatched simply because nobody knew it existed.
  • Secure configuration — establishing and maintaining secure configuration baselines for devices and software rather than relying on manufacturer defaults, which are optimized for ease of setup, not security.
  • Access control management — ensuring accounts and access rights are granted, reviewed, and revoked deliberately rather than accumulating indefinitely — see Privileged Identity Management and Privileged Access for how this specifically applies to elevated accounts.
  • Malware defenses — deploying and maintaining anti-malware software across all managed endpoints, kept current rather than installed once and forgotten.
  • Data recovery — maintaining tested, working backups, since a recoverable organization survives a ransomware event that an unprepared one does not.

None of these are exotic; the difficulty is almost always sustaining them consistently over time rather than implementing them once.

Common mistakes

  • Attempting IG2 or IG3 controls before IG1 is solid. A sophisticated detection capability doesn't compensate for missing asset inventory or unpatched systems — attackers exploit the gap that exists, not the one that's hardest to find.
  • Treating IG1 as a checkbox exercise rather than a sustained baseline. A control implemented once during a project and never revisited (an inventory that goes stale, backups that stop being tested) degrades back toward the risk it was meant to close.
  • Assuming IG1 is "basic" and therefore optional for a mature organization. IG1 remains the foundation IG2 and IG3 build on; skipping it to jump to more advanced controls leaves the most commonly exploited gaps open.
  • Confusing CIS Controls with a certification. Like NIST CSF, there is no formal CIS Controls certification — it's a self-assessed technical baseline, though it maps well to requirements auditors for other frameworks will ask about directly.

FAQ

Do we need to implement all 18 controls at IG1 before doing anything else? Ideally yes, at least at a baseline level — IG1 is designed as a coherent set, and partial implementation leaves predictable gaps. In practice, organizations often prioritize asset inventory, access control, and data recovery first, since gaps there tend to have the most severe consequences.

How does CIS Controls relate to NIST CSF? They're complementary, not competing — NIST CSF organizes a program at the function level (Identify, Protect, Detect, Respond, Recover, Govern); CIS Controls provide the prescriptive technical detail underneath several of those functions, particularly Protect and Identify. See NIST Cybersecurity Framework Overview.

Is CIS Controls required by any regulation? Not directly by name, but IG1 in particular overlaps heavily with the technical expectations of HIPAA's Security Rule, PCI DSS, and typical cyber insurance questionnaires, making it a practical way to satisfy a large share of those requirements at once.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT