CIS Controls v8 Implementation Guide: IG1, IG2, and IG3 for Security Teams
CIS Controls v8, released in 2021, reorganized the prior 20 controls into 18 controls and introduced the Implementation Group (IG) model as the primary prioritization mechanism. IG1 is the minimum standard of information security hygiene applicable to every organization: 56 safeguards addressing the most common attack vectors against organizations with limited security resources. IG2 adds 74 safeguards for organizations with dedicated security personnel and moderate IT complexity. IG3 adds 23 safeguards covering the most advanced threats and is relevant for organizations facing nation-state or highly sophisticated adversaries.
The IG model is the most useful feature of CIS Controls v8 for practical implementation because it solves the prioritization problem that plagues security programs: with unlimited threats and finite resources, which controls should come first? CIS provides the answer backed by empirical analysis of real breach data. An organization that has fully implemented IG1 has a fundamentally different risk posture than one that has partially implemented controls across all 18 categories. This guide covers the full implementation sequence, the tooling that satisfies each control, and how to measure progress using the CIS Controls Self-Assessment Tool (CSAT).
Implementation Groups: How to Determine Your Starting Point
Implementation Groups are not strictly about organization size, though size is correlated. They are about risk profile and security resource capacity.
IG1 organizations have limited IT and cybersecurity expertise on staff, manage a relatively small amount of sensitive data, and face lower-sophistication threats. Small businesses, non-profits, and organizations with minimal compliance obligations typically fall here. The 56 IG1 safeguards are the cyber hygiene baseline: if an organization does not implement IG1, it is exposed to the vast majority of opportunistic attacks that account for most breach volume.
IG2 organizations employ individuals responsible for managing and protecting IT infrastructure, handle sensitive information in multiple areas, and face compliance requirements. Mid-size businesses, healthcare organizations, and regional government agencies typically fall here. IG2 adds controls for incident response, penetration testing, email and web browser defenses, and more granular data recovery.
IG3 organizations have dedicated security teams with specialist expertise, handle highly sensitive data at scale, and face advanced persistent threats, regulatory scrutiny, or high-impact consequences from compromise. Large enterprises, critical infrastructure operators, financial institutions, and defense contractors typically fall here. IG3 adds controls for application layer defenses, network infrastructure management, and advanced security operations.
How to determine your group: Answer these four questions:
- Do you have a dedicated security team or individual?
- Do you handle sensitive data for customers or regulated data types?
- Have you had a security incident in the past 24 months?
- Are you subject to regulatory compliance requirements?
Organizations answering yes to two or more should start with IG2 as their target, implementing IG1 safeguards first as the prerequisite. Organizations answering no to all should focus exclusively on IG1 to build the baseline before expanding scope.
The common mistake: Starting with IG2 or IG3 controls before completing IG1. Organizations often buy expensive security tools (SIEM, EDR, advanced vulnerability scanners) before completing basic asset inventory and account management. This produces security theater: sophisticated tools operating without the foundational data they require to function effectively.
The 18 CIS Controls: Priority Order and Key Safeguards
The 18 CIS Controls are presented in priority order, with the first six representing the highest-impact foundational controls.
Control 1: Inventory and Control of Enterprise Assets
Maintain an accurate inventory of all hardware assets with network access. IG1 safeguards: establish and maintain an enterprise asset inventory (1.1), address unauthorized assets (1.3). Tools: Lansweeper, GLPI, Qualys Asset Management, Microsoft Intune device inventory. You cannot protect assets you do not know exist.
Control 2: Inventory and Control of Software Assets
Maintain an inventory of all authorized software. IG1 safeguards: establish a software inventory (2.1), ensure only authorized software is installed (2.3). Tools: Microsoft Intune, Jamf, SCCM, Flexera.
Control 3: Data Protection
Develop processes to identify, classify, and protect data. IG1 safeguards: establish a data management process (3.1), configure data access control lists (3.3). Data classification is the prerequisite for meaningful DLP investment.
Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain secure configurations for all assets. IG1 safeguards: establish and maintain a secure configuration process (4.1), configure automatic session locking on enterprise assets (4.3). CIS Benchmarks provide specific hardening configurations for Windows, Linux, macOS, cloud services, and network devices.
Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials. IG1 safeguards: establish and maintain an inventory of accounts (5.1), use unique passwords (5.2), disable dormant accounts (5.3). Identity is the primary attack surface; Control 5 addresses the foundational account hygiene that enables everything downstream.
Control 6: Access Control Management
Use processes to create, assign, manage, and revoke access credentials. IG1 safeguards: establish an access granting process (6.1), establish an access revoking process (6.2). The offboarding process is the most commonly failed safeguard in this control.
Controls 7-12 (IG1 and IG2 scope): Continuous Vulnerability Management (7), Audit Log Management (8), Email and Web Browser Protections (9), Malware Defenses (10), Data Recovery (11), Network Infrastructure Management (12).
Controls 13-18 (IG2 and IG3 scope): Network Monitoring and Defense (13), Security Awareness and Skills Training (14), Service Provider Management (15), Application Software Security (16), Incident Response Management (17), Penetration Testing (18).
For IG1 implementation, prioritize controls 1 through 6 in sequence. Attempting to implement all 18 controls simultaneously produces partial implementation across all, which is less effective than complete implementation of the foundational six.
Conducting a CIS Controls Gap Assessment
A CIS Controls gap assessment evaluates your current implementation of each applicable safeguard and produces a scored remediation backlog. The most efficient method uses the CIS Controls Self-Assessment Tool (CSAT).
Using CIS CSAT: CIS CSAT is a free web-based tool at cisecurity.org that walks through every safeguard with structured questions about current implementation status. For each safeguard, you rate policy (is this defined in a policy?), process (is there a repeatable process?), technology (is a tool in place?), and automation (is this automated or manual?). The tool generates a scored report by control and IG, identifying your highest-gap areas.
Assessment approach: Rate each safeguard on a simple four-part scale:
- Policy exists: 25 points
- Process defined: 25 points
- Technology in place: 25 points
- Automated/continuously monitored: 25 points
A safeguard scoring 100 is fully implemented. A safeguard scoring 25 (policy only, no process or technology) is a significant gap regardless of the policy's quality.
Evidence collection: For each safeguard, document the evidence supporting your rating. Policy evidence: policy documents with version date and approval. Process evidence: runbooks, documented procedures, training records. Technology evidence: tool configuration screenshots, inventory reports, scan results. This documentation serves double duty: it supports CSAT ratings and provides evidence for external audits (SOC 2, ISO 27001, CMMC).
Prioritizing remediation: Rank gaps by: IG relevance (IG1 gaps first, regardless of which control they fall under), exploitability (gaps in controls 1-6 and 10 are most frequently exploited), and implementation cost. A safeguard that can be implemented by changing a Group Policy setting gets priority over one requiring a new tool procurement and deployment cycle.
Mapping gaps to tools: CIS provides a CIS Controls v8 tooling mapping guide that lists commercial and open source tools satisfying each safeguard. Use this to evaluate whether your current tool inventory already satisfies safeguards you rated as not implemented, or whether procurement is required.
Tooling for Each Control Group
Selecting tools aligned to CIS Controls reduces redundant procurement and ensures coverage across the control framework.
Controls 1-2 (Asset and Software Inventory):
- Open source: OCS Inventory, GLPI, Spiceworks
- Commercial: Lansweeper, Axonius, JupiterOne, Qualys CSAM
- Built-in: Microsoft Intune (device and software inventory for managed endpoints), AWS Config (cloud asset inventory)
Control 4 (Secure Configuration):
- CIS Benchmarks: Free hardening configurations for Windows Server, Ubuntu, macOS, Kubernetes, AWS, Azure, GCP, and 100+ others at cisecurity.org/cis-benchmarks
- Assessment tools: OpenSCAP (Linux), Microsoft Security Compliance Toolkit (Windows), CIS-CAT Pro (automated CIS Benchmark assessment)
Controls 5-6 (Account and Access Management):
- Directory services: Microsoft Active Directory, Azure Entra ID, Google Workspace Directory
- PAM: CyberArk, BeyondTrust, Delinea, AWS IAM Identity Center
- MFA: Microsoft Authenticator, Duo, Okta Verify, YubiKey (FIDO2 for phishing resistance)
Control 7 (Vulnerability Management):
- Open source: OpenVAS/Greenbone
- Commercial: Tenable.io, Qualys VMDR, Rapid7 InsightVM
- Cloud-native: AWS Inspector, Microsoft Defender for Cloud, Google Security Command Center
Control 8 (Audit Log Management):
- SIEM: Splunk, Microsoft Sentinel, Elastic SIEM, IBM QRadar
- Log aggregation: Graylog (open source), Sumo Logic, Datadog Security
Control 10 (Malware Defenses):
- Endpoint: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint
- Email: Microsoft Defender for Office 365, Proofpoint, Mimecast
Control 17 (Incident Response):
- IR platforms: Splunk SOAR, Palo Alto XSOAR, Tines
- Documentation: Confluence templates, PagerDuty for on-call management
Measuring Maturity with CIS CSAT and Reporting Progress
CIS Controls implementation is an ongoing program, not a one-time project. Measuring and communicating progress requires consistent methodology and a leadership-facing reporting format.
Using CSAT scores as a program metric: CIS CSAT generates a score between 0 and 100 for each control and overall. Use these scores as quarterly program metrics. A useful reporting format for leadership: current IG1 completion percentage, current IG2 completion percentage, top five highest-gap safeguards with remediation status, and quarter-over-quarter score trend. Framing scores as progress percentages rather than absolute numbers emphasizes improvement trajectory.
Maturity level mapping: CIS does not prescribe a formal maturity model, but practitioners typically use the following informal tiers for reporting:
- 0-30: Foundational gaps; significant exposure to common attacks
- 31-60: Basic hygiene in place; exposure to intermediate attacks
- 61-80: Solid IG1-IG2 implementation; addressing targeted threats
- 81-100: Comprehensive implementation; addressing advanced persistent threats
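The scoring model from the gap assessment section (25 points per dimension), the remediation ranking rules (IG1 first, then controls 1-6 and 10, then implementation cost) and the informal maturity tiers above, worked through in code. This is an added example, not CIS CSAT itself or any CIS-published logic; the `cost` field, the use of mean safeguard score as "completion percentage", and the IG2 safeguard ids in the sample are assumptions made for the illustration.

```python
from dataclasses import dataclass

POINTS_PER_DIMENSION = 25                       # policy, process, technology, automation
HIGH_EXPLOIT_CONTROLS = {1, 2, 3, 4, 5, 6, 10}  # controls the page flags as most exploited
MATURITY_TIERS = [(30, "Foundational gaps"), (60, "Basic hygiene in place"),
                  (80, "Solid IG1-IG2 implementation"), (100, "Comprehensive implementation")]

@dataclass(frozen=True)
class Safeguard:
    sid: str          # CIS safeguard id, e.g. "1.1"
    ig: int           # lowest Implementation Group that requires it (1, 2 or 3)
    policy: bool      # defined in an approved policy?
    process: bool     # repeatable, documented process?
    technology: bool  # tool in place?
    automated: bool   # automated / continuously monitored?
    cost: int         # assumed effort: 1 = config change, 2 = process work, 3 = new tool

    @property
    def control(self) -> int:
        return int(self.sid.split(".")[0])

    def score(self) -> int:
        """25 points per dimension: 100 = fully implemented, 25 = policy only."""
        return POINTS_PER_DIMENSION * sum((self.policy, self.process, self.technology, self.automated))

def ig_completion(safeguards, ig):
    """Mean safeguard score over everything in scope for `ig` (IG scopes are cumulative)."""
    in_scope = [s for s in safeguards if s.ig <= ig]
    return round(sum(s.score() for s in in_scope) / len(in_scope), 1) if in_scope else 0.0

def rank_gaps(safeguards):
    """Remediation order: IG1 first, then controls 1-6/10, then lowest cost, then lowest score."""
    gaps = [s for s in safeguards if s.score() < 100]
    return sorted(gaps, key=lambda s: (s.ig, s.control not in HIGH_EXPLOIT_CONTROLS, s.cost, s.score()))

def maturity_tier(score):
    return next(label for upper, label in MATURITY_TIERS if score <= upper)

def leadership_report(safeguards, top_n=5):
    """Quarterly summary: IG1/IG2 completion, top gaps, and the tier of the IG2 score."""
    return {"ig1_completion": ig_completion(safeguards, 1),
            "ig2_completion": ig_completion(safeguards, 2),
            "top_gaps": [s.sid for s in rank_gaps(safeguards)[:top_n]],
            "tier": maturity_tier(ig_completion(safeguards, 2))}

# Constructed sample backlog: the IG1 ids appear on the page; the IG2 ids are placeholders.
SAMPLE = [
    Safeguard("1.1", 1, True, True, True, False, 2),
    Safeguard("1.3", 1, True, False, False, False, 2),
    Safeguard("4.3", 1, True, True, True, True, 1),
    Safeguard("5.3", 1, False, False, False, False, 1),
    Safeguard("8.2", 1, True, True, False, False, 3),
    Safeguard("17.4", 2, True, False, False, False, 2),
    Safeguard("18.1", 2, False, False, False, False, 3),
]
```

Calling `leadership_report(SAMPLE)` on the constructed backlog puts the dormant-account gap (5.3, IG1, control 5, cheapest) at the top of the list and places the IG2 score in the "Basic hygiene" tier.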
Mapping CIS to other frameworks for compliance efficiency: CIS provides official mappings from CIS Controls v8 to NIST CSF 2.0, NIST SP 800-53 Rev 5, ISO 27001:2022, PCI DSS v4, HIPAA, and CMMC 2.0. These mappings are available free at cisecurity.org. The practical value: if you implement CIS Controls IG1 and IG2, you automatically satisfy a significant portion of PCI DSS, HIPAA, and SOC 2 requirements without running a separate control implementation project for each framework.
Annual reassessment cadence: Conduct a full CSAT reassessment annually or after significant infrastructure changes. Conduct targeted assessments after security incidents to evaluate whether the incident exploited a gap in a specific control area. Use incident postmortems to map root cause to the relevant CIS Control safeguard, creating a direct feedback loop between real-world failures and control prioritization.
The bottom line
CIS Controls v8 provides the clearest prioritization model in cybersecurity: implement IG1 completely before expanding to IG2 or IG3. The 56 IG1 safeguards address the attack vectors that account for the vast majority of successful breaches against organizations that lack sophisticated threat actor targeting. Start with a CIS CSAT assessment to identify your highest-gap safeguards, prioritize the first six controls in sequence, and use the CIS Benchmarks for secure configuration hardening. Measure progress quarterly using CSAT scores and report completion percentages by Implementation Group to leadership.
Frequently asked questions
What is the difference between CIS Controls IG1 and IG2?
IG1 contains 56 safeguards covering the foundational security hygiene applicable to every organization: asset inventory, secure configuration, account management, and basic malware defense. IG2 adds 74 safeguards targeting organizations with dedicated security staff and more complex IT environments, covering areas like incident response programs, penetration testing, and more granular network monitoring. The key distinction is organizational security capacity: IG1 is designed to be implementable without a dedicated security team; IG2 requires someone whose job includes operating security controls.
How does CIS Controls v8 differ from the NIST Cybersecurity Framework?
CIS Controls is a prescriptive control catalog: it tells you exactly what safeguards to implement and in what priority order. NIST CSF is an outcome-based framework: it describes what a mature security program achieves without prescribing specific controls. Most organizations benefit from using both: CSF for governance and board communication (expressing risk posture in function terms), CIS Controls for operational implementation (knowing exactly which technical safeguard to implement next). CIS provides official mapping tables from CIS Controls v8 to CSF 2.0 subcategories.
What is the CIS CSAT tool and is it free?
CIS CSAT (Controls Self-Assessment Tool) is a free web application at cisecurity.org that guides organizations through evaluating their implementation of each CIS Controls v8 safeguard across four dimensions: policy, process, technology, and automation. It generates scored reports by control, implementation group, and safeguard. CIS CSAT Pro is a commercial version adding team collaboration, historical tracking, and evidence attachment. The free version is sufficient for initial gap assessments; Pro is valuable for ongoing program management and audit evidence collection.
How long does CIS Controls IG1 implementation take?
A focused implementation of all 56 IG1 safeguards typically takes 3 to 6 months for a small to mid-size organization depending on the current state. Organizations starting from no formal security program should expect 6 months. Organizations with partial implementations of asset inventory, account management, and endpoint protection in place can often complete IG1 within 8 to 12 weeks by filling specific gaps rather than building from scratch. The longest-lead items are typically asset inventory completeness and secure configuration rollout across all endpoints.
Does implementing CIS Controls satisfy PCI DSS or HIPAA requirements?
Implementing CIS Controls does not replace PCI DSS or HIPAA compliance, but it significantly overlaps with both. CIS provides official mapping tables showing which CIS Controls safeguards satisfy specific PCI DSS v4 requirements and HIPAA Security Rule provisions. An organization that has fully implemented IG1 and IG2 has satisfied a large portion of both frameworks' technical requirements. The remaining gaps are typically in documentation requirements, business associate agreements, and audit logging specifics that are framework-specific rather than control-specific.
What changed from CIS Controls v7 to v8?
CIS Controls v8 consolidated the prior 20 controls into 18 and introduced the Implementation Group model as the primary prioritization mechanism. The most significant structural change was reorganizing controls around activities rather than asset types, and introducing the IG1 through IG3 tiers. CIS also integrated cloud and mobile considerations throughout v8 rather than treating them as separate appendices. The safeguard count changed from 171 in v7.1 to 153 in v8, reflecting elimination of duplicates and merging of related controls.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.