CIS Introduces V7.1 of CIS Controls Featuring New Implementation Groups

East Greenbush, N.Y.

April 4, 2019

CIS® (Center for Internet Security, Inc.) announces substantial enhancements to the CIS Controls™ in the new Version 7.1 of the CIS Controls. The CIS Controls are internationally-recognized cybersecurity best practices for defense against common threats that have been downloaded more than 150,000 times to date.

CIS Controls V7.1 introduces Implementation Groups (IGs) to the CIS Controls. The IGs are a simple and accessible way to help organizations classify themselves and focus their security resources and expertise while leveraging the value of the CIS Controls.

Through the development of CIS Controls V7.1 and the new Implementation Groups, organizations from around the globe can more easily:

  • Create an effective cybersecurity program on a budget
  • Practice cyber hygiene with limited resources and expertise
  • Prioritize their cybersecurity efforts
  • Implement security best practices, regardless of resources

“As popular as the CIS Controls are, some organizations of every size and complexity still need help to start implementing them. We listened to your feedback, and toward that end, we developed Implementation Groups (IGs) as part of CIS Controls V7.1. This doesn’t change the Sub-Controls or the Controls, but groups the Sub-Controls in a way that helps an organization prioritize and implement them.” said Tony Sager, CIS Senior Vice President and Chief Evangelist. “We also included a detailed methodology to help organizations self-assess which IG they fall within, and some editorial changes requested by our global community of adopters to clarify certain CIS Controls and Sub-Controls.”

Details on the New Implementation Groups

The IGs are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies which Sub-Controls are reasonable for an organization to implement based on their risk profile and their available resources.

  • To develop the IGs, the CIS Controls team first identified a core set of Sub-Controls that organizations with limited resources, expertise, and risk exposure should focus on. This is IG1, which combines effective security value with technology and processes that are generally already available. IG1 also provides a basis for more tailored and sophisticated action in situations which call for it.
  • The 43 CIS Sub-Controls in IG1 represent “Cyber Hygiene” – the essential protections that must be put into place to defend against common attacks. All organizations, regardless of which IG they are categorized as, should implement the Sub-Controls identified in IG1.
  • Each IG builds upon the previous one. IG2 identifies additional Sub-Controls for organizations with more resources and expertise than those in IG1, but also greater risk exposure. Finally, the rest of the Sub-Controls are included in IG3.Learn more about Implementation Groups here, or download CIS Controls V7.1 now

About CIS

CIS (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. Our CIS Hardened Images™ are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud. CIS is home to both the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. State, Local and Territorial elections offices. To learn more, visit or follow us on Twitter: @CISecurity.