Version 7.1 – A new way to look at the CIS Critical Security Controls

The CIS Critical Security Controls are internationally-recognized for bringing together expert insight about threats, business technology, and defensive options. They provide an effective, coherent, and simpler way to manage an organization’s security improvement program. But in our experience, organizations of every size and complexity still need more help to get started.  Many organizations are working with varying resources, expertise, and risk exposure. In security, one size rarely fits all.

Introducing Implementation Groups

Version 7.1 of the CIS Controls completely revamps how organizations should prioritize their cybersecurity activities with the introduction of Implementation Groups (IGs). The IGs provide a simple and accessible way to help organizations classify themselves as belonging to one of these IGs to focus their security resources, expertise, and risk exposure while leveraging the value of the CIS Controls program, community, complementary tools, and working aids.

To develop the IGs, we first took a “horizontal” look across all of the CIS Controls and identified a core set of defenses that organizations with limited resources and limited risk exposure should focus on. We call these accessible and high-value Sub-Controls IG1. These provide effective security value with technology and processes that are generally already available, while providing a basis for more tailored and sophisticated action if warranted.

Building upon IG1, we then identified an additional set of Sub-Controls for organizations with more resources and expertise, but also greater risk exposure. This is IG2. Finally, the rest of the Sub-Controls make up IG3. Watch the video to learn more: