Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world

About Us Leadership Principles Testimonials


secure your organization
Secure Your Organization

secure specific platforms
Secure Specific Platforms

cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments

View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities

CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers




filter by topic
Filter by Topic

View All Resources  
CIS Logo Show Search Expand Menu

V7.1 Introduces Implementation Groups to the CIS Critical Security Controls™

The CIS Critical Security Controls are internationally-recognized cybersecurity best practices for defense against common threats.  They are a consensus-developed resource that brings together expert insight about cyber threats, business technology, and security. The CIS Controls are used by organizations with varying resources and risk exposure to build an effective cyber defense program. In our experience, however, organizations of every size and complexity still need more help to get started. To help, we developed the CIS Controls V7.1.

What’s new in V7.1:

  • Implementation Groups (IGs) - a new prioritization for the CIS Controls, at the Sub-Control level.
  • A detailed methodology to help organizations assess which IG they fall within.
  • Edits requested by the global community that clarify certain CIS Controls and Sub-Controls.

A new way to look at the CIS Controls

The IGs are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies which CIS Controls, at the Sub-Control level, are reasonable for an organization with a similar risk profile and resources to implement. The IGs are a simple and accessible way to help organizations classify themselves and focus their security resources and expertise while leveraging the value of the CIS Controls best practices

To develop the IGs, we first identified a core set of Sub-Controls that organizations with limited resources, expertise, and risk exposure should focus on. This is IG1, which combines effective security value with technology and processes that are generally already available. IG1 also provides a basis for more tailored and sophisticated action in situations which call for it.

The CIS Sub-Controls in IG1 represent “Cyber Hygiene” – the essential protections that must be put into place to defend against common attacks. All organizations, regardless of which IG they are categorized as, would complete the Sub-Controls identified in IG1.

Each IG builds upon the previous one. IG2 identifies additional Sub-Controls for organizations with more resources and expertise than those in IG1, but also greater risk exposure. Finally, the rest of the Sub-Controls are included in IG3.


Cyber hygiene and beyond

Through the development of CIS Controls V7.1 and the Implementation Groups, businesses from around the world can more easily:

  • Create an effective cybersecurity program on a budget
  • Practice cyber hygiene with limited resources and expertise
  • Prioritize their cybersecurity efforts

To get started, download the CIS Controls V7.1 and identify your organization’s IG. Once you’ve determined which IG is appropriate, you can focus on implementing the CIS Sub-Controls within that IG. You’ll be off to a great start defending your assets in cyberspace.

The CIS Controls V7.1 are also mapped to NIST Cybersecurity Framework (CSF), making them a valuable on-ramp to your team's cyber defense program.

Arrow Download CIS Controls V7.1 Mapping to NIST CSF