CIS Controls Implementation Groups

Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Controls. In an effort to assist enterprises of every size, IGs are divided into three groups. They are based on the risk profile and resources an enterprise has available to them to implement the CIS Controls.

Each IG identifies a set of Safeguards (previously referred to as CIS Sub-Controls), that they need to implement. There is a total of 153 Safeguards in CIS Controls v8.

Every enterprise should start with IG1. IG1 is defined as “basic cyber hygiene,” the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks.

IG2 builds upon IG1, and IG3 is comprised of all the Controls and Safeguards.

Below is a list of the CIS Controls in v8, and how many Safeguards in each are applicable to each Implementation Group.