Version 7.1 – A new way to look at the CIS Critical Security Controls

The CIS Critical Security Controls are internationally-recognized for bringing together expert insight about threats, business technology, and defensive options. They provide an effective, coherent, and simpler way to manage an organization’s security improvement program. But in our experience, organizations of every size and complexity still need more help to get started.  Many organizations are working with varying resources, expertise, and risk exposure. In security, one size rarely fits all.

Introducing Implementation Groups

Version 7.1 of the CIS Controls completely revamps how organizations should prioritize their cybersecurity activities with the introduction of Implementation Groups (IGs). The IGs provide a simple and accessible way to help organizations classify themselves as belonging to one of these IGs to focus their security resources, expertise, and risk exposure while leveraging the value of the CIS Controls program, community, complementary tools, and working aids.

To develop the IGs, we first took a “horizontal” look across all of the CIS Controls and identified a core set of defenses that organizations with limited resources and limited risk exposure should focus on. We call these accessible and high-value Sub-Controls IG1. These provide effective security value with technology and processes that are generally already available, while providing a basis for more tailored and sophisticated action if warranted.

Building upon IG1, we then identified an additional set of Sub-Controls for organizations with more resources and expertise, but also greater risk exposure. This is IG2. Finally, the rest of the Sub-Controls make up IG3. Watch the video to learn more:

Security for every organization

From their previous life as the SANS Top 20 to the growth and development of V7.1, the CIS Controls have always provided best practices for organizations to defend their cyber assets. The development of Implementation Groups helps businesses from around the world:

  • Create cybersecurity programs on a budget
  • Implement best practices regardless of cyber expertise
  • Defend systems and data with limited resources
  • Bolster their organization’s security no matter how complex

The CIS Controls V7.1 will be released later this year. In the meantime, you can read case studies, download white papers, and learn more on our website: