CIS Implementation Groups (IGs)

Details the CIS Implementation Groups (IGs), which help organizations prioritize control adoption based on their size, risk profile, and available resources. It guides enterprises on scaling non-commercial security standards.

Updated 4/7/2026

Tags: CIS, Implementation Groups, SME, Prioritization

CIS Implementation Groups (IGs) are self-assessed categories designed to help enterprises prioritize the adoption of the 18 CIS Critical Security Controls. Introduced in Version 7.1 and refined in the CIS Critical Security Controls v8 Overview, these groups provide tailored, horizontal guidance across all controls based on an organization's size, risk profile, and available resources.

Historical Context and Purpose

Historically, the CIS Controls were ordered sequentially. Enterprises were advised to focus on a subset of the first six controls, which were collectively referred to as "cyber hygiene." However, this approach proved too simplistic. Organizations—especially small businesses—often struggled with complex early safeguards and subsequently never implemented critical later controls, such as establishing backup strategies for ransomware recovery.

To solve this, CIS introduced Implementation Groups to provide a more holistic, horizontal prioritization strategy. Rather than completing all safeguards of Control 1 before moving to Control 2, organizations implement a specific subset of safeguards across all controls that matches their operational capabilities.

The Cumulative Structure

Implementation Groups are cumulative, meaning each group builds upon the foundation of the previous one. An organization aiming for IG2 compliance must first implement all IG1 safeguards.

IG1: Essential Cyber Hygiene

IG1 represents the foundational set of cyber defense safeguards that every enterprise should apply to guard against the most common, non-targeted attacks.

  • Target Audience: Small to medium-sized enterprises (SMEs) with limited IT and cybersecurity expertise. This group strongly aligns with general Cybersecurity Strategies for SMEs.
  • Risk Profile: These organizations have a limited tolerance for downtime, as their principal concern is keeping the business operational. The data they protect is generally of lower sensitivity, typically limited to employee and basic financial information.
  • Implementation: Safeguards selected for IG1 can generally be implemented using Commercial Off-The-Shelf (COTS) hardware and software, requiring minimal specialized cybersecurity expertise.

IG2: Managing Operational Complexity (Includes IG1)

IG2 builds upon the foundational hygiene of IG1, shifting focus toward environments with greater complexity and regulatory scrutiny.

  • Target Audience: Enterprises that employ dedicated individuals responsible for managing and protecting IT infrastructure across multiple departments.
  • Risk Profile: These organizations often store and process sensitive client or enterprise information. While they can withstand short interruptions of service, a major concern is the loss of public confidence in the event of a breach. They may also face specific regulatory compliance burdens.
  • Implementation: Safeguards at this tier help security teams cope with increased operational complexity. They often depend on enterprise-grade technology and require specialized expertise to properly install, configure, and maintain.

IG3: Defending Against Sophisticated Adversaries (Includes IG1 & IG2)

IG3 encompasses all CIS Safeguards and is designed for highly mature, heavily targeted organizations.

  • Target Audience: Enterprises that employ specialized security experts across different facets of cybersecurity, such as risk management, application security, and penetration testing.
  • Risk Profile: IG3 assets contain highly sensitive information subject to strict regulatory and compliance oversight. Successful attacks against these organizations could cause significant harm to public welfare. These enterprises must rigorously ensure the availability, confidentiality, and integrity of sensitive data.
  • Implementation: Safeguards selected for IG3 are designed to mitigate targeted attacks from sophisticated adversaries and reduce the impact of zero-day attacks.