
CIS Controls and Implementation Groups

The CIS Critical Security Controls are an ordered set of defensive actions that organisations can apply to protect systems and data against common attack techniques. This topic explains the Controls structure, the three Implementation Groups that prioritise them by organisational size and risk, and how auditors use CIS Benchmarks to measure configuration compliance.

The CIS Critical Security Controls (CIS Controls) are a prioritised catalogue of defensive actions published by the Center for Internet Security (CIS), a US-based non-profit organisation. Version 8, released in May 2021, organises 153 individual Safeguards into 18 Controls covering everything from hardware asset inventory to penetration testing. The Controls are explicitly derived from observed attack patterns: each Safeguard addresses a technique that real attackers use frequently, which distinguishes the framework from compliance-driven lists that may include controls with no empirical connection to actual risk. Three Implementation Groups (IG1, IG2, IG3) divide the Safeguards into cumulative subsets so that a small business can start with a realistic baseline rather than attempting the full catalogue at once.

CIS Benchmarks are a separate but related product line: configuration hardening guides for specific technologies such as Windows Server, Ubuntu Linux, AWS, Kubernetes, and Oracle Database. Where the Controls define categories of defence, Benchmarks prescribe exact setting values and provide audit procedures an examiner can run directly against a system. Together, the Controls and Benchmarks form a practical security baseline that organisations can implement without specialist research, because the work of translating threat data into actionable settings has already been done.

For security auditors, the CIS Controls serve two distinct functions. First, they provide a measurement baseline: an auditor can map an organisation's current security programme against the relevant Implementation Group and score each Safeguard as implemented, partial, or absent. Second, they provide a gap-analysis tool with built-in prioritisation, because the IG structure and the order of Controls within each group reflect the relative frequency and impact of the attacks they defend against. CIS also publishes explicit crosswalk documents to NIST CSF, ISO 27001, and PCI-DSS, which allow an auditor to reuse evidence across multiple compliance frameworks.

By the end of this topic you will be able to:

  • Describe the structure of CIS Controls v8 and explain what distinguishes a Control from a Safeguard.
  • Explain the purpose of Implementation Groups and identify which IG is appropriate for a given organisational profile.
  • Explain how CIS Benchmarks relate to the Controls and describe the two levels of Benchmark recommendation.
  • Apply the CIS Controls as a measurement baseline to score a security programme and produce a prioritised gap report.
  • Map CIS Controls coverage to NIST CSF and ISO 27001 using published crosswalk documents.

Key terms

CIS Controls v8
The eighth version of the CIS Critical Security Controls, released in May 2021. It consolidates 18 Controls and 153 Safeguards, reorganised from the previous 20-control structure. The revision merged several Controls and added cloud and mobile coverage to reflect current infrastructure.

Safeguard
The individual action item within a CIS Control. Each Safeguard specifies a concrete activity (for example, 'establish and maintain an accurate inventory of all enterprise assets') and is assigned to an Implementation Group. Controls contain multiple Safeguards.

Implementation Group (IG)
A risk-based tier that groups Safeguards by organisational complexity and data sensitivity. IG1 (56 Safeguards) is the minimum baseline for any organisation. IG2 (74 additional) targets organisations with more complex environments. IG3 (23 additional) covers the full catalogue and applies to organisations subject to sophisticated targeted attacks.

CIS Benchmark
A technology-specific configuration hardening guide published by CIS for operating systems, cloud services, databases, and applications. Each Benchmark provides Level 1 (broadly applicable, low disruption) and Level 2 (higher security, may reduce functionality) recommendations with specific audit commands.

CIS Controls Self-Assessment Tool (CSAT)
A free web-based tool provided by CIS that allows organisations to score their current implementation status for each Safeguard and generate a gap report. Auditors use CSAT to structure assessments and produce repeatable documentation of findings.

Crosswalk
A published mapping document that shows the correspondence between CIS Safeguards and the controls or subcategories of another framework such as NIST CSF, ISO 27001 Annex A, or PCI-DSS. Crosswalks allow auditors to reuse evidence across multiple compliance obligations.

Structure of CIS Controls v8

CIS Controls v8 contains 18 Controls and 153 Safeguards. The Controls are numbered 1 to 18 and are intentionally ordered: the first Controls address foundational visibility (knowing what assets and software you have), because every subsequent defence depends on that inventory. Later Controls address more specific threat scenarios such as email and web browser defences, network monitoring, and penetration testing.

A Control is a category or theme. A Safeguard is the specific, actionable task within that category. For example, Control 1 is 'Inventory and Control of Enterprise Assets'. Safeguard 1.1 within it is 'Establish and Maintain Detailed Enterprise Asset Inventory', assigned to IG1. Safeguard 1.2 is 'Address Unauthorised Assets', also IG1. Safeguard 1.3 is 'Utilise an Active Discovery Tool', assigned to IG2. The distinction matters for audit scope: when an auditor says an organisation is assessed against IG1, they mean all Safeguards marked IG1 across all 18 Controls.

Control number | Control name                               | Focus area
---------------|--------------------------------------------|--------------------------------------------
1              | Inventory and Control of Enterprise Assets | Know what hardware you have
2              | Inventory and Control of Software Assets   | Know what software is installed
3              | Data Protection                            | Classify, handle, and protect data
5              | Account Management                         | Manage user accounts and permissions
6              | Access Control Management                  | Restrict access to authorised users
12             | Network Infrastructure Management          | Secure network devices and architecture
17             | Incident Response Management               | Detect, contain, and recover from incidents
18             | Penetration Testing                        | Test defences with simulated attacks

Each Safeguard entry in the CIS Controls document specifies: the Safeguard title, a description of the activity, the asset type it applies to (devices, software, data, users, network, or services), the security function it performs (Identify, Protect, Detect, Respond, or Recover, drawn from the NIST CSF taxonomy), and the lowest Implementation Group at which it is required. This metadata makes it straightforward to filter the catalogue for a specific assessment scope.

Implementation Groups: IG1, IG2, and IG3

Implementation Groups were introduced in CIS Controls v7.1 to address a practical problem: a single unified control list gave small organisations no guidance on where to start. A dental clinic and a national bank both need security controls, but their resources and risk profiles differ by orders of magnitude. The IG structure provides a tiered answer.

IG1 is the essential cyber hygiene baseline. Its 56 Safeguards represent the actions that every organisation, regardless of size, should complete to defend against the most common, non-targeted attacks. CIS describes IG1 as appropriate for organisations with limited IT expertise and cybersecurity staff, constrained resources, and data that is primarily non-sensitive. Examples include small retailers, small professional service firms, and single-site non-profits.

IG2 adds 74 Safeguards to the IG1 baseline, totalling 130. The additional Safeguards address more complex environments with multiple departments, multiple network segments, cloud infrastructure, and a dedicated IT or security function. IG2 organisations handle sensitive client data or face compliance requirements such as HIPAA, PCI-DSS, or the EU General Data Protection Regulation. The additional Safeguards include activities such as establishing a vulnerability management programme, implementing multi-factor authentication for all accounts, and deploying a security information and event management (SIEM) system.

IG3 includes all 153 Safeguards. The 23 Safeguards added at this level address the requirements of organisations whose security failures could cause significant harm to critical infrastructure or public safety, or that face sophisticated adversaries including nation-state actors. IG3-only Safeguards include application layer filtering, advanced malware defence, and structured red team testing. Financial institutions, defence contractors, healthcare systems, and utilities typically operate at this level.

CIS Benchmarks: from Controls to configuration

The CIS Controls define what to do in broad terms: Control 4, 'Secure Configuration of Enterprise Assets and Software', says that organisations should establish and maintain secure configurations for devices and software. CIS Benchmarks translate that principle into exact, technology-specific settings. A Benchmark for Windows Server 2022, for example, specifies the exact Group Policy setting for password complexity, the exact value for the account lockout threshold, and the exact audit policy required for each event category.

Each Benchmark recommendation is classified as either Level 1 or Level 2. Level 1 recommendations are intended to be applicable to any organisation without significant disruption to normal operations. Level 2 recommendations provide higher security assurance but may reduce functionality or require additional effort to maintain. An organisation applying all Level 2 recommendations to a server operating system is making a deliberate choice to accept some operational constraint in exchange for a smaller attack surface.

CIS publishes Benchmarks for several hundred technology products, including major operating systems (Windows, Linux distributions, macOS), cloud platforms (AWS, Azure, GCP), container technologies (Docker, Kubernetes), databases (MySQL, PostgreSQL, Oracle, SQL Server), network devices (Cisco, Palo Alto), and browsers. CIS also provides CIS-CAT Pro, a paid scanning tool that automates the audit process by checking live systems against a chosen Benchmark and producing a scored report. Open-source tools such as OpenSCAP can evaluate some CIS content as well.
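To make the Level 1 / Level 2 distinction and the idea of an audit procedure an examiner can run directly against a system concrete, here is an added Python example. It is not CIS-CAT, OpenSCAP, or any CIS-published content. It parses a constructed sshd_config sample and evaluates a small, made-up recommendation set laid out the way a Benchmark is: each item has a level, a keyword and a pass condition; Level 2 items are evaluated only when the assessor chooses the Level 2 profile; and an absent keyword is treated as the daemon default in effect rather than skipped. The reference numbers X.1 to X.4, the titles and the level assignments are assumptions for this illustration, not quotations from a published Benchmark.

```python
"""Benchmark-style configuration audit of an SSH daemon config (added example).

The recommendation set is constructed: it copies the Level 1 / Level 2 layout of a
CIS Benchmark, but the reference numbers, titles and levels are not quoted from any
published Benchmark. The sshd_config text is a made-up sample, not a real host.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding no
ClientAliveInterval 300
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map each keyword (lower-cased) to its first value.

    sshd honours the first occurrence of a keyword, so a duplicate lower down the
    file is ignored here as well. Only whole-line '#' comments are skipped.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


@dataclass(frozen=True)
class Recommendation:
    ref: str        # constructed identifier, not an official Benchmark number
    title: str
    level: int      # 1 = broadly applicable; 2 = higher assurance, may reduce functionality
    keyword: str
    check: Callable[[Optional[str]], bool]   # receives None when the keyword is absent


# A missing keyword means the daemon default applies, so every check decides what
# to do with None instead of assuming the setting was configured explicitly.
RECOMMENDATIONS: List[Recommendation] = [
    Recommendation("X.1", "Root login over SSH is disabled", 1, "permitrootlogin",
                   lambda v: v is not None and v.lower() == "no"),
    Recommendation("X.2", "MaxAuthTries is 4 or fewer", 1, "maxauthtries",
                   lambda v: v is not None and v.isdigit() and int(v) <= 4),
    Recommendation("X.3", "X11 forwarding is disabled", 1, "x11forwarding",
                   lambda v: v is not None and v.lower() == "no"),
    Recommendation("X.4", "TCP forwarding is disabled", 2, "allowtcpforwarding",
                   lambda v: v is not None and v.lower() == "no"),
]


@dataclass
class Result:
    ref: str
    title: str
    level: int
    status: str              # "pass", "fail", or "not assessed" (outside the chosen profile)
    observed: Optional[str]  # the value found, or None if the daemon default is in effect


def audit(config_text: str, profile_level: int = 1) -> List[Result]:
    """Evaluate every recommendation at or below the chosen profile level."""
    settings = parse_sshd_config(config_text)
    results = []
    for rec in RECOMMENDATIONS:
        observed = settings.get(rec.keyword)
        if rec.level > profile_level:
            results.append(Result(rec.ref, rec.title, rec.level, "not assessed", observed))
            continue
        status = "pass" if rec.check(observed) else "fail"
        results.append(Result(rec.ref, rec.title, rec.level, status, observed))
    return results


def score(results: List[Result]) -> float:
    """Percentage of assessed recommendations that passed, as a scanner would report it."""
    assessed = [r for r in results if r.status != "not assessed"]
    if not assessed:
        return 0.0
    return round(100.0 * sum(r.status == "pass" for r in assessed) / len(assessed), 1)


if __name__ == "__main__":
    for level in (1, 2):
        results = audit(SAMPLE_SSHD_CONFIG, profile_level=level)
        print(f"Profile Level {level}: {score(results)}% of assessed recommendations pass")
        for r in results:
            print(f"  {r.ref} [L{r.level}] {r.status:<12} observed={r.observed!r}  {r.title}")
```

Run stand-alone, the block scores the sample at both profile levels: the Level 1 score is 33.3% (two of three assessed items fail), and choosing the Level 2 profile drops it to 25.0% because the Level 2 item is absent from the file and so fails on the daemon default. Evaluating defaults, not only the lines present, is what separates a Benchmark audit from a search for the setting name.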

Using CIS Controls as a measurement baseline

A CIS Controls assessment starts by determining the organisation's Implementation Group. This is not initially a technical question: it requires understanding the organisation's size, IT staffing, regulatory obligations, and the sensitivity of the data it processes. A hospital system subject to HIPAA in the United States, the NHS in the United Kingdom, or the Health Insurance Portability requirements of India's National Digital Health Mission will almost always fall into IG2 or IG3, because their data sensitivity and regulatory obligations place them beyond the IG1 profile.

Once the IG is set, the auditor works through every Safeguard in scope. For each Safeguard, the assessment records: the current implementation status (not implemented, partially implemented, or fully implemented), the evidence reviewed (policy documents, configuration outputs, tool reports, interview notes), and the risk implication of any gap. The CIS Controls Self-Assessment Tool (CSAT) provides a structured form for this process and generates a dashboard showing implementation percentages by Control and by IG tier.

The output of a CIS Controls assessment is a gap report in which gaps are already ordered by priority, because the IG structure places the highest-impact, most frequently exploited Safeguards first. A gap in Safeguard 1.1 (asset inventory) is almost always more consequential than a gap in a Control 18 Safeguard (penetration testing cadence), because the Controls are ordered to reflect attack frequency data. This built-in prioritisation distinguishes the CIS Controls from compliance frameworks where all controls nominally carry equal weight.

Mapping CIS Controls to other frameworks

Most large organisations face multiple compliance obligations simultaneously. A financial services firm in India may need to satisfy the Reserve Bank of India's cybersecurity framework, the Digital Personal Data Protection Act 2023, and ISO 27001 certification requirements, while also preferring to use the CIS Controls as an operational baseline. In the European Union, the same firm might need DORA compliance alongside ISO 27001. The challenge is avoiding duplicated assessment work across frameworks.

CIS publishes official crosswalk documents that map each Safeguard to corresponding controls in NIST CSF, NIST SP 800-53, ISO 27001:2022 Annex A, PCI-DSS v4.0, and HIPAA. The mapping is many-to-many: a single Safeguard may satisfy multiple NIST CSF subcategories, and a single ISO 27001 Annex A control may be addressed by several Safeguards. Auditors use these crosswalks to build a unified evidence library: a single policy document or configuration report can satisfy a CIS Safeguard and its NIST or ISO equivalent simultaneously, reducing the total audit workload.

The relationship between CIS Controls and NIST CSF is particularly close. The NIST CSF functions (Identify, Protect, Detect, Respond, Recover) are used in the CIS Controls documentation to classify each Safeguard's security function. This shared taxonomy means that a CIS Controls gap report can be restated directly as a NIST CSF coverage map without significant rework. See Mapping Controls Across Frameworks for a detailed treatment of this translation process.
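An added Python example of the two uses described above, the unified evidence library and the restatement of a CIS gap report as a coverage map for another framework. It is not CIS's crosswalk or any CIS tool. The CROSSWALK, EVIDENCE and STATUSES tables are constructed placeholders: the reference identifiers are written in NIST CSF and ISO 27001:2022 Annex A style but are not the official mapping, which an assessor would load from the published crosswalk documents in place of the CROSSWALK dictionary. The rule that a reference is covered only when every Safeguard mapped to it is implemented is a conservative choice made for this example, not a CIS rule.

```python
"""Crosswalk-based evidence reuse and coverage translation (added example).

All mappings, artefacts and statuses below are constructed placeholders; the
authoritative correspondence comes only from the crosswalk documents CIS publishes.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed many-to-many crosswalk: one Safeguard -> several references, and one
# reference (for example A.5.9 below) reached from several Safeguards.
CROSSWALK: Dict[str, Dict[str, List[str]]] = {
    "1.1": {"NIST CSF": ["ID.AM-1"], "ISO 27001:2022": ["A.5.9"]},
    "1.2": {"NIST CSF": ["ID.AM-1", "PR.AC-3"], "ISO 27001:2022": ["A.5.9"]},
    "2.1": {"NIST CSF": ["ID.AM-2"], "ISO 27001:2022": ["A.5.9"]},
    "5.2": {"NIST CSF": ["PR.AC-1"], "ISO 27001:2022": ["A.5.17"]},
    "6.3": {"NIST CSF": ["PR.AC-7"], "ISO 27001:2022": ["A.8.5"]},
}

# Constructed evidence library: artefact -> Safeguards it was accepted as evidence for.
EVIDENCE: Dict[str, List[str]] = {
    "asset-inventory-export.csv": ["1.1", "1.2"],
    "software-inventory-report.pdf": ["2.1"],
    "password-policy-v3.pdf": ["5.2"],
}

# Constructed assessment outcome for the same Safeguards.
STATUSES: Dict[str, str] = {
    "1.1": "implemented", "1.2": "partial", "2.1": "implemented",
    "5.2": "not implemented", "6.3": "not implemented",
}


def invert(crosswalk: Dict[str, Dict[str, List[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """framework -> reference -> the set of Safeguards that map onto it."""
    index: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for sid, frameworks in crosswalk.items():
        for framework, refs in frameworks.items():
            for ref in refs:
                index[framework][ref].add(sid)
    return index


def artefact_reach(artefact: str, evidence: Dict[str, List[str]] = EVIDENCE,
                   crosswalk: Dict[str, Dict[str, List[str]]] = CROSSWALK) -> Dict[str, Set[str]]:
    """Every framework reference that one artefact contributes evidence towards."""
    reach: Dict[str, Set[str]] = defaultdict(set)
    for sid in evidence.get(artefact, []):
        for framework, refs in crosswalk.get(sid, {}).items():
            reach[framework].update(refs)
    return dict(reach)


def coverage(statuses: Dict[str, str], framework: str,
             crosswalk: Dict[str, Dict[str, List[str]]] = CROSSWALK) -> Dict[str, str]:
    """Restate Safeguard statuses as a coverage map for another framework.

    Conservative rule chosen for this example: 'covered' only when every mapped
    Safeguard is fully implemented, 'partial' when at least one is implemented or
    partial, and 'gap' when none has any implementation at all.
    """
    result: Dict[str, str] = {}
    for ref, sids in invert(crosswalk)[framework].items():
        states = [statuses.get(sid, "not implemented") for sid in sids]
        if all(s == "implemented" for s in states):
            result[ref] = "covered"
        elif any(s in ("implemented", "partial") for s in states):
            result[ref] = "partial"
        else:
            result[ref] = "gap"
    return dict(sorted(result.items()))


if __name__ == "__main__":
    print("asset-inventory-export.csv reaches:", artefact_reach("asset-inventory-export.csv"))
    for fw in ("NIST CSF", "ISO 27001:2022"):
        print(f"{fw} coverage derived from the CIS gap report: {coverage(STATUSES, fw)}")
```

The partial status on Safeguard 1.2 propagates to every reference it maps to, so the asset-inventory reference in both frameworks reads as partial even though Safeguard 1.1 is fully implemented. That is the behaviour an auditor wants from a many-to-many mapping: evidence is reused, but a weakness in one contributing Safeguard is not hidden by a stronger neighbour.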

CIS Controls in audit practice: scope, evidence, and reporting

When a client engages an auditor to assess against CIS Controls, the first deliverable is an agreement on scope: which systems are in scope, which Implementation Group applies, and whether any Safeguards are formally excluded (with documented justification). Scope exclusions are common for Safeguards that apply to technology the organisation does not use; a company with no wireless network can exclude wireless-specific Safeguards if it documents the absence of wireless infrastructure.

Evidence collection follows the Safeguard type. Policy and process Safeguards (for example, 'Establish and Maintain a Data Management Process') require document review: the auditor reads the policy, checks its approval date and review cycle, and confirms it covers the required elements. Technical Safeguards require configuration evidence: system outputs, tool reports, or direct inspection of settings. CIS Benchmark reports satisfy configuration Safeguards for specific platforms. Personnel Safeguards (for example, 'Establish and Maintain a Security Awareness Programme') require training records and content review.

The audit report presents findings in order of risk, not in Controls order. Gaps in IG1 Safeguards, if any remain in an IG2 or IG3 organisation, are flagged as critical because they represent failures in the most basic defensive layer. The report should state each gap as a finding, reference the specific Safeguard number and title, describe the evidence (or absence of evidence) reviewed, assess the risk, and recommend a specific remediation action. Recommendations should reference available CIS guidance, including relevant Benchmarks, so the organisation's technical staff can implement the fix without ambiguity.
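The assessment procedure described under 'Using CIS Controls as a measurement baseline' and the scoping and reporting rules in this section, as one added Python example that is not CSAT or any CIS code. It filters a Safeguard catalogue by Implementation Group, treating the groups as cumulative; refuses a scope exclusion that has no written justification; records a status and the evidence reviewed for each Safeguard; computes CSAT-style implementation percentages by Control and by IG tier; and orders the gap report by severity, flagging an IG1 gap in an IG2 or IG3 organisation as critical. The catalogue fragment is constructed: Safeguards 1.1, 1.2 and 1.3 carry the titles and IG assignments given in this topic, the other entries have placeholder titles and made-up IG values, and the asset-type and function columns are filled in only to show the metadata shape. The 'high' and 'medium' labels are this example's own choice.

```python
"""CIS Controls assessment pipeline (added example, not CSAT or any CIS code).

The catalogue fragment is constructed: 1.1 to 1.3 are titled as in this topic;
the rest are placeholders, and the metadata outside Control 1 is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Safeguard:
    id: str          # "<control>.<n>"
    title: str
    asset_type: str  # devices, software, data, users, network, or services
    function: str    # Identify, Protect, Detect, Respond, or Recover
    ig: int          # lowest Implementation Group at which it is required


CATALOGUE: List[Safeguard] = [
    Safeguard("1.1", "Establish and Maintain Detailed Enterprise Asset Inventory", "devices", "Identify", 1),
    Safeguard("1.2", "Address Unauthorised Assets", "devices", "Respond", 1),
    Safeguard("1.3", "Utilise an Active Discovery Tool", "devices", "Detect", 2),
    Safeguard("4.1", "Placeholder: secure configuration process", "devices", "Protect", 1),
    Safeguard("17.1", "Placeholder: incident handling contacts", "users", "Respond", 1),
    Safeguard("18.1", "Placeholder: penetration testing programme", "network", "Identify", 2),
    Safeguard("18.3", "Placeholder: remediate penetration test findings", "network", "Protect", 3),
]

STATUS_SCORE = {"implemented": 1.0, "partial": 0.5, "not implemented": 0.0}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    safeguard: Safeguard
    status: str
    evidence: str
    severity: str    # "none" when the Safeguard is implemented


def sort_key(sid: str) -> Tuple[int, int]:
    control, n = sid.split(".")
    return int(control), int(n)


def in_scope(catalogue: List[Safeguard], ig: int,
             exclusions: Optional[Dict[str, str]] = None) -> List[Safeguard]:
    """IGs are cumulative: an IG2 scope is every Safeguard whose lowest IG is 1 or 2.
    Exclusions are keyed by Safeguard id and must carry a written justification."""
    exclusions = exclusions or {}
    for sid, justification in exclusions.items():
        if not justification.strip():
            raise ValueError(f"exclusion of Safeguard {sid} has no documented justification")
    return sorted((s for s in catalogue if s.ig <= ig and s.id not in exclusions),
                  key=lambda s: sort_key(s.id))


def assess(catalogue: List[Safeguard], ig: int, statuses: Dict[str, str],
           evidence: Dict[str, str], exclusions: Optional[Dict[str, str]] = None) -> List[Finding]:
    """One Finding per in-scope Safeguard; an unrecorded status counts as not implemented."""
    findings = []
    for s in in_scope(catalogue, ig, exclusions):
        status = statuses.get(s.id, "not implemented")
        if status == "implemented":
            severity = "none"
        elif s.ig == 1 and ig > 1:
            severity = "critical"   # basic hygiene gap in an IG2/IG3 organisation
        elif s.ig < ig:
            severity = "high"       # gap from a tier below the organisation's own
        else:
            severity = "medium"     # gap at the organisation's own tier
        findings.append(Finding(s, status, evidence.get(s.id, "no evidence provided"), severity))
    return findings


def gap_report(findings: List[Finding]) -> List[Finding]:
    """Gaps ordered by severity, then Safeguard IG, then Control and Safeguard number."""
    gaps = [f for f in findings if f.severity != "none"]
    return sorted(gaps, key=lambda f: (SEVERITY_RANK[f.severity], f.safeguard.ig,
                                       sort_key(f.safeguard.id)))


def implementation_pct(findings: List[Finding], by: str) -> Dict[str, float]:
    """Dashboard percentages by "control" or by "ig"; a partial status counts as half."""
    buckets: Dict[str, List[float]] = defaultdict(list)
    for f in findings:
        key = f.safeguard.id.split(".")[0] if by == "control" else f"IG{f.safeguard.ig}"
        buckets[key].append(STATUS_SCORE[f.status])
    return {k: round(100.0 * sum(v) / len(v), 1) for k, v in buckets.items()}


# Constructed assessment of an IG2 organisation (Safeguard 17.1 was never recorded).
ORG_IG = 2
STATUSES = {"1.1": "implemented", "1.2": "partial", "1.3": "not implemented",
            "4.1": "implemented", "18.1": "implemented"}
EVIDENCE = {"1.1": "CMDB export reviewed", "1.2": "quarantine procedure drafted, not enforced",
            "4.1": "hardening standard and Benchmark scan report", "18.1": "last annual test report"}

if __name__ == "__main__":
    findings = assess(CATALOGUE, ORG_IG, STATUSES, EVIDENCE)
    print("Implementation % by Control:", implementation_pct(findings, "control"))
    print("Implementation % by IG tier:", implementation_pct(findings, "ig"))
    for f in gap_report(findings):
        s = f.safeguard
        print(f"[{f.severity.upper():8}] {s.id} (IG{s.ig}) {s.title}: {f.status}; evidence: {f.evidence}")
```

On the constructed data the gap report lists Safeguard 1.2 and Safeguard 17.1 first as critical (both IG1 gaps in an IG2 organisation, the unrecorded 17.1 counting as not implemented with no evidence), then Safeguard 1.3 as a medium gap at the organisation's own tier; Safeguard 18.3 never appears because it is IG3-only and out of scope. Treating a missing status record as a gap rather than silently skipping it is deliberate: an assessment that only scores what was recorded overstates coverage.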

Auditors working in the financial sector should note that regulators in multiple jurisdictions have endorsed CIS Controls as an acceptable baseline. The US Federal Financial Institutions Examination Council (FFIEC) references CIS Controls in its cybersecurity assessment tool. India's Securities and Exchange Board of India (SEBI) Cybersecurity and Cyber Resilience Framework accepts CIS Controls alignment as partial evidence for its requirements. The UK National Cyber Security Centre (NCSC) Cyber Essentials scheme overlaps substantially with IG1. Understanding these regulatory endorsements allows an auditor to frame CIS Controls findings directly in terms of regulatory exposure.

Check your understanding

An organisation is a 15-person accounting firm with no dedicated IT security staff, handling primarily client financial records. Which Implementation Group is most appropriate?

Key Takeaways

  • CIS Controls v8 contains 18 Controls and 153 Safeguards ordered by attack frequency: the Controls addressing asset inventory and access control appear first because every subsequent defence depends on knowing what assets exist and who can access them.
  • Implementation Groups are cumulative tiers: IG1 covers 56 Safeguards for all organisations, IG2 adds 74 more for complex environments, and IG3 includes all 153 Safeguards for organisations facing sophisticated or targeted attacks.
  • CIS Benchmarks are technology-specific configuration guides that complement the Controls; Level 1 recommendations are broadly applicable, while Level 2 recommendations provide higher assurance at the cost of some functionality.
  • Auditors use the CIS Controls as both a measurement baseline and a gap-analysis tool with built-in prioritisation: gaps in lower-numbered Controls and lower-IG Safeguards are automatically higher risk because of the attack-frequency ordering.
  • Published CIS crosswalk documents map Safeguards to NIST CSF, ISO 27001 Annex A, and PCI-DSS, allowing a single evidence set to satisfy multiple compliance frameworks and reducing duplicated audit effort.

What are the CIS Critical Security Controls?
The CIS Critical Security Controls (CIS Controls) are a prioritised set of defensive actions published by the Center for Internet Security. Version 8, released in 2021, consolidates 153 Safeguards across 18 Controls covering areas such as asset inventory, access management, data protection, incident response, and penetration testing. The Controls are derived from observed attack patterns, so they address the most common techniques attackers actually use rather than theoretical threats.

What is the difference between IG1, IG2, and IG3?
Implementation Groups (IGs) are risk-based subsets of the CIS Controls. IG1 contains 56 Safeguards suited to small organisations with limited IT resources and low data-sensitivity risk. IG2 adds 74 Safeguards for organisations with more complex environments and moderate risk. IG3 includes all 153 Safeguards and targets organisations with highly sensitive data or operations that attract sophisticated, targeted attacks. Each IG is cumulative: IG2 includes all of IG1, and IG3 includes all of IG2.

What are CIS Benchmarks?
CIS Benchmarks are configuration guidelines published by the Center for Internet Security for specific operating systems, cloud platforms, databases, and applications. Each Benchmark specifies exact setting values and provides audit procedures that can be executed manually or via automated scanning tools. Benchmarks are separate documents from the CIS Controls but complement them: the Controls define what to protect, while Benchmarks define how to harden the technology used to do it.

How do auditors use CIS Controls for gap analysis?
Auditors map the organisation's current security practices against the Safeguards in the relevant Implementation Group. For each Safeguard, the auditor determines whether the control is implemented, partially implemented, or absent, and assigns a score. The resulting gap report shows which Safeguards are missing and their risk priority, allowing remediation to be sequenced by impact. Many auditors use the CIS Controls Self-Assessment Tool (CSAT) to structure and record this process.

How do the CIS Controls relate to other frameworks like NIST CSF and ISO 27001?
The CIS Controls map to both the NIST Cybersecurity Framework and ISO 27001 Annex A controls. The Center for Internet Security publishes explicit crosswalk documents that show which CIS Safeguard corresponds to which NIST CSF subcategory or ISO 27001 control. This allows an organisation already assessed against one framework to identify coverage gaps relative to another without starting a new assessment from scratch.
