CIS Controls Implementation Groups: IG1, IG2, and IG3 Explained
One of the most valuable features of the CIS Controls framework is its Implementation Groups model. Rather than presenting all 153 safeguards as equally important, Implementation Groups help organizations prioritize based on their resources, risk profile, and security maturity.
This guide explains the three Implementation Groups, helps you determine which is right for your organization, and provides practical guidance for implementation.
Key Takeaways
| Point | Summary |
|---|---|
| Three tiers | IG1 (essential), IG2 (expanded), IG3 (advanced) |
| IG1 | 56 safeguards for organizations with limited IT resources |
| IG2 | 130 safeguards (IG1 + 74) for organizations with dedicated IT staff |
| IG3 | 153 safeguards (IG2 + 23) for high-risk organizations |
| Start with IG1 | All organizations should implement IG1 as the foundation |
| Progressive model | Each group builds on the previous one |
Quick Answer: Most startups and SMBs should focus on IG1, which contains 56 essential safeguards providing protection against the most common cyber attacks. IG1 is designed to be achievable for organizations without dedicated security staff. Move to IG2 when you have dedicated IT personnel and face increased risks. IG3 is for organizations handling highly sensitive data or facing sophisticated threats.
Understanding Implementation Groups
Implementation Groups were introduced in CIS Controls v7.1 and carried into v8, where every safeguard carries an IG designation. They solve a common challenge: organizations with limited resources often feel overwhelmed by the full scope of security frameworks. Implementation Groups provide a practical path forward.
The Progressive Model
Each Implementation Group builds on the previous one:
IG1 (56 safeguards) → IG2 (+74 = 130 total) → IG3 (+23 = 153 total)
This means:
- IG2 includes all of IG1, plus 74 additional safeguards
- IG3 includes all of IG2 (and IG1), plus 23 additional safeguards
- You don't skip groups; you progress through them
Implementation Group 1 (IG1): Essential Cyber Hygiene
IG1 represents the minimum standard of information security that all organizations should meet. It's designed for organizations that:
- Have limited IT and cybersecurity expertise
- May not have dedicated security staff
- Need to defend against general, non-targeted attacks
- Have constrained resources for security investments
IG1 Characteristics
| Attribute | Description |
|---|---|
| Safeguards | 56 |
| Target | Small to medium organizations |
| IT staff | Minimal or shared IT responsibilities |
| Primary threats | Opportunistic attacks, commodity malware |
| Focus | Basic cyber hygiene, essential protections |
What IG1 Covers
IG1 safeguards address the most critical security fundamentals:
Asset Management (Controls 1-2)
- Know your hardware and software
- Remove unauthorized assets
- Keep software current
Data Protection (Control 3)
- Establish a data management process and inventory data
- Configure data access control lists
- Enforce data retention
- Encrypt data on end-user devices
- Securely dispose of data
Secure Configuration (Control 4)
- Establish configuration processes
- Implement firewalls
- Manage default accounts
Account and Access Management (Controls 5-6)
- Inventory accounts
- Use unique passwords
- Disable dormant accounts
- Restrict administrative privileges to dedicated admin accounts
- Require MFA for externally exposed applications, remote network access, and administrative access
Vulnerability and Patch Management (Control 7)
- Establish remediation processes
- Automate patching
Logging (Control 8)
- Collect and store audit logs
Email and Browser Security (Control 9)
- Use supported software
- Implement DNS filtering
Malware Protection (Control 10)
- Deploy anti-malware
- Keep signatures updated
Data Recovery (Control 11)
- Implement automated backups
- Protect backup data
Network Infrastructure (Control 12)
- Keep network equipment updated
Security Training (Control 14)
- Basic security awareness
- Social engineering recognition
- Authentication and data handling best practices
- Recognizing and reporting incidents and missing updates
- Dangers of connecting to insecure networks
Service Provider Management (Control 15)
- Maintain provider inventory
Incident Response (Control 17)
- Designate incident handlers
- Establish reporting procedures
Who Should Implement IG1?
IG1 is appropriate for:
| Organization Type | Why IG1 |
|---|---|
| Startups | Limited resources, focused on growth |
| Small businesses | Shared IT responsibilities, no security team |
| Low-risk organizations | Don't handle highly sensitive data |
| Beginning security programs | Building foundational controls |
IG1 provides substantial protection. CIS's Community Defense Model maps the safeguards to MITRE ATT&CK techniques and shows that IG1 alone defends against a large share of the techniques used in the most common attack patterns (malware, ransomware, web application hacking, insider and privilege misuse, and targeted intrusions). For many organizations, this level of protection is sufficient.
Implementation Group 2 (IG2): Expanded Protection
IG2 is designed for organizations that have more resources, face greater risks, or need more robust security programs.
IG2 Characteristics
| Attribute | Description |
|---|---|
| Safeguards | 130 (IG1 + 74 additional) |
| Target | Medium to large organizations |
| IT staff | Dedicated IT personnel |
| Primary threats | Targeted attacks, sophisticated malware |
| Focus | Expanded monitoring, detection, and response |
What IG2 Adds
IG2 builds on IG1 with more sophisticated controls:
Enhanced Asset Discovery (Control 1)
- Active and automated discovery tools
- DHCP logging for asset tracking
Software Allowlisting (Control 2)
- Allowlist authorized software and libraries
Data Classification and Encryption (Control 3)
- Formal classification schemes
- Data flow documentation
- Encryption in transit and at rest
Advanced Configuration (Control 4)
- Disable unnecessary services
- Configure trusted DNS
- Remote wipe capabilities
Centralized Account Management (Control 5)
- Service account inventory
- Centralized management
Centralized Access Control (Control 6)
- Inventory of auth systems
- Centralized access control
Vulnerability Scanning (Control 7)
- Automated internal and external scanning
- Formal remediation tracking
Comprehensive Logging (Control 8)
- Time synchronization
- Detailed logs (DNS, URL, command-line)
- Centralized logging
- Retention of at least 90 days
- Regular log reviews
Email and Browser Hardening (Control 9)
- URL filtering
- Extension restrictions
- DMARC implementation
Advanced Malware Protection (Control 10)
- Centralized management
- Behavior-based detection
Backup Testing (Control 11)
- Regular recovery testing
Network Architecture (Control 12)
- Documented architecture
- Centralized AAA
- VPN requirements
Network Monitoring (Control 13)
- Security event alerting
- Intrusion detection
- Traffic filtering
- Network flow logs
Role-Specific Training (Control 14)
- Role-specific security awareness and skills training
Service Provider Assessment (Control 15)
- Provider classification
- Security requirements in contracts
- Regular assessments
Application Security (Control 16)
- Secure development process
- Third-party component management
- Security testing
Incident Response Process (Control 17)
- Formal IR process
- Defined roles
- Communication plans
- Regular exercises
- Post-incident reviews
Penetration Testing (Control 18)
- Periodic external testing
- Remediation tracking
Who Should Implement IG2?
IG2 is appropriate for:
| Organization Type | Why IG2 |
|---|---|
| Growing companies | Increased attack surface, more at stake |
| Organizations with IT teams | Can implement and maintain controls |
| Regulated industries | Need more robust controls |
| B2B companies | Customer security requirements |
| Companies handling sensitive data | Higher risk requires more protection |
Implementation Group 3 (IG3): Advanced Protection
IG3 is designed for organizations that face sophisticated adversaries, handle highly sensitive data, or operate critical infrastructure.
IG3 Characteristics
| Attribute | Description |
|---|---|
| Safeguards | 153 (IG2 + 23 additional) |
| Target | Large enterprises, critical infrastructure |
| Security staff | Dedicated security team |
| Primary threats | Advanced persistent threats, nation-state actors |
| Focus | Defense-in-depth, advanced detection |
What IG3 Adds
IG3 includes the most sophisticated safeguards:
Advanced Asset Discovery (Control 1)
- Passive discovery tools
Script Allowlisting (Control 2)
- Control authorized scripts
Advanced Data Protection (Control 3)
- Segment data processing and storage by sensitivity
- Data loss prevention
- Sensitive data access logging
Mobile Security (Control 4)
- Workspace separation on mobile devices
Role-Based Access (Control 6)
- Formal RBAC implementation
Service Provider Monitoring (Control 15)
- Ongoing provider monitoring
- Secure decommissioning
Advanced Application Security (Control 16)
- Code-level security checks
- Application penetration testing
- Threat modeling
Advanced Incident Response (Control 17)
- Security incident thresholds
Advanced Network Defense (Control 13)
- Host- and network-based intrusion prevention (not just detection)
- Port-level access control
- Application layer filtering
- Tuned alerting thresholds
Dedicated Administration (Control 12)
- Separate computing resources for admin work
Comprehensive Penetration Testing (Control 18)
- Internal penetration testing
- Security measure validation
Extended Logging and Email Protection (Controls 8-9)
- Collect service provider logs
- Email server anti-malware
Who Should Implement IG3?
IG3 is appropriate for:
| Organization Type | Why IG3 |
|---|---|
| Financial institutions | High-value targets, regulatory requirements |
| Healthcare organizations | Sensitive patient data |
| Critical infrastructure | National security implications |
| Government contractors | Classified or sensitive information |
| Large enterprises | Resources and threat profile require it |
Choosing Your Implementation Group
Assessment Criteria
Consider these factors when selecting your Implementation Group:
| Factor | IG1 | IG2 | IG3 |
|---|---|---|---|
| IT staff | Shared/minimal | Dedicated IT | Security team |
| Data sensitivity | Standard business | Customer/regulated | Highly sensitive |
| Regulatory requirements | Minimal | Moderate | Stringent |
| Threat profile | Opportunistic | Targeted | Advanced/APT |
| Resources | Limited | Moderate | Substantial |
| Security maturity | Beginning | Developing | Mature |
Decision Flow
Start with IG1 if you:
- Are a startup or small business
- Don't have dedicated IT security staff
- Handle primarily standard business data
- Face general, non-targeted threats
- Are building your first formal security program
Consider IG2 if you:
- Have dedicated IT personnel
- Handle customer data or regulated information
- Face targeted attack risks
- Need to demonstrate security to enterprise customers
- Are pursuing compliance frameworks like SOC 2 or ISO 27001
Consider IG3 if you:
- Have a dedicated security team
- Handle highly sensitive data (healthcare, financial, government)
- Face advanced persistent threats
- Operate critical infrastructure
- Have stringent regulatory requirements
Implementation Strategy
Progressive Implementation
Don't try to implement your target IG all at once. Use a progressive approach:
Phase 1: IG1 Foundation
1. Complete asset inventory (Controls 1-2)
2. Implement access controls and MFA (Controls 5-6)
3. Enable backups and recovery (Control 11)
4. Deploy basic security tools (Controls 9-10)
5. Establish incident response basics (Control 17)
Phase 2: IG1 Completion
6. Implement remaining IG1 safeguards
7. Validate and document implementation
8. Establish ongoing maintenance processes
Phase 3: IG2 Expansion (if applicable)
9. Prioritize IG2 safeguards based on risk
10. Implement monitoring and detection (Controls 8, 13)
11. Build out vulnerability management (Control 7)
12. Develop application security program (Control 16)
Phase 4: IG3 Advanced (if applicable)
13. Implement advanced detection and prevention
14. Build out penetration testing program
15. Develop sophisticated response capabilities
Timeframes
Typical implementation timeframes:
| Group | Typical Duration | Notes |
|---|---|---|
| IG1 | 3-6 months | Depends on starting point |
| IG1 → IG2 | 6-12 months | After IG1 completion |
| IG2 → IG3 | 6-12 months | After IG2 completion |
These are estimates; actual timelines depend on organizational size, complexity, and resources.
Common Questions
Can I skip IG1 and go directly to IG2?
No. Implementation Groups are progressive. IG2 assumes IG1 is in place. Skipping IG1 safeguards would leave gaps in your foundational security.
What if I need some IG2 safeguards but not all?
You can prioritize specific IG2 safeguards based on your risk profile. However, you should complete IG1 first and implement IG2 safeguards systematically rather than cherry-picking.
How do I know when I've "completed" an Implementation Group?
Each safeguard should be:
- Implemented (controls are in place)
- Operational (controls are functioning)
- Measured (you can demonstrate effectiveness)
- Maintained (ongoing processes exist)
Use CIS's Self Assessment Tool (CSAT) to evaluate your implementation status.
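The two rules above, that Implementation Groups are cumulative and that a safeguard only counts when it is implemented, operational, measured and maintained, are easy to get wrong in a spreadsheet. The following Python script is an added example (not CIS's own tooling, and not the CIS CSAT data format) that scores a safeguard inventory per IG, lists the gaps with IG1 gaps first, and flags the anti-pattern of completing IG2/IG3-only safeguards while IG1 gaps remain. The inventory is a constructed, abbreviated subset of v8 safeguards; the four evidence states are this example's own convention, taken from the list above.

```python
"""Per-Implementation-Group completion scoring for a CIS Controls safeguard inventory.

Added example: not CIS tooling and not the CIS CSAT format. The `ig` field on each
safeguard is the lowest IG that requires it; because IGs are cumulative, an IG1
safeguard also belongs to IG2 and IG3, and an IG2 safeguard also belongs to IG3.
"""
from dataclasses import dataclass

# The four conditions this guide uses for "complete" (example convention, not a CIS term).
STATES = ("implemented", "operational", "measured", "maintained")


@dataclass(frozen=True)
class Safeguard:
    sid: str              # CIS v8 safeguard number, e.g. "5.3"
    title: str
    ig: int               # lowest Implementation Group that requires it (1, 2 or 3)
    evidence: frozenset   # subset of STATES the organisation can actually evidence


def in_scope(sg: Safeguard, target_ig: int) -> bool:
    """Cumulative membership: IG2 = IG1 + IG2-only, IG3 = everything."""
    return sg.ig <= target_ig


def is_complete(sg: Safeguard) -> bool:
    """A safeguard counts only when all four states hold, not merely 'implemented'."""
    return set(STATES) <= sg.evidence


def missing_states(sg: Safeguard) -> list:
    return [st for st in STATES if st not in sg.evidence]


def completion(inventory, target_ig: int) -> tuple:
    """(complete, total) for every safeguard in scope for target_ig."""
    scoped = [s for s in inventory if in_scope(s, target_ig)]
    return sum(is_complete(s) for s in scoped), len(scoped)


def _order(sg: Safeguard) -> tuple:
    # Lowest IG first, then numeric control/safeguard order (so "5.3" sorts before "13.8").
    control, number = sg.sid.split(".")
    return (sg.ig, int(control), int(number))


def gaps(inventory, target_ig: int) -> list:
    """Incomplete safeguards in scope, IG1 gaps surfaced before IG2/IG3 ones."""
    return sorted((s for s in inventory if in_scope(s, target_ig) and not is_complete(s)),
                  key=_order)


def skipped_foundation(inventory) -> list:
    """Return IG1 gap ids if any IG2/IG3-only safeguard is already complete while IG1 is not.

    This is the 'you don't skip groups' rule: an empty list means either IG1 is done
    or no higher-group work has outrun it.
    """
    higher_done = any(is_complete(s) for s in inventory if s.ig > 1)
    ig1_gaps = [s.sid for s in gaps(inventory, 1)]
    return ig1_gaps if higher_done else []


ALL = frozenset(STATES)
# Constructed inventory: a handful of real v8 safeguard numbers with made-up status.
INVENTORY = [
    Safeguard("1.1", "Enterprise asset inventory", 1, ALL),
    Safeguard("5.2", "Unique passwords", 1, ALL),
    Safeguard("5.3", "Disable dormant accounts", 1, frozenset({"implemented", "operational"})),
    Safeguard("6.3", "MFA for externally exposed applications", 1, ALL),
    Safeguard("1.3", "Active discovery tool", 2, ALL),
    Safeguard("8.9", "Centralize audit logs", 2, frozenset({"implemented"})),
    Safeguard("1.5", "Passive asset discovery", 3, frozenset()),
    Safeguard("13.8", "Network intrusion prevention", 3, frozenset()),
]

if __name__ == "__main__":
    for ig in (1, 2, 3):
        done, total = completion(INVENTORY, ig)
        print(f"IG{ig}: {done}/{total} safeguards complete")
    for sg in gaps(INVENTORY, 2):
        print(f"  gap {sg.sid} (IG{sg.ig}): missing {', '.join(missing_states(sg))}")
    if skipped_foundation(INVENTORY):
        print("IG2 work has outrun IG1; close these first:", skipped_foundation(INVENTORY))
```

In the constructed data, safeguard 1.3 (IG2-only) is fully complete while 5.3 (IG1) is still only implemented and operational, so the script reports IG1 at 3/4 and names 5.3 as the safeguard to close before counting any IG2 progress. Replace the inventory with your own export and the `evidence` sets with whatever your assessment records actually support.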
Do Implementation Groups map to compliance frameworks?
Not directly, but there are correlations:
| Compliance Need | Typical IG |
|---|---|
| SOC 2 Type 2 | IG1-IG2 |
| ISO 27001 | IG1-IG2 |
| HIPAA | IG2 minimum |
| PCI DSS | IG2-IG3 |
| CMMC | IG2-IG3 |
IG1: The Essential Foundation
For most readers of this guide, IG1 is the starting point and possibly the appropriate long-term target. Here's why IG1 matters:
Effectiveness: IG1 safeguards address the attack techniques used in the majority of breaches. Implementing IG1 significantly reduces your attack surface.
Achievability: IG1 is designed to be implementable without dedicated security staff. The safeguards are practical and within reach.
Foundation: IG1 creates the foundation for more advanced controls. Even if you plan to progress to IG2 or IG3, you need IG1 first.
Business value: IG1 enables you to confidently answer customer security questionnaires and provides a baseline for compliance frameworks.
For practical guidance on implementing IG1 in startup environments, see our CIS Controls for Startups guide.
Need help determining which Implementation Group is right for your organization? Talk to our team
Sources
- CIS Controls Implementation Groups - Official CIS IG documentation
- CIS Controls v8 - Complete safeguards with IG designations
- CIS Controls Self Assessment Tool - Tool for assessing IG implementation
- MITRE ATT&CK Navigator - ATT&CK coverage mapping
