The CIS Controls v8.1
Prioritized, Effective, Risk-Sized Controls
The CIS 18 Controls have always been the foundation of CorpInfoTech's managed services and internal security structure.
CorpInfoTech is proud to announce the renewal of its annual accreditation as a Center for Internet Security (CIS) Accredited organization, following an extensive assessment process conducted by CREST (December 2024). This certification underscores our continued commitment to providing clients with unparalleled cybersecurity expertise, integrity, and assurance. As the first CREST-accredited CIS organization, CorpInfoTech reaffirms its leadership in delivering trusted advisory services and technical solutions aligned with global best practices.
CorpInfoTech was the first accredited assessor for the CIS Controls. (November 2023)

What are the CIS Controls?
The CIS Controls (Center for Internet Security Controls) are a set of prioritized cybersecurity best practices designed to help organizations defend against cyber threats. They consist of 18 controls that address fundamental security areas, including asset management, access control, continuous vulnerability management, and incident response. These controls provide a structured framework to reduce risk, enhance resilience, and protect sensitive data by implementing effective security measures. By following the CIS Controls, organizations—especially SMBs—can strengthen their security posture, meet compliance requirements, and defend against common cyber threats such as malware, phishing, and unauthorized access.
How are the Controls Structured?
The CIS Controls are divided into 18 individual controls that each address a particular security domain. Within these controls are "safeguards" that are actionable and proven effective against the most common cyber threats. These safeguards are then divided into several "implementation groups" based on their risk size.
Implementation Group 1 (IG1) defines essential cyber hygiene and represents the minimum standard of information security for all enterprises. IG1 typically applies to small and medium-sized businesses whose chief concern is keeping the business operational. The safeguards contained in IG1 should address general, non-targeted attacks, and the sensitivity of the information involved is considered "low".
What Does an IG1 Organization Look Like?
- Limited cybersecurity expertise
- No dedicated cybersecurity staff
- Organizations with a small/home office or commercial off-the-shelf (COTS) hardware and software
- Organizations faced with common, non-targeted attacks
IG1 Contains 56 Safeguards
Implementation Group 2 (IG2) aids organizations in managing their IT infrastructure across multiple departments with differing risk profiles. IG2 includes the safeguards listed in IG1 and helps with operational complexity.
What Does an IG2 Organization Look Like?
- Internal IT personnel
- Multiple departments with differing risk profiles
- Organizations that face more complicated attacks
IG2 Contains 74 Safeguards
Implementation Group 3 (IG3) assists IT professionals in securing confidential and sensitive data. The safeguards listed in this group are intended to protect against more sophisticated attacks and protect data that may be subject to regulatory and compliance oversight.
What Does an IG3 Organization Look Like?
- Dedicated cybersecurity and risk personnel
- Successful attacks may cause significant harm to the public
- Organizations with compliance and regulatory responsibilities
IG3 Contains 23 Safeguards

How Does This Apply to My Organization?
The CIS Controls provide a structured and prioritized approach to cybersecurity, directly enhancing your organization's security posture and compliance efforts. By implementing the controls, your organization will strengthen its defense against cyber threats, reduce vulnerabilities, and align with regulatory frameworks like CMMC Level 2, NIST 800-171, and HIPAA. Additionally, the continuous monitoring and improvement encouraged by these controls helps proactively address risks, improving your ability to detect, prevent, and respond to cybersecurity incidents.