CIS Implementation Groups
CIS Controls are divided into three Implementation Groups (IG1, IG2 and IG3) that enable organisations to prioritise and scale their implementation of the CIS Controls based on their size, resources and risk level. IG1 is the minimum for all organisations; IG3 is for the most complex and high-risk environments.
What are Implementation Groups?
Implementation Groups (IGs) are a prioritisation mechanism in CIS Controls v8. Each of the 153 safeguards (specific control requirements) is assigned to an Implementation Group, and organisations need only implement safeguards up to the level corresponding to their IG classification.
The concept is CIS's answer to the need for a scalable approach: not all organisations can or should invest the same resources in cybersecurity. The IGs ensure that effort is proportionate to risk.
IG1 – Essential cyber hygiene
IG1 is aimed at smaller organisations with limited IT and security resources. It comprises the 56 safeguards that CIS considers the minimum for any organisation, regardless of size.
A typical IG1 organisation has: limited IT staff, data of limited sensitivity, and low sector-specific risks. Implementing IG1 provides protection against the most common attack types.
IG2 – Intermediate security
IG2 adds 74 safeguards (130 in total) and is aimed at medium-sized organisations with dedicated IT staff and systems supporting critical business processes. An IG2 organisation typically handles sensitive data and is subject to regulatory requirements.
IG3 – Advanced security
IG3 includes all 153 safeguards and is intended for large, complex organisations with specialised security teams. An IG3 organisation processes critical information or serves critical infrastructure and is targeted by sophisticated advanced persistent threats (APTs).
IG1 is not optional: CIS designates IG1 safeguards as "essential cyber hygiene" – fundamental security that every organisation should have in place. It is not an aspiration level but a baseline.
Which IG is right for your organisation?
The choice of IG depends on factors such as: number of employees, volume and sensitivity of data, criticality of business processes, sector-specific risks and regulatory requirements. Many small and medium-sized enterprises will start with IG1 and gradually progress towards IG2.
Frequently Asked Questions about CIS Implementation Groups
What are CIS Implementation Groups?
Implementation Groups (IG1, IG2, IG3) are a prioritisation mechanism in CIS Controls v8 that allows organisations to scale their cybersecurity implementation according to their size, resources and risk profile. IG1 is the baseline for all organisations.
How many safeguards are in each Implementation Group?
IG1 contains 56 safeguards, IG2 adds 74 more (130 total), and IG3 includes all 153 safeguards. Each higher group builds cumulatively on the previous one.
Is IG1 sufficient for regulatory compliance?
IG1 provides essential cyber hygiene and may satisfy basic security requirements. However, organisations subject to specific regulatory frameworks (such as NIS2 or ISO 27001) may need to implement controls at the IG2 or IG3 level to achieve full compliance.
Can an organisation implement controls from a higher IG without completing a lower one?
CIS recommends completing all safeguards in the current IG before moving to the next. However, organisations may choose to implement specific higher-level safeguards if a risk assessment identifies a particular need.
How do CIS Implementation Groups relate to ISO 27001?
CIS Implementation Groups and ISO 27001 controls address similar security domains but use different structures. IG2 and IG3 broadly correspond to the level of security maturity expected under ISO 27001, though a formal mapping is needed for compliance purposes.
.legal A/S