The Center for Internet Security (CIS) is a nonprofit organization that publishes a set of cybersecurity Controls and Safeguards for businesses.
If you run a small or mid-sized business, a subset of these Controls—those in Implementation Group 1 (IG1)—is foundational and should be strongly considered for your organization’s solid cybersecurity posture.
A strong security posture results in much better avoidance of the dreaded ‘downtime’ during which your expensive workforce is unproductive.
You can also avoid long-term damage and expense from permanent data loss and data exfiltration.
The Structure of CIS Cybersecurity Controls
The overall structure is as follows.
There are eighteen controls. Each Control has a set of clearly articulated Safeguards categorized by Implementation Groups.
The three Implementation Groups are
Implementation Group 1 (IG1): Focuses on essential cybersecurity controls for small organizations to defend against common threats with minimal complexity.
Implementation Group 2 (IG2): Provides foundational controls for organizations with moderate resources, addressing more advanced threats with layered security.
Implementation Group 3 (IG3): Implement advanced controls for robust protection against sophisticated attacks for mature, high-risk organizations.
This post will focus on Implementation Group 1 (IG1), Basic Cyber Hygiene—essential cyber defense measures applicable to all organizations.
We have organized these essential IG1 Cybersecurity Controls and Safeguards into sections, dot points, and sub-points you can visually scan to get a general idea of the areas that should be addressed.
Your Managed Service Provider (MSP) is a resource to help you implement these essential measures.
For more details on CIS Controls, you can download the complete list.
Table of Contents
- The Structure of CIS Cybersecurity Controls
- Asset Management
- Data Management and Security
- Configuration and Access Management
- Vulnerability and Patch Management
- Audit and Monitoring
- Endpoint and Network Protection
- Backup and Data Recovery
- Network Infrastructure Management
- Security Awareness and Training
- Incident Management
- Third-Party Risk Management
Asset Management
Asset management involves maintaining a complete and detailed inventory of all enterprise assets, including hardware, software, and accounts.
This is the foundation for most other controls, as a lack of visibility into assets can lead to gaps in security.
- Establish and Maintain Detailed Enterprise Asset Inventory
- Address Unauthorized Assets
- Establish and Maintain a Software Inventory
- Ensure Authorized Software is Currently Supported
- Address Unauthorized Software
- Manage Default Accounts on Enterprise Assets and Software
- Establish and Maintain an Inventory of Accounts
Organizations can more easily enforce security policies and detect unauthorized elements by tracking and validating every asset, software, and account.
Data Management and Security
Data management is a core responsibility for SMBs. It encompasses the processes that protect data throughout its lifecycle—from creation to disposal. This includes managing data inventories, access controls, and encryption.
- Establish and Maintain
- a Data Management Process
- a Data Inventory
- Configure Data Access Control Lists
- Enforce Data Retention
- Securely Dispose of Data
- Encrypt Data on End-User Devices
These controls help ensure data is accessed only by authorized personnel, securely stored, and properly disposed of when no longer needed, thus minimizing risks of exposure or loss.
Configuration and Access Management
Securely configuring assets and enforcing strict access control policies are crucial to protecting company systems.
This includes ensuring that all systems are set up with security in mind and that access is restricted based on roles and responsibilities.
- Establish and Maintain
- A Secure Configuration Process
- A Secure Configuration Process for Network Infrastructure
- Configure Automatic Session Locking on Enterprise Assets
- Implement and Manage a Firewall
- On Servers
- On End-User Devices
- Restrict Administrator Privileges to Dedicated Administrator Accounts
- Establish
- An Access Granting Process
- An Access Revoking Process
- Require Multi-Factor Authentication (MFA) for
- Externally-Exposed Applications
- Remote Network Access
- Require MFA for Administrative Access
These measures help limit access to sensitive areas of the network, reduce the chances of unauthorized access, and protect against external threats.
Vulnerability and Patch Management
Identifying, assessing, and addressing vulnerabilities is essential for preventing cyber threats. A proactive approach to vulnerability management keeps systems up-to-date and secure, reducing the likelihood of successful attacks.
- Establish and Maintain
- A Vulnerability Management Process
- A Remediation Process
- Perform Automated
- Operating System Patch Management
- Application Patch Management
Patch management ensures systems are continuously protected against known vulnerabilities, while a structured remediation process helps prioritize and address potential weaknesses efficiently.
Audit and Monitoring
Monitoring systems and events is critical to detect and respond to potential incidents. Logging and auditing provide visibility into system activity and help organizations quickly identify and react to suspicious behavior.
- Establish and Maintain an Audit Log Management Process
- Collect Audit Logs
- Ensure Adequate Audit Log Storage
Audit and logging practices provide the evidence and tracking needed to respond to incidents and verify compliance, creating an accountability trail for security events.
Endpoint and Network Protection
Protecting endpoints and network infrastructure is crucial in preventing malware, unauthorized access, and other cyber threats. This includes installing anti-malware software, using DNS filtering, and configuring firewalls on all devices.
- Ensure Use of Only Fully Supported Browsers and Email Clients
- Use DNS Filtering Services
- Deploy and Maintain Anti-Malware Software
- Configure Automatic Anti-Malware Signature Updates
- Disable Autorun and Autoplay for Removable Media
These measures help shield enterprise assets from malicious software and prevent untrusted applications or media from compromising systems.
Backup and Data Recovery
An effective backup and recovery strategy is essential in case of data loss. Regular backups and protected storage of recovery data minimize the impact of cyber incidents and facilitate a quick return to normal operations.
- Establish and Maintain a Data Recovery Process
- Perform Automated Backups
- Protect Recovery Data
- Establish and Maintain an Isolated Instance of Recovery Data
By safeguarding backup data, businesses can restore data and minimize downtime should there be a breach or failure.
Network Infrastructure Management
Keeping network infrastructure secure is critical to preventing unauthorized access and vulnerabilities. This includes configuring network devices and ensuring they remain updated with the latest security protocols.
- Ensure Network Infrastructure is Up-to-Date
Properly maintained network infrastructure is less susceptible to security vulnerabilities and can support other protective measures, such as firewalls and encryption.
Security Awareness and Training
An organization’s security is only as strong as its most minimally aware employee.
Regular security training for all staff ensures that everyone understands their role in protecting the organization and can identify potential threats.
- Establish and Maintain a Security Awareness Program
- Train Workforce Members On
- Recognizing Social Engineering Attacks
- Authentication Best Practices
- Data Handling Best Practices
- Causes of Unintentional Data Exposure
- Recognizing and Reporting Security Incidents
- How to Identify and Report if Their Enterprise Assets are Missing Security Updates
- The Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Educating employees on security best practices, social engineering, and secure data handling reduces the risk of human error leading to security incidents.
Incident Management
When security incidents occur, it’s essential to have a clear plan for handling them. This includes designating responsible personnel, maintaining up-to-date contact information, and having a robust reporting structure.
- Designate Personnel to Manage Incident Handling
- Establish and Maintain
- Contact Information for Reporting Security Incidents
- An Enterprise Process for Reporting Incidents
A structured incident response plan ensures that incidents are reported, managed, and mitigated effectively, minimizing damage and downtime.
Third-Party Risk Management
Vendors and service providers introduce potential security risks. Monitoring and managing these relationships helps ensure they adhere to security standards and do not introduce vulnerabilities.
- Establish and Maintain an Inventory of Service Providers
Documenting and reviewing service providers helps ensure third-party relationships support security objectives and comply with internal policies.
Incorporating these security controls into your business security strategy provides a robust and layered defense against cyber threats.
By logically grouping controls, organizations can streamline implementation, improve compliance, and enhance resilience against security incidents.
