top of page



The CIS Critical Security Controls (CIS Controls) are cybersecurity best practices developed by a global community of cybersecurity experts that can help support compliance in a multiframework era.


The CIS Controls provide enterprises of all sizes a prioritized path to improve their cybersecurity posture through Implementation Groups (IGs) based on the sensitivity of the data they need to protect and the resources they can dedicate toward Information Technology and cybersecurity. 


  • IG1 is the definition of essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises.

  • IG2 prescribes what has to be done for more sensitive components of an enterprises depending upon the services and information they handle.

  • IG3 is the highest level of cyber hygiene. These are steps taken for fully mature enterprises to protect the most sensitive parts of their missions. 


IG1 provides a viable defense against the top five attack types. Enterprises achieve a high level of protection and are well-positioned to defend against the top five attack types through implementation of essential cyber hygiene, or IG1. Enterprises should aim to start with IG1 to obtain the highest value and work up to IG2 and IG3, as appropriate.



The CIS Controls are referenced by multiple legal, regulatory, and policy frameworks, and are included in many state statutes, making it simpler for enterprises to achieve cybersecurity.

Prioritized & Simplified

Prioritized actions to mitigate cyber attacks

Independent & Trusted

bottom of page