What are the differences between CIS IG1, CIS IG2 AND CIS IG3?

CIS IG1, CIS IG2, and CIS IG3 are three different levels of Cybersecurity and Information Security (CIS) Controls developed by the Center for Internet Security (CIS) organization.

CIS IG1

CIS IG1 controls are foundational controls that are essential for any organization seeking to establish a cybersecurity program. They include 18 controls that are designed to provide basic protection against common cyber threats, such as malware, phishing, and unauthorized access. Some of the controls included in CIS IG1 are regular patch management, use of antivirus software, and network segmentation.

CIS IG2

CIS IG2 controls are advanced controls that build on the foundational controls in CIS IG1. They include 20 additional controls that are more complex and require more resources to implement. CIS IG2 controls are designed to protect against more sophisticated cyber threats, such as advanced persistent threats (APTs) and targeted attacks. Some of the controls included in CIS IG2 are continuous monitoring, penetration testing, and incident response planning.

CIS IG3

CIS IG3 controls are the most comprehensive and advanced set of controls developed by CIS. They include an additional 7 controls on top of CIS IG2, and are intended for organizations that operate critical infrastructure or handle highly sensitive data. CIS IG3 controls are designed to provide the highest level of protection against the most advanced cyber threats, including nation-state attacks. Some of the controls included in CIS IG3 are advanced threat intelligence, threat hunting, and secure configuration management.

Which CIS group should you use?

In terms of appropriateness, CIS IG1 controls are suitable for any organization, regardless of size or industry. They provide a solid foundation for building a cybersecurity program and are often used as a benchmark for cybersecurity best practices.

CIS IG2 controls are appropriate for organizations that have more resources and are looking to enhance their cybersecurity posture. These controls are especially relevant for organizations that handle sensitive data or are at higher risk of cyber attacks.

CIS IG3 controls are appropriate for organizations that operate critical infrastructure, such as power plants or financial institutions, or handle highly sensitive data, such as government agencies or healthcare organizations. These controls are designed to provide the highest level of protection against the most advanced cyber threats and require a significant investment in resources to implement.

CyberXposure offers non-technical cyber security assessments for all CIS Information Groups.