CIS Introduces V7.1 of CIS Controls Featuring New Implementation Groups

On April 4th 2019, the Center of Internet Security (CIS) released its latest CIS Controls Version 7.1 which featured the new Implementation Groups (IGs) to help companies of different sizes determine what essential CIS Sub-Controls should be implemented to meet their business requirements under technical resource constraints.  

The CIS Controls are a prioritized set of best practices that organizations of different industries and sizes can follow to improve their cybersecurity posture. Practically, not all organizations have resources to implement all the CIS Controls and hence these need to be prioritized. The last release CIS Controls V7 separated the 20 Controls into three distinct categories: basic (CIS Controls 1-6), foundational (Controls 7-16), and organizational (Controls 17-20) to make them more flexible, relevant and adaptive to apply to different organizations. 

But to defend against the latest advanced malicious attacks, organizations need to implement some of the important Sub-Controls in the foundational and organizational categories on top of the ‘basic’ Controls for effective defense-in-depth protection. 

Therefore, CIS reassesses the prioritization scheme for the CIS Controls down to the Sub-Controls level and develops the Implementation Groups (IGs) as part of CIS Controls V7.1. Each IG identifies which Sub-Controls are reasonable for an organization to implement based on their risk profile and their available resources.


CIS Controls team first identified a core set of Sub-Controls that organizations with limited resources, expertise, and risk exposure should focus on. This is IG1. For example, a small family owned business with approx. 10 employees may classify themselves as IG1.


 • The core 43 CIS Sub-Controls identified in IG1 represent the redefined “Cyber Hygiene” – the essential protections that must be put into place to defend against common attacks regardless of their sizes. These include important Sub-Controls such as email & browser protection, malware defense, boundary defense, data recovery and data protection etc. These provide the minimum ‘defense-in-depth’ protection all organizations must implement in today’s threat landscape


Each IG builds upon the previous one. IG2 identifies additional Sub-Controls for organizations with greater risk exposure and with more resources and expertise than those in IG1. E.g. most mid-size enterprises in Hong Kong which often interface with customers via internet may be classified as IG2. Finally, the rest of the Sub-Controls are included in IG3, e.g. a large corporate with thousands of employees.


A resource constrained organization may need to implement Sub-Controls in a higher IG (e.g. IG3) based on data sensitivity and criticality of services offered by the organization. They may consult experienced security consultant or make reference to applicable risk assessment method.

Customers can visit CIS website to learn more about the NEW Implementation Groups and download the CIS Contril V7.1 document for reference

GTI provides a holistic portfolio of security services to help customers safeguard their business and important data assets against cyberthreats and malicious attacks. Our security consultants can help customers assess their risk posture to determine and prioritize their remedial and preventive actions. We can help customers implement state-of-the-art solutions together with best-practice control measures to defend against pervasive attacks and malicious activities. Moreover, we can provide ISO27001 certified, 7x24 SOC (Security Operations Center) services and tailored managed security (MSS) and incident response services to meet your specific business and compliance requirements.

Contact our GTI security consultants to understand how to implement the important CIS V7.1 Sub-Controls to meet your business needs to effectively defend against the latest cyber threats.