When a cyber insurer asks whether you have endpoint detection, when a client sends a security questionnaire, when your board asks "how secure are we?" — the answer should be grounded in something more specific than "we have antivirus and a firewall."
That's what CIS Controls v8.1 provides: a prioritized, measurable set of 153 security safeguards organized into 18 control families. Developed by the Center for Internet Security with input from security practitioners across industries, it's the closest thing the cybersecurity world has to a universal checklist.
And unlike frameworks written for enterprises with dedicated security teams, CIS Controls were designed to scale. A 15-person accounting firm and a 300-employee manufacturer can both use the same framework — they just implement different levels of it.
Implementation Groups: The Priority System
The most important concept in CIS Controls is the Implementation Group model. Instead of handing every organization the same 153-item list and saying "do all of this," CIS breaks the safeguards into three tiers based on organizational size, risk, and resources.
Implementation Group 1 (IG1) contains 56 safeguards that CIS calls "essential cyber hygiene." These are the controls that stop the most common attack patterns: keeping an inventory of your hardware and software, configuring systems securely, controlling who has access, defending against malware, backing up data, and training employees to recognize phishing.
For many small businesses, IG1 is the right target. It covers what cyber insurers ask about, what clients expect in a security questionnaire, and what stops the vast majority of opportunistic attacks. If you implement nothing else, implement IG1.
Implementation Group 2 (IG2) adds 74 more safeguards for organizations with increased risk. If you handle protected health information (HIPAA), consumer financial data (FTC Safeguards Rule), or face contractual security obligations from clients, IG2 is where you need to be. It adds vulnerability management, audit logging, network monitoring, incident response, service provider management, and application security.
Implementation Group 3 (IG3) rounds out the full 153 safeguards with advanced controls like penetration testing, advanced network defense, and threat intelligence. IG3 is appropriate for organizations with sophisticated threat exposure or highly sensitive data.
What IG1 Actually Looks Like
Abstract framework descriptions don't help anyone. Here's what IG1 looks like in practice for a small business with 20 to 50 employees:
Asset inventory (Controls 1 & 2). You maintain a current list of every device on your network and every piece of software in use. Not a spreadsheet someone updates once a year — an automated inventory from your RMM tool that reflects reality.
Data protection (Control 3). You know where sensitive data lives, who can access it, and how it's protected. Customer records aren't sitting on shared drives with no access controls. Data in transit is encrypted. Data at rest is encrypted.
Secure configuration (Control 4). Devices and software are configured to a security baseline before deployment — default passwords changed, unnecessary services disabled, automatic updates enabled. This isn't aspirational; it's enforced through policy and your management tools.
Account management (Control 5). Every user account is tied to a real person. Shared accounts are eliminated. Former employees are disabled promptly. Admin access is limited to people who need it.
Access control (Control 6). Multi-factor authentication is enabled on all accounts that access sensitive systems. Access follows the principle of least privilege. Remote access is controlled and logged.
Email and browser protection (Control 9). Email security filters are in place. DNS filtering blocks known malicious domains. Users are protected from phishing, BEC, and malicious attachments before they have to make a judgment call.
Malware defenses (Control 10). Endpoint detection and response is deployed on every workstation and server. It's centrally managed, automatically updated, and monitored for alerts.
Data recovery (Control 11). Automated backups run on a defined schedule. Backups are encrypted and stored offsite. Recovery is tested regularly — not assumed to work because it ran without errors.
Security awareness training (Control 14). Employees receive ongoing security training covering phishing, social engineering, data handling, and incident reporting. Not a once-a-year video — regular, relevant, and tracked.
Why CIS Controls Matter for Cyber Insurance
If you've filled out a cyber insurance application recently, you've essentially answered a CIS Controls IG1 assessment without knowing it. Insurers ask about MFA, endpoint protection, backup, access controls, vulnerability management, and employee training — all IG1 safeguards.
The businesses that struggle with insurance applications are the ones that can't answer those questions with documented evidence. They have MFA "for most people" but can't prove it. They back up data but haven't tested a restore. They did security training but can't show completion records.
Documenting your CIS Controls implementation changes the conversation. Instead of vague answers, you provide evidence: control inventories, configuration baselines, access reviews, backup test logs, and training completion reports. That documentation gets you better coverage terms, more favorable premiums, and a stronger position if you ever need to make a claim.
CIS Controls and Other Frameworks
One of the most practical advantages of CIS Controls is that they map to other compliance frameworks. The Center for Internet Security publishes official crosswalk documents showing how CIS Controls align with HIPAA, NIST CSF, PCI DSS, and other standards.
This means if your business needs to comply with HIPAA and also satisfy cyber insurance requirements and also respond to client security questionnaires, you don't need three separate compliance programs. You implement CIS Controls once, maintain one evidence library, and map the outputs to each framework as needed.
For a detailed breakdown of how West Computers implements and maintains CIS Controls, see our CIS Controls v8.1 implementation page.
Where to Start
If your business doesn't have a formal security framework in place, CIS Controls IG1 is the right starting point. It's practical, it's prioritized, and it directly addresses the controls that insurers, clients, and regulators ask about.
The approach is straightforward: assess where you stand against IG1, document the gaps, close them in priority order, and maintain the evidence. For most small businesses with an existing managed IT environment, IG1 implementation takes 30 to 60 days.
The result is a defensible security baseline — not just tools running in the background, but a documented program that proves your business takes security seriously and can back it up with evidence.