CIS Controls IG Selector

7 questions to find your Implementation Group

How many employees does your organization have?
1-100 employees
Small business with limited IT resources
100-500 employees
Medium enterprise with dedicated IT team
500-1,000 employees
Large organization with security staff
1,000+ employees
Enterprise with dedicated security operations
What type of data does your organization handle?
Standard business data
Employee records, general business information
Sensitive customer data
PII, payment information, confidential data
Highly regulated data
HIPAA, PCI DSS, financial records, trade secrets
Critical infrastructure
OT/ICS systems, critical services, national security
What IT/security resources do you have?
Limited or outsourced IT
No dedicated security staff, rely on MSP/consultant
Small IT team
1-3 IT staff, security is part-time responsibility
Dedicated security team
1-5 security professionals, some specialized roles
Advanced security operations
SOC team, CISO, multiple specialized security roles
What compliance requirements do you have?
No specific requirements
Basic business security, cyber insurance only
Basic compliance
Texas SB2610, customer security questionnaires
Moderate compliance
SOC 2, ISO 27001, state privacy laws
Strict compliance
HIPAA, PCI DSS Level 1, FedRAMP, CMMC
How would you describe your threat environment?
Low threat profile
General internet threats, opportunistic attacks
Moderate threat profile
Targeted phishing, ransomware risk, competitive intelligence
Elevated threat profile
Industry targeted by threat actors, valuable IP/data
High threat profile
APT targets, nation-state actors, critical infrastructure
What is your annual security budget?
Under $25K
Essential tools only, limited consulting budget
$25K-$100K
Enterprise tools, some consulting/outsourcing
$100K-$500K
Advanced tools, staffing, managed services
$500K+
Comprehensive security program, full SOC, dedicated staff
What is your target implementation timeline?
3-6 months
Quick wins, essential controls, rapid compliance
6-12 months
Balanced approach, phased implementation
12-18 months
Comprehensive program, full maturity
18+ months
Multi-year transformation, enterprise-wide
IG1

Implementation Group 1

Essential Cyber Hygiene