
CIS Controls v8, the practical prioritization most MSPs skip

A working guide to the CIS Controls v8 Implementation Groups, why most MSPs ignore the prioritization and how a mid-market firm should actually sequence the 153 safeguards.

Atticus Rowan

The CIS Controls are one of the more useful cybersecurity frameworks in the mid-market. They translate abstract security objectives into a specific list of actions, organized into tiers of implementation priority that map directly to organizational maturity. A firm that works the CIS Controls methodically ends up with a defensible program without having to navigate the less-prescriptive mapping work NIST frameworks require.

What does not translate well is the way the controls often get presented. “Implement all 153 safeguards” is a common rendering that sounds thorough and produces almost no actual security improvement because nothing is actually prioritized. The entire point of CIS Controls v8 is the Implementation Group tiering, and ignoring that tiering is how many mid-market firms spend a year working CIS without meaningfully improving posture.

Here is the practical framing, with attention to the prioritization most MSPs skip over.

What CIS Controls v8 actually contains

The framework, published by the Center for Internet Security, organizes 18 top-level controls with 153 subordinate safeguards. The 18 controls cover what you would expect from a modern cybersecurity framework:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

A complete implementation of all 153 safeguards is a multi-year project even for organizations with dedicated security teams. The framework knows this, which is why the Implementation Groups exist.

The Implementation Group tiering

CIS organizes the 153 safeguards into three Implementation Groups, sorted by organizational capability.

IG1, essential cyber hygiene

The 56 safeguards every enterprise should implement. IG1 addresses the threats that unsophisticated actors use against the broadest swath of targets.

IG1 is aimed at small enterprises with limited IT expertise. For mid-market organizations, IG1 should be considered a floor, not a ceiling. An organization that has not completed IG1 is operating below the baseline the framework identifies as essential.

IG2, enhanced controls

An additional 74 safeguards (130 total) that address threats against more capable targets. IG2 adds detection, response, configuration management, segmentation and more mature access control.

IG2 is aimed at enterprises that store and process sensitive information, run multiple applications and have dedicated IT roles. Most mid-market organizations should target IG2.

IG3, advanced controls

An additional 23 safeguards (153 in total) that address threats from sophisticated, well-funded actors. IG3 adds offensive testing, advanced monitoring and incident-response maturity.

IG3 is aimed at enterprises with security teams, regulated sectors with direct operational or reputational consequences from compromise and firms with specific threat profiles. Most mid-market organizations do not need IG3.

Why the prioritization gets skipped

The default treatment of CIS Controls in many MSP engagements treats all 153 safeguards as a uniform list. A firm that buys an assessment gets a spreadsheet with 153 rows and a red/yellow/green status on each. The output is accurate but not actionable, because a firm cannot remediate 153 items simultaneously, and the assessment does not tell it which to do first.

The prioritization skip happens for a few reasons:

  • An assessment that rates all 153 items produces a longer deliverable than an assessment that organizes by Implementation Group. Longer deliverables sometimes signal more value.
  • Remediation projects priced against a full 153-row spreadsheet bill more hours than projects priced against a focused IG1 or IG2 scope.
  • Assessors who do not understand IG1/IG2/IG3 well enough to tier findings fall back on presenting everything as equal.

The result is a widespread pattern where firms work CIS Controls without achieving the security improvement the framework is designed to produce. The fix is to prioritize.

IG1, the 56 that matter first

The IG1 safeguards, compressed to categories, cover:

  • Asset inventory. A list of every device on the network and every software package running on each device. Manual inventories are acceptable at small scale.
  • Data protection fundamentals. A data inventory, a data classification scheme and encrypted backup.
  • Account management. Unique credentials per user, MFA where external-facing, disabled accounts removed promptly.
  • Basic access control. Separate accounts for privileged work, least-privilege principles, documented access approvals.
  • Vulnerability management. Regular patching, vulnerability scanning on externally-facing systems.
  • Audit logging. Logs collected from critical systems, retained for a defined period.
  • Email and web. Secure email gateway, web filtering, secure DNS.
  • Malware defense. Endpoint anti-malware, USB execution restrictions.
  • Basic recovery. Regular backups with tested recovery.
  • Network infrastructure. Basic network segmentation and secure configurations.
  • Basic training. Annual security awareness training.
  • Incident response. A documented incident response plan with designated personnel.

A firm that works through IG1 methodically ends up with a defensible baseline that meets most cyber insurance application questions and clears the floor most client security audits require.

IG2, where most mid-market targets should land

IG2 adds the controls that address more sophisticated threats.

  • Software inventory expanded. Licensed software tracking, application allowlisting.
  • Data protection enhanced. Data loss prevention, more granular classification.
  • Account management enhanced. Privileged access management, session monitoring for privileged accounts, centralized authentication.
  • Access control enhanced. Role-based access, universal multi-factor authentication, access reviews on a quarterly cadence.
  • Configuration management. Documented baselines, change control, secure configuration enforcement.
  • Vulnerability management expanded. Automated scanning, defined remediation SLAs, prioritization by exploitability.
  • Audit logging expanded. SIEM, correlation rules, alerting thresholds.
  • Email and web enhanced. Advanced phishing protection, DMARC enforcement, browser isolation.
  • Malware defense enhanced. Endpoint detection and response with managed response, behavioral analysis.
  • Recovery enhanced. Immutable backups, documented RTO/RPO, tested multi-system recovery.
  • Network enhanced. Segmentation with documented zones, network access control, monitored internal traffic.
  • Training enhanced. Role-based training, simulated phishing, secure development training for developers.
  • Service provider management. Vendor inventory, security questionnaires, ongoing monitoring.
  • Incident response enhanced. Tabletop exercises, documented playbooks, coordinated external relationships.

Most mid-market organizations should aim for IG2 within 18 to 36 months of starting a real CIS Controls program.

IG3, only where the threat profile justifies it

IG3 adds controls aimed at sophisticated threat actors: red team engagements, advanced monitoring, internal security testing and maturity-driven continuous improvement cycles.

The IG3 safeguards are appropriate for:

  • Organizations in sectors with direct, material adversary interest (defense, advanced manufacturing, financial services at scale, healthcare systems)
  • Organizations that have completed IG2 and have specific known-gap categories IG3 addresses
  • Organizations with security functions of sufficient scale to actually execute the controls

Most mid-market organizations should not pursue IG3 until IG1 and IG2 are substantially complete. Starting IG3 while IG1 gaps remain is a common misallocation.
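The tiering described above, turned into a triage over a flat assessment export, as an added example that is not part of the original post or any CIS tooling. It assumes a constructed spreadsheet of rows (safeguard id, lowest Implementation Group containing the safeguard, red/yellow/green status), treats IG membership as cumulative, orders the backlog IG1 first, and flags the misallocation of starting IG3 work while IG1 gaps remain.

```python
from collections import defaultdict

# Constructed sample rows mimicking a flat 153-row assessment export:
# (safeguard id, lowest IG that includes the safeguard, red/yellow/green status).
# IG membership is cumulative: an IG1 safeguard is also in scope for IG2 and IG3.
SAMPLE_ROWS = [
    ("1.1", 1, "green"), ("1.2", 1, "red"),    ("2.1", 1, "green"),
    ("5.2", 1, "red"),   ("6.3", 1, "yellow"), ("11.1", 1, "green"),
    ("1.3", 2, "red"),   ("4.7", 2, "yellow"), ("8.2", 2, "green"),
    ("13.1", 2, "red"),  ("16.1", 2, "red"),
    ("13.9", 3, "red"),  ("18.2", 3, "green"),
]

STATUS_RANK = {"red": 0, "yellow": 1, "green": 2}


def prioritized_backlog(rows, target_ig=2):
    """Open findings ordered IG1 first, then IG2, red before yellow within an IG.

    Anything above target_ig is left out of the backlog entirely, which is the
    sequencing a flat red/yellow/green spreadsheet never expresses."""
    open_items = [(ig, STATUS_RANK[status], sid) for sid, ig, status in rows
                  if status != "green" and ig <= target_ig]
    return [sid for _ig, _rank, sid in sorted(open_items)]


def completion_by_ig(rows):
    """Cumulative completion per IG over the assessed rows: the IG2 figure counts
    IG1 safeguards too, so IG2 cannot read as complete while IG1 gaps remain."""
    done, total = defaultdict(int), defaultdict(int)
    for _sid, ig, status in rows:
        for level in range(ig, 4):          # an IG1 row counts toward IG1, IG2 and IG3
            total[level] += 1
            done[level] += status == "green"
    return {level: round(done[level] / total[level], 2) for level in (1, 2, 3)}


def ig3_started_with_ig1_gaps(rows):
    """Flags the misallocation described above: IG3-only work under way
    (any IG3 row past red) while some IG1 safeguard is still red or yellow."""
    ig1_open = any(ig == 1 and status != "green" for _s, ig, status in rows)
    ig3_started = any(ig == 3 and status != "red" for _s, ig, status in rows)
    return ig1_open and ig3_started
```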

A practical two-year program

A realistic CIS Controls v8 program for a mid-market firm starting from a typical baseline:

  • Months 1 to 3. IG1 gap assessment. Asset inventory. Software inventory. Initial policy baseline.
  • Months 3 to 9. IG1 remediation. Universal MFA, EDR deployed, backup hardened, IR plan documented, basic training delivered.
  • Months 9 to 12. IG1 evidence accumulation. First tabletop exercise. Annual policy review.
  • Months 12 to 18. IG2 gap assessment and prioritization. Privileged access management deployed. Quarterly access reviews begin. Vendor inventory built.
  • Months 18 to 24. IG2 remediation. SIEM deployed, network segmentation matured, advanced training delivered, vendor management operationalized.

A program executed this way at a 200- to 500-employee mid-market firm typically runs $150,000 to $400,000 per year during the active program period, declining to a lower run-rate at maturity.

Where we fit

Atticus Rowan works with mid-market clients to build CIS Controls v8 programs that respect the Implementation Group tiering rather than treating all 153 safeguards as equal. The engagement model:

  • Start with the IG1 assessment and remediation, not the comprehensive 153-row spreadsheet
  • Build evidence artifacts that would hold up to cyber insurance renewal, SOC 2 readiness or enterprise customer audit
  • Advance to IG2 only after IG1 is substantially complete, with prioritization reflected in the sequence
  • Coordinate with any external assessment (CIS Controls Self-Assessment Tool, CSF 2.0 mapping, SOC 2 readiness) so the work compounds rather than duplicates

If your firm has adopted or is considering CIS Controls v8 and wants a practical read on how to sequence the implementation without burning cycles on flat-list remediation, schedule a discovery call. We can review the current posture against IG1 and IG2 and scope a realistic program.