If you’re looking for a no-nonsense, action-ready set of security best practices, the CIS Controls are a fantastic place to start. Developed by the Center for Internet Security, this framework strips away the fluff and focuses on what really matters when protecting your IT environment.

At 101 IT, we love how practical and tactical these controls are. Whether you’re a growing business or an enterprise, the CIS Controls provide a clear, prioritized roadmap to cybersecurity.

Let’s unpack why this framework is so widely used—and how you can apply it to your business today.

What Are CIS Controls?

The CIS Controls (formerly known as the SANS Top 20) are a set of 18 prioritized actions designed to help organizations prevent the most common and dangerous cyberattacks.

What makes them different?

• They’re prescriptive – Not just “what,” but “how.”
• They’re ranked by importance – So you can focus on what matters most first.
• They’re updated regularly – The latest version (V8) reflects today’s threat landscape.

The Three Implementation Groups (IGs)

CIS Controls are divided into Implementation Groups (IG1, IG2, IG3) based on your organization’s size, risk level, and available resources:

• IG1: Basic cyber hygiene for small organizations.
• IG2: More advanced controls for mid-sized companies.
• IG3: Robust protection for high-risk, large enterprises.

This tiered approach means even small businesses can get started without feeling overwhelmed.

What the 18 CIS Controls Cover

The Controls span across core security areas, including:

1. Inventory and Control of Assets
2. Secure Configuration
3. Continuous Vulnerability Management
4. Controlled Use of Admin Privileges
5. Account Monitoring
6. Data Protection
7. Email and Web Browser Protections
8. Malware Defenses
9. Limiting and Controlling Network Ports
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices
12. Boundary Defense
13. Security Awareness Training
14. Application Software Security
15. Incident Response
16. Penetration Testing
17. Security Skills Assessment
18. Service Provider Management

You don’t have to implement all 18 at once. Start with the basics and grow from there.

How 101 IT Helps You Implement CIS Controls

Many businesses we work with want something that works without needing a PhD in cybersecurity. That’s where the CIS Controls shine—and we help you bring them to life.

Our approach includes:

• Initial Assessment: Which controls are already in place, and which need attention?
• Roadmap Creation: Prioritized implementation based on your IG level.
• Tool Selection & Configuration: We recommend tools aligned with your goals and budget.
• Ongoing Monitoring: Controls don’t mean much if they’re not maintained.
• Training & Awareness: Empowering your team to understand and use these controls effectively.

Real-World Example

A regional accounting firm came to us after experiencing a phishing attack. They didn’t have structured controls in place.

We helped them implement IG1 controls like secure email gateways, multi-factor authentication, and endpoint protection—all part of CIS Controls. Within weeks, their risk posture improved significantly, and they could demonstrate cybersecurity due diligence to their clients.

Final Thoughts

The CIS Controls are like a playbook for cyber defense: simple, direct, and powerful.

At 101 IT, we’re here to help you take that playbook and make it your own. No stress, no tech jargon—just clear steps to a more secure business.

Want to start building a stronger foundation for your cybersecurity? Let’s connect.