Enum: ImplementationGroup
Self-assessed tier of CIS Controls applicability based on an enterprise's risk profile and resources. Each IG is cumulative — IG2 includes IG1, IG3 includes both. Introduced in CIS Controls v7.1 as the recommended way to prioritize implementation.
URI: cis_controls:ImplementationGroup
Permissible Values
| Value | Meaning | Description |
|---|---|---|
| IG1 | None | Small to medium-sized enterprise with limited IT and cybersecurity expertise ... |
| IG2 | None | Enterprise employing individuals responsible for managing and protecting IT i... |
| IG3 | None | Enterprise employing security experts that specialize in the different facets... |
Slots
| Name | Description |
|---|---|
| implementation_groups | The Implementation Group(s) for which this Safeguard is applicable |
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/cis-controls
LinkML Source
```yaml
name: ImplementationGroup
description: Self-assessed tier of CIS Controls applicability based on an enterprise's
  risk profile and resources. Each IG is cumulative — IG2 includes IG1, IG3 includes
  both. Introduced in CIS Controls v7.1 as the recommended way to prioritize implementation.
from_schema: https://w3id.org/lmodel/cis-controls
rank: 1000
permissible_values:
  IG1:
    text: IG1
    description: Small to medium-sized enterprise with limited IT and cybersecurity
      expertise to dedicate toward protecting IT assets and personnel. The principal
      concern is to keep the business operational; limited tolerance for downtime;
      data sensitivity is low, principally surrounding employee and financial information.
      Safeguards should be implementable with limited cybersecurity expertise and
      designed to thwart general, non-targeted attacks using COTS hardware and software.
      Also called "Essential Cyber Hygiene."
  IG2:
    text: IG2
    description: Enterprise employing individuals responsible for managing and protecting
      IT infrastructure. Supports multiple departments with differing risk profiles
      based on job function and mission; may have regulatory compliance burdens; often
      stores and processes sensitive client or enterprise information and can withstand
      short interruptions of service. A major concern is loss of public confidence
      if a breach occurs. Safeguards help security teams cope with increased operational
      complexity; some depend on enterprise-grade technology and specialized expertise
      to properly install and configure. Includes all IG1 safeguards.
  IG3:
    text: IG3
    description: Enterprise employing security experts that specialize in the different
      facets of cybersecurity (e.g., risk management, penetration testing, application
      security). Assets and data contain sensitive information or functions subject
      to regulatory and compliance oversight; must address availability of services
      and the confidentiality and integrity of sensitive data; successful attacks
      can cause significant harm to the public welfare. Safeguards must abate targeted
      attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
      Includes all IG1 and IG2 safeguards.
```