Cybersecurity frameworks can feel overwhelming—especially if you’re not sure which one fits your business. The good news? You don’t have to implement them all. Many organizations start with the CIS Controls: a clear, prioritized set of cybersecurity best practices developed and maintained by the Center for Internet Security (CIS).
Whether you’re a small business just getting started or a growing company aiming to strengthen your security posture, the CIS Controls offer a practical, scalable roadmap. Below, we’ll break down what the CIS Controls are, how they work, and why they’re a strong starting point for SMBs looking to improve their cybersecurity resilience.
What are the CIS Controls?
The CIS Controls are a set of 18 prioritized cybersecurity best practices designed to help organizations defend against the most common cyber threats, like ransomware, phishing, and data breaches. Originally introduced as the “SANS Top 20,” the CIS Controls have since evolved into a globally respected framework, now in version 8.
They’re maintained by the Center for Internet Security, a nonprofit organization that develops trusted guidance to help protect public and private sector systems. Today, organizations of all sizes, including government agencies, healthcare providers, financial institutions, and schools, use the CIS Controls as a roadmap to stronger security.
Unlike complex regulatory frameworks like CMMC or ISO 27001, the CIS Controls are clear, prescriptive, and easy to follow. They’re especially well-suited to SMBs that want a practical starting point or a flexible complement to other compliance requirements. Wherever you are on your journey to leveling up your security efforts, the CIS Controls offer an actionable path forward.
Why CIS Controls matter for your business
For small and mid-sized businesses, cybersecurity can feel like a moving target full of technical jargon, evolving threats, and high expectations from customers, insurers, and regulators alike. The CIS Controls offer clarity in the noise. Here’s why they’re worth your time:
- Prioritized by risk: You start with what matters most. The Controls are ranked so you can focus on critical, high-impact safeguards before moving on to more advanced protections.
- Mapped to major frameworks: CIS Controls align with industry standards like NIST, ISO 27001, HIPAA, PCI-DSS, and more, making them a smart choice whether you need a starting point or a bridge to broader compliance.
- Right-sized for your organization: Whether you’re a five-person startup or scaling past 200 employees, the Controls are structured to grow with you. You can implement what fits now, and expand over time.
- Cost-effective and practical: These aren’t theoretical guidelines. They emphasize core cyber hygiene, operational readiness, and measurable outcomes without the need for a huge security budget or in-house team.
- Valuable for insurance and audits: CIS Controls can help demonstrate due diligence to cyber insurers, auditors, and regulators, potentially lowering premiums or expediting reviews.
- A boost for sales and trust: Many B2B buyers now expect security proof early in the sales process. CIS Controls offer a tangible way to show that your business takes cybersecurity seriously.
In short, the CIS Controls offer SMBs a practical path to risk reduction, regulatory alignment, customer trust, and long-term security maturity. For SMBs navigating limited time and resources, they deliver maximum impact with minimal overhead.
Understanding the three Implementation Groups (IGs)
The idea of 18 cybersecurity controls can feel daunting at first, but here’s where the CIS framework really stands out. To help organizations implement the Controls in a realistic, risk-aware way, CIS introduced Implementation Groups (IGs).
These tiered groups align your security priorities with your business’s size, complexity, and exposure to risk, so you’re focusing time and resources where they matter most. Instead of trying to tackle everything at once, you begin with the safeguards that matter most for your situation, and evolve them over time.
Here’s how the three Implementation Groups break down:
- IG1: Basic cyber hygiene. Designed for small businesses and organizations with limited IT resources or lower risk profiles. IG1 covers fundamental safeguards that defend against the most common attacks.
- IG2: Increased risk environments. For organizations that store or process more sensitive data (e.g., customer PII, medical records, financial information) or face more frequent or sophisticated threats. IG2 builds on IG1 with additional technical and operational controls.
- IG3: Complex or regulated environments. Tailored for larger enterprises or critical infrastructure sectors with high-value assets, multiple compliance obligations, or advanced adversaries. IG3 includes all CIS Controls and emphasizes depth, monitoring, and documentation.
Most SMBs will start with IG1, and that’s not just acceptable, it’s smart. IG1 alone can help protect your business from a majority of real-world threats, and it’s often more than enough to satisfy basic client and auditor requirements. As your business grows or your risk exposure increases, you can scale up to IG2 or IG3 with confidence.
Each group prioritizes a different subset of safeguards. But what exactly do those safeguards focus on, and how do they fit into your broader security strategy? Let’s break down the five functional categories of the CIS Controls and what they mean in practice.
A closer look at the 18 CIS Controls
The 18 CIS Controls span five cybersecurity domains. These functional categories help clarify what kinds of practices your team will focus on as you implement the Controls. These aren’t abstract principles; they’re hands-on practices your team can adopt to reduce risk, one step at a time.
Here’s a high-level view of what the Controls cover:
- Asset management: Keep track of what you own and what’s running in your environment—from company laptops to cloud-based tools. (Controls 1–2)
- Data protection: Safeguard your critical information through encryption, secure storage, and tested recovery procedures. (Controls 3–4)
- Access control: Make sure only the right people have access to sensitive systems and data. This includes multi-factor authentication (MFA), account monitoring, and permission reviews. (Controls 5–6)
- Security operations: Stay alert and ready. This includes logging, monitoring, incident response planning, and vulnerability management. (Controls 7–16)
- Foundational practices: Build awareness and resilience through secure application development, phishing defenses, and workforce training. (Controls 17–18)
Each of the 18 Controls includes a set of Safeguards: concrete, measurable actions that make the control real. Your Implementation Group (IG1, IG2, or IG3) determines which Safeguards apply to your organization, and in what order to implement them.
How to start implementing the CIS Controls
You don’t need a massive team or budget to start using the CIS Controls. What you do need is a clear, step-by-step approach, and a willingness to improve over time. Here’s how SMBs can get started and build momentum:
1. Conduct a baseline assessment
Before you take action, figure out where you stand. What safeguards do you already have in place (e.g., multi-factor authentication, regular data backups, endpoint protection, basic firewall settings)? Where are the gaps? This step gives you a starting point and helps avoid redundant work.
2. Identify your Implementation Group (IG)
Most small and mid-sized businesses will fall into IG1, which focuses on basic cyber hygiene and high-impact protections. It’s the most accessible entry point, and for many SMBs, IG1 alone is enough to meaningfully reduce risk.
3. Use available tools to guide and track progress
CIS offers both free and paid tools to support implementation:
- CIS Controls Spreadsheet: A comprehensive Excel document detailing all 18 Controls and their associated Safeguards. It's an excellent resource for tracking your implementation progress.
- CIS-CAT Lite: A free assessment tool that helps organizations evaluate their implementation of the CIS Controls.
- CIS-CAT Pro: A more advanced, subscription-based tool offering in-depth assessments and additional features.
Starting with the free tools can provide valuable insights. As your organization’s needs grow, transitioning to paid tools like CIS-CAT Pro can offer more comprehensive support.
4. Plan one step at a time
Pick a control area, like asset management or MFA, and focus your efforts there. Document your progress and improvements, and use that momentum to move on to the next area. CIS Controls are designed to be implemented incrementally.
5. Monitor, maintain, and evolve
Cybersecurity is an ongoing process. Regularly review and update your controls to adapt to evolving threats and organizational changes. This means:
- Periodic reviews: Schedule regular assessments to evaluate the effectiveness of implemented controls.
- Staying informed: Keep abreast of the latest cybersecurity trends and updates to the CIS Controls.
- Continuous improvement: Use feedback from assessments to refine and enhance your cybersecurity measures.
By following this structured approach, SMBs can build a robust cybersecurity framework that not only protects their assets but also instills confidence among clients and partners.
Real-world benefits of CIS compliance
CIS compliance isn’t just good advice; it’s a globally respected guide. By implementing the Controls, SMBs can reduce risk, build trust, and lay the groundwork for long-term security resilience. Here’s what that looks like in action:
- Establish a repeatable program: CIS compliance gives you a consistent process for assessing, improving, and communicating your security posture over time.
- Reduce downtime and recovery costs: Proactive safeguards mean fewer surprises—and faster, more effective responses when incidents occur.
- Strengthen customer trust: B2B buyers increasingly expect security validation early in the sales process. CIS compliance offers a clear way to prove readiness.
- Accelerate deals and renewals: A documented cybersecurity program can speed up vendor onboarding, procurement reviews, and annual security assessments.
- Support legal and regulatory defensibility: Following a widely accepted framework like CIS can help demonstrate due diligence in the event of a breach or investigation.
- Align internal teams around security: The Controls clarify responsibilities and make cybersecurity more accessible to non-technical stakeholders.
- Create a launchpad for future compliance: Because the CIS Controls map to NIST, ISO 27001, HIPAA, PCI-DSS, and others, they make it easier to grow into more advanced frameworks as your needs evolve.
Whether you’re trying to win new business, satisfy a security questionnaire, or simply protect what you’ve built, CIS compliance delivers real-world benefits you can measure.
Final thoughts: Why CIS compliance is a smart starting point
The CIS Controls Framework is more than a list of best practices; it’s a cybersecurity roadmap designed for real-world teams. It’s approachable for small businesses, scalable for growing companies, and compatible with more advanced frameworks like NIST or ISO when you’re ready.
If you’re looking to build a strong foundation without unnecessary complexity, CIS compliance is one of the most effective places to start. It aligns your team around what matters most, helps you make measurable progress, and puts you on a path toward lasting cybersecurity resilience.
That said, the CIS Controls are a smart entry point—but they’re just one part of the cybersecurity puzzle. If your team is handling healthcare data, explore our guide to HIPAA compliance or see how HITRUST certification builds on frameworks like CIS to support more complex environments. You can also learn how the NIST Cybersecurity Framework complements CIS with broader risk management practices, or get a practical overview of PCI DSS compliance if your business processes cardholder data. For an all-up view, our SMB cybersecurity guide brings it all together—making sense of today’s compliance landscape for growing businesses.
Want help getting started? We guide SMBs through CIS compliance every day—mapping the right controls to your goals, tools, and team. Let’s build your foundation together.