What Is CIS Controls IG1?
The Center for Internet Security (CIS) publishes a set of cybersecurity best practices called the CIS Controls. The full framework has 18 control groups and 153 individual safeguards — covering everything from basic cyber hygiene to advanced threat hunting.
To make this manageable, CIS divides organizations into three Implementation Groups based on size and resources:
- IG1: 56 safeguards. Designed for small businesses with limited IT resources. This is the minimum every organization should have.
- IG2: 130 safeguards (includes all IG1). For mid-sized organizations with dedicated IT staff.
- IG3: 153 safeguards (all controls). For large enterprises with mature security programs.
IG1 is the starting point — the 56 safeguards that CIS considers essential for every organization, regardless of size. Think of it as the minimum viable security program. Not the ceiling — the floor.
The good news: IG1 was specifically designed for organizations without a dedicated security team. You don't need a CISO or a security operations center to implement it. You need a managed IT provider who knows what they're doing.
Who Needs CIS Controls IG1?
Technically, CIS says IG1 is the baseline for all organizations. But in practice, it's most directly relevant to:
- Small businesses with 20–99 employees that handle any sensitive customer or employee data
- Texas businesses with 20–99 employees that want to qualify for SB 2610 safe harbor protection
- Professional services firms, medical practices, law firms, financial advisors, and retailers
- Government contractors who need a documented security baseline (CMMC Level 1 overlaps significantly with IG1)
- Any organization that wants cyber insurance and needs to demonstrate a baseline security posture
If you're a Texas business with 20–99 employees and you want the SB 2610 safe harbor, IG1 is your specific target. Implement all 56 safeguards, document everything, and you qualify.
The 56 IG1 Safeguards Broken Down by Category
All 56 IG1 safeguards grouped by functional area — what you actually need to implement.
- Establish and maintain a detailed enterprise asset inventory
- Ensure unauthorized assets are either removed or remediated
- Establish and maintain a software asset inventory
- Ensure unauthorized software is either removed or not installed
- Establish and maintain a secure configuration process
- Establish and maintain a secure configuration for network infrastructure
- Configure automatic session locking on enterprise assets
- Implement and manage a firewall on servers
- Implement and manage a firewall on end-user devices
- Securely manage enterprise assets and software
- Manage default accounts on enterprise assets and software
- Establish and maintain an inventory of accounts
- Use unique passwords for all accounts
- Disable dormant accounts
- Restrict administrator privileges to dedicated administrator accounts
- Establish and maintain an inventory of service accounts
- Establish an access granting process
- Establish an access revoking process
- Require MFA for externally-exposed applications
- Require MFA for remote network access
- Establish and maintain a data management process
- Establish and maintain a data inventory
- Configure data access control lists
- Enforce data retention policies
- Securely dispose of data
- Establish and maintain a data recovery practice
- Perform automated backups
- Protect recovery data
- Test data recovery
- Establish and maintain a vulnerability management process
- Establish and maintain a remediation process
- Perform automated operating system patch management
- Perform automated application patch management
- Deploy and maintain anti-malware software
- Configure automatic anti-malware signature updates
- Disable autorun and autoplay for removable media
- Ensure only fully supported browsers and email clients are used
- Use DNS filtering services
- Maintain and enforce network-based URL filters
- Restrict unnecessary or unauthorized browser and email client extensions
- Ensure network infrastructure is kept up-to-date
- Establish and maintain a secure network architecture
- Centralize security event alerting
- Deploy a host-based intrusion detection solution
- Deploy a host-based intrusion prevention solution
- Establish and maintain a security awareness program
- Train workforce members to recognize social engineering attacks
- Train workforce on authentication best practices
- Establish and maintain an incident response process
- Assign key roles and responsibilities for incident response
- Conduct post-incident reviews
- Establish and maintain an audit log management process
- Collect audit logs
- Ensure adequate audit log storage
- Establish and maintain a service provider management policy
- Use vetted and supported third-party software
Documentation is non-negotiable. For SB 2610 purposes, it's not enough to just implement these safeguards — you need dated records proving they were in place before any breach. Policies, training logs, configuration records, backup test results. All of it.
How CIS Controls IG1 Connects to Texas SB 2610
Texas SB 2610 — the "Safe Harbor" law effective September 1, 2025 — gives small businesses a legal defense against punitive damages in data breach lawsuits. But to claim that defense, you need a documented cybersecurity program that meets the requirements for your employee tier.
For businesses with 20–99 employees, that requirement is CIS Controls Implementation Group 1. Implement all 56 safeguards, document everything, and you qualify for the safe harbor.
- Under 20 employees: Basic policies + training + incident plan
- 20–99 employees: CIS Controls IG1 (all 56 safeguards) ← This article
- 100–249 employees: NIST CSF / ISO 27001 / SOC 2
The critical rule: your IG1 program must be implemented and documented before a breach occurs. You cannot retroactively claim the safe harbor after an incident. This is why acting now — not after something goes wrong — is so important.
Want the full SB 2610 picture?
Read our complete plain-English guide to Texas SB 2610 — who qualifies, all three tiers, and what to do right now.
How to Implement CIS Controls IG1
Here's a realistic implementation sequence. Don't try to do everything at once — prioritize by impact and build from there.
Start with inventory (Controls 1 & 2)
You can't secure what you don't know about. Spend a week documenting every device and every piece of software in your environment. This is the foundation everything else builds on.
Lock down accounts and access (Controls 5 & 6)
Enable MFA on everything. Remove accounts for people who no longer work there. Make sure nobody has more access than they need. These two controls prevent the majority of successful attacks.
Get patching under control (Control 7)
Set up automatic updates for operating systems and applications. Critical patches should be applied within 14 days. This closes the vulnerabilities attackers exploit most.
Implement backups and data protection (Controls 3 & 11)
Set up automated, tested backups stored somewhere ransomware can't reach. Document your data inventory. This is your recovery plan if everything else fails.
Secure your configurations (Control 4)
Change default passwords on all devices. Enable firewalls. Configure automatic screen locks. Disable features you don't use. This is tedious but critical.
Deploy email and malware protection (Controls 9 & 10)
Set up email filtering, DNS filtering, and anti-malware on all devices. Keep them updated. Email is the #1 attack vector — this is non-negotiable.
Train your team and build your incident plan (Controls 14 & 17)
Run annual security awareness training. Write a simple incident response plan. Document who to call, what to do first, and how to notify customers. Keep records of training attendance.
Document everything as you go
For SB 2610 purposes, documentation is as important as implementation. Date-stamp your policies. Keep training records. Log your backup tests. This is your legal evidence trail.
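The two rules this sequence keeps coming back to (every safeguard must have dated evidence that predates a breach, and critical patches go on within 14 days) can be checked mechanically. The script below is an added example, not code from the article or from Segler.Net; the record layout (a safeguard name, an implementation date, a list of dated evidence artifacts, and a per-host patch log) is an assumption, since the article prescribes no format.

```python
from datetime import date

# Figures stated in the article: IG1 has 56 safeguards; critical patches within 14 days.
IG1_SAFEGUARD_COUNT = 56
PATCH_SLA_DAYS = 14

def safe_harbor_gaps(records, breach_date, required=IG1_SAFEGUARD_COUNT):
    """List everything that would undermine an SB 2610 safe-harbor claim.

    A safeguard only counts when it was implemented before the breach AND has at
    least one dated piece of evidence (policy, training log, backup test) that also
    predates the breach. Anything dated on or after the breach is ignored.
    """
    problems = []
    names = {r["safeguard"] for r in records}
    if len(names) < required:
        problems.append(f"only {len(names)} of {required} safeguards recorded")
    for r in records:
        if r["implemented"] >= breach_date:
            problems.append(f"{r['safeguard']}: implemented on/after the breach")
        if not any(e["date"] < breach_date for e in r["evidence"]):
            problems.append(f"{r['safeguard']}: no pre-breach evidence")
    return problems

def overdue_patches(patch_log, as_of):
    """Hosts whose critical patch is still pending past the 14-day window."""
    return [p["host"] for p in patch_log
            if p["applied"] is None and (as_of - p["released"]).days > PATCH_SLA_DAYS]

# Constructed sample data (not real records): three safeguards and three hosts.
BREACH_DATE = date(2025, 9, 15)
SAMPLE_RECORDS = [
    {"safeguard": "Perform automated backups", "implemented": date(2025, 6, 1),
     "evidence": [{"kind": "backup test log", "date": date(2025, 8, 15)}]},
    {"safeguard": "Require MFA for remote network access", "implemented": date(2025, 7, 10),
     "evidence": [{"kind": "VPN config export", "date": date(2025, 10, 2)}]},  # too late
    {"safeguard": "Disable dormant accounts", "implemented": date(2025, 9, 20),
     "evidence": []},
]
SAMPLE_PATCHES = [
    {"host": "WS-01", "released": date(2025, 9, 1), "applied": date(2025, 9, 5)},
    {"host": "WS-02", "released": date(2025, 9, 1), "applied": None},   # 19 days pending
    {"host": "WS-03", "released": date(2025, 9, 10), "applied": None},  # 10 days pending
]

def demo():
    """Run both checks over the constructed sample data."""
    return (safe_harbor_gaps(SAMPLE_RECORDS, BREACH_DATE),
            overdue_patches(SAMPLE_PATCHES, date(2025, 9, 20)))

if __name__ == "__main__":
    gaps, overdue = demo()
    print("\n".join("GAP: " + g for g in gaps))
    print("overdue patches:", overdue)
```

Run against your own records, the output is the list of items an opposing lawyer would point at; an empty list for both checks is the goal.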
Common Mistakes to Avoid
Implementing without documenting
You can have every control in place and still lose the SB 2610 defense if you can't prove it. Documentation isn't optional — it's the whole point. Date everything.
Treating it as a one-time project
IG1 is an ongoing program, not a checkbox. Accounts need to be reviewed when people leave. Patches need to be applied continuously. Backups need to be tested regularly. If you set it up and forget it, you're not compliant.
Skipping the inventory steps
Controls 1 and 2 (asset and software inventory) feel boring, but they're the foundation. If you don't know what's on your network, you can't secure it. Don't skip them.
Confusing "installed" with "configured"
Installing anti-malware software doesn't mean you're compliant with Control 10. It needs to be configured for automatic updates and regular scans. The configuration matters as much as the installation.
Waiting until after a breach
This is the big one. SB 2610 requires your program to be in place before a breach. There is no retroactive protection. If you're reading this after an incident, it's too late for this breach — but not for the next one.
The Bottom Line
CIS Controls IG1 is not a compliance burden — it's a practical security checklist that makes your business genuinely harder to attack. The 56 safeguards cover the most common attack vectors: weak passwords, unpatched software, phishing emails, missing backups, and uncontrolled access.
For Texas businesses with 20–99 employees, implementing IG1 does double duty: it makes you more secure and it qualifies you for the SB 2610 safe harbor against punitive damages in breach lawsuits.
The implementation isn't trivial — 56 safeguards across 18 control areas takes real work. But it's absolutely achievable for a business your size, especially with a managed security provider handling the technical implementation and documentation.
The only wrong move is waiting. Every day without a documented program is a day you're exposed — both to attackers and to the full weight of a breach lawsuit.
Ready to Implement CIS Controls IG1?
Segler.Net implements and manages all 56 IG1 safeguards for Texas small businesses — including full documentation for SB 2610 safe harbor qualification. Start with a free assessment.