CIS Controls v8.1 is the most widely adopted cybersecurity framework for small and mid-sized businesses — 18 control families, 153 safeguards, organized by priority. West Computers implements, documents, and maintains CIS Controls so your security program has a defensible, evidence-based foundation.
Most compliance frameworks were written for large organizations with dedicated security teams. CIS Controls v8.1 was built differently. Its Implementation Group model lets any business — from a 10-person law firm to a 500-employee manufacturer — adopt controls that match their size, risk, and resources.
IG1 alone covers the foundational safeguards that stop the vast majority of common attacks: inventory management, secure configuration, access control, malware defense, data recovery, and security awareness training. For many small businesses, IG1 is the right starting point — and it's often all that's needed to satisfy cyber insurance requirements and client security questionnaires.
For businesses with regulatory obligations or sensitive data, IG2 and IG3 add the controls needed for deeper protection — vulnerability management, audit logging, incident response, penetration testing, and application security.
CIS Controls are organized into three Implementation Groups so every business has a clear, prioritized path forward.
IG1: 56 safeguards that every organization should implement regardless of size or industry. IG1 covers the fundamentals — asset inventory, secure configuration, access controls, malware defense, data backup, and security awareness. This is the baseline that stops most common attacks and satisfies most cyber insurance applications.
IG2: 74 additional safeguards for organizations with increased risk exposure, regulatory obligations, or sensitive data. IG2 adds vulnerability management, audit logging, network monitoring, incident response planning, service provider management, and application security controls.
IG3: 23 additional safeguards for organizations handling highly sensitive data or facing sophisticated threat actors. IG3 adds penetration testing, advanced network defense, and controls designed to detect and respond to targeted attacks.
Every CIS Control maps to corresponding requirements in HIPAA, FTC Safeguards Rule, NIST CSF, and Cyber Essentials. One set of implemented controls can satisfy multiple compliance obligations simultaneously — reducing overhead and eliminating redundant work.
Each safeguard is tracked with documented evidence: configuration screenshots, policy records, audit logs, training completion records, and test results. When an auditor, insurer, or client asks for proof, it exists.
Cyber insurance applications are essentially asking whether you've implemented CIS Controls IG1. West Computers documents your controls in the format insurers expect — giving you stronger coverage terms and more defensible renewal conversations.
We assess your business size, industry, data sensitivity, and regulatory obligations to determine the right Implementation Group. Most small businesses start at IG1; businesses with compliance requirements like HIPAA or FTC Safeguards typically need IG2.
A structured review of your current environment against every safeguard in your target Implementation Group. Each control is scored as implemented, partially implemented, or missing — producing a documented gap report with risk ratings and remediation priorities.
We close gaps in priority order: asset inventory, secure configurations, access controls, endpoint protection, backup verification, email security, and security training. Every remediation is documented with before/after evidence and mapped to its CIS safeguard number.
Written policies aligned to CIS Controls — acceptable use, access management, incident response, data protection, vendor management, and change control. Policies are written for your business, not copied from a template.
Quarterly control reviews, continuous monitoring through our 24/7 SOC, annual gap reassessments, and evidence library maintenance. CIS Controls are a living program — not a one-time project.
The biggest advantage of CIS Controls is that they map directly to other compliance frameworks your business may need. Instead of implementing separate sets of controls for HIPAA, FTC Safeguards, and cyber insurance, you implement CIS Controls once and map the evidence to each framework.
West Computers maintains these cross-framework mappings for every client. When you need to prove HIPAA compliance, we pull the relevant CIS Controls evidence. When a cyber insurer asks about endpoint protection, we reference the same documented controls. One source of truth, multiple outputs.
This approach eliminates the compliance overhead that comes from treating each framework as a separate project — and it means every new compliance requirement you face is partially addressed before you start.