What is the difference between IG1, IG2, and IG3?

Implementation Group 1 is the baseline — every organisation should achieve at least IG1. IG2 adds additional safeguards for organisations with sensitive data and moderate IT complexity. IG3 adds further safeguards for organisations with extensive IT complexity, regulated data, and adversaries that target them specifically.

Are CIS Controls and CIS Benchmarks the same?

No. CIS Controls v8 are the high-level prioritised security controls. CIS Benchmarks are the configuration-hardening guides for specific systems (Windows 11, macOS, RHEL, M365, etc.) that operationalise many of the controls.

Does Lavawall® enforce CIS Benchmark configurations?

Lavawall® assesses configuration against CIS Benchmarks and surfaces deviations. Active enforcement (changing the configuration to match the benchmark) is supported via policy and scripting.

Best CIS Controls v8 implementation tools for MSPs (2026)

CIS Controls v8 (the Center for Internet Security Critical Security Controls) are the prioritised cybersecurity controls maintained by CIS — 18 top-level controls divided into three Implementation Groups (IG1, IG2, IG3) by organisation maturity. They are widely cited by cyber-insurance carriers, US state governments, and enterprise security programmes.

CIS Benchmarks are the related configuration-hardening guides for specific operating systems, applications, and cloud services. They are the practical “how do I configure this securely” reference behind many controls.

For MSPs, CIS Controls v8 plus CIS Benchmarks is one of the most actionable framework pairs to deliver against — concrete, prioritised, and broadly accepted by insurers and assessors.

What to look for

Direct CIS Controls v8 mapping (IG1 / IG2 / IG3). Direct mapping to all 18 controls and their safeguards, segmented by Implementation Group.
CIS Benchmarks support. Configuration-hardening evidence aligned to CIS Benchmarks for Windows, macOS, Linux, M365, and other targets.
Continuous endpoint evidence. Configuration, patching, software inventory, account inventory, audit log evidence collected continuously from endpoints.
Multi-tenant for MSPs. Per-client isolation; standard CIS profile pushed to new tenants in minutes.
Co-branded posture reports. Per-client reports formatted for cyber-insurance assessment and client business reviews.
Bundled with patching, application control, and breach detection. Many CIS controls require active enforcement. Bundled platforms close gaps without separate tools.

Options to evaluate

Lavawall®MSP platform with CIS Controls v8 first-class

Direct CIS Controls v8 mapping across all 18 controls and IG1/IG2/IG3 safeguards. Configuration-vulnerability assessment aligned to CIS Benchmarks for Windows, macOS, and Linux. Continuous endpoint evidence. Multi-tenant by design with co-branded posture reports. Bundled with 7,500+ application patching, kernel-free application control, and breach detection so CIS gaps can be closed in the same platform.

Best when: MSPs delivering CIS Controls v8 readiness as a service, particularly for cyber-insurance assessments.

ConnectSecure / CyberCNSVulnerability scanning with CIS reporting

MSP-focused vulnerability scanning with CIS reporting. Strong on per-client vulnerability deliverables; not bundled with patching, app control, or breach detection.

Best when: MSPs whose primary need is CIS-aligned vulnerability scanning.

Tenable / Nessus + custom dashboardsVulnerability scanning + manual reporting

Mature vulnerability scanning with manual mapping to CIS Controls. Powerful but operationally heavy.

Best when: Organisations with dedicated vulnerability-management teams.

Excel + audit-firm engagementManual approach

Manual control inventory and evidence collection. Doesn't scale to MSP delivery.

Best when: Single small organisations with one-off CIS assessments.

How Lavawall® fits

Lavawall® maps to CIS Controls v8 directly across all 18 controls and IG1/IG2/IG3 safeguards. Configuration evidence is collected continuously from Windows, macOS, and Linux endpoints with results aligned to CIS Benchmarks.

Patching evidence (CIS Control 7), software inventory (Control 2), account inventory (Control 5), application control (Control 2.5), audit log management (Control 8), and other controls flow directly from the same agent — no separate integration.

For cyber-insurance assessments specifically, the CIS-aligned posture report covers what most carriers ask about and produces co-branded output the MSP can deliver to the client.

Frequently asked

What is the difference between IG1, IG2, and IG3?: Implementation Group 1 is the baseline — every organisation should achieve at least IG1. IG2 adds additional safeguards for organisations with sensitive data and moderate IT complexity. IG3 adds further safeguards for organisations with extensive IT complexity, regulated data, and adversaries that target them specifically.
Are CIS Controls and CIS Benchmarks the same?: No. CIS Controls v8 are the high-level prioritised security controls. CIS Benchmarks are the configuration-hardening guides for specific systems (Windows 11, macOS, RHEL, M365, etc.) that operationalise many of the controls.
Does Lavawall® enforce CIS Benchmark configurations?: Lavawall® assesses configuration against CIS Benchmarks and surfaces deviations. Active enforcement (changing the configuration to match the benchmark) is supported via policy and scripting.