CIS Controls v7.1 IG1
Deprecated Framework
Best for: Organizations that adopted CIS Controls v7.1 IG1 as their security baseline and have not yet migrated to v8. CIS defines IG1 by resource profile rather than headcount: small to medium enterprises with limited IT and security expertise and no full-time security team, which need a minimum standard of cyber hygiene. Some cyber insurance providers and managed service providers still reference v7.1 in policy language or contractual obligations, so continued compliance is necessary until those agreements are updated.
| Attribute | Detail |
| --- | --- |
| Mandatory? | Voluntary security baseline |
| Who validates? | Self-assessment or third-party |
| Renewal | No fixed cycle |
| Scope | All organizations; Implementation Group 1 (basic hygiene) |
🏛 Center for Internet Security (CIS) · CIS Controls v7.1 IG1 (superseded by v8.0)
Get Started
module "..." {
  source  = "cisv71ig1.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Access Control and Credential Hygiene: Runs 4 controls. One evaluates IAM policies for Allow statements that grant a whole service through a wildcard action (for example s3:*); the other three flag stale credentials: access keys unused for 45 days, console passwords unused for 45 days, and IAM users with any credential unused for 90 days. Controls: iam_all_policy_no_service_wild_card, iam_user_access_key_unused_45, iam_user_console_access_unused_45, iam_user_unused_credentials_90.
- Backup and Data Recovery: Two controls check AWS Backup plan configuration: one enforces minimum 35-day retention, the other validates that all recovery points have encryption enabled. Controls: backup_plan_min_retention_35_days, backup_recovery_point_encryption_enabled.
- Logging and Monitoring: Checks whether S3 server access logging is enabled across buckets. One control: s3_bucket_logging_enabled.
- Patch Management: Validates that SSM-managed instances report compliant patch status against your defined baselines. One control: ssm_managed_instance_compliance_patch_compliant.
- Network Segmentation and Remote Access: Flags network ACLs whose inbound allow rules expose port 22 (SSH) or 3389 (RDP) to any source (0.0.0.0/0 or ::/0). One control: vpc_network_acl_remote_administration.
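The IAM wildcard check and the NACL remote-administration check are the two controls above whose pass/fail logic is not obvious from the name, and both have edge cases that a presence check misses. The Python below is an added reference implementation run over constructed sample data; it is not Compliance.tf's code, and the exact conditions it applies are assumptions made here: a bare "*" and an Allow statement with NotAction are treated as wildcard grants, Deny statements are ignored, and "open from anywhere" is decided by NACL rule order (first match wins) separately for the IPv4 and IPv6 catch-all CIDRs.

```python
"""Reference checks for two CIS v7.1 IG1 controls, over constructed sample data.

Not the Compliance.tf implementation; the scope of each check is an assumption.
"""
from __future__ import annotations


def _as_list(value) -> list:
    """IAM policy JSON allows a string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_service_wildcards(policy: dict) -> list[str]:
    """Return Allow actions that grant a whole service ('ec2:*') or everything ('*').

    Deny statements are skipped: a Deny wildcard narrows access, it does not widen it.
    An Allow statement using NotAction is reported because it grants every action not
    listed, which is at least as broad as a service wildcard. (Assumed scope.)
    """
    findings: list[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction=" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(action)
    return findings


REMOTE_ADMIN_PORTS = (22, 3389)      # SSH, RDP
ANY_SOURCE = ("0.0.0.0/0", "::/0")   # IPv4 and IPv6 catch-all CIDRs, evaluated separately
TCP_PROTOCOLS = {"6", "-1"}          # EC2 protocol numbers: TCP, or "all traffic"


def _rule_covers_port(entry: dict, port: int) -> bool:
    """True if a NACL entry applies to TCP traffic on the given port."""
    if entry.get("Protocol") not in TCP_PROTOCOLS:
        return False
    if entry.get("Protocol") == "-1":    # "all traffic" entries carry no PortRange
        return True
    rng = entry.get("PortRange") or {}
    return rng.get("From", 0) <= port <= rng.get("To", 65535)


def nacl_open_remote_admin(entries: list[dict]) -> list[int]:
    """Return remote-admin ports that inbound NACL entries allow from any source.

    Entries are evaluated the way a VPC does: ascending RuleNumber, first match wins.
    Only catch-all rules decide the "from anywhere" question: a narrower allow does
    not open the port to everyone and a narrower deny does not close it to everyone,
    so both are skipped. IPv4 and IPv6 catch-alls form independent chains.
    """
    inbound = sorted((e for e in entries if not e.get("Egress")), key=lambda e: e["RuleNumber"])
    open_ports: set[int] = set()
    for port in REMOTE_ADMIN_PORTS:
        for any_cidr in ANY_SOURCE:
            for entry in inbound:
                cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
                if cidr != any_cidr or not _rule_covers_port(entry, port):
                    continue
                if entry["RuleAction"] == "allow":
                    open_ports.add(port)
                break                      # first matching catch-all rule decides this chain
    return sorted(open_ports)


# --- Constructed sample data (shaped like the IAM and EC2 DescribeNetworkAcls APIs) ---
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},      # flagged
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},       # not flagged
    ],
}


def _entry(num: int, action: str, cidr: str, frm: int | None = None, to: int | None = None,
           proto: str = "6", egress: bool = False) -> dict:
    e = {"RuleNumber": num, "RuleAction": action, "Egress": egress, "Protocol": proto}
    e["Ipv6CidrBlock" if ":" in cidr else "CidrBlock"] = cidr
    if frm is not None:
        e["PortRange"] = {"From": frm, "To": to}
    return e


WEAK_NACL = [_entry(100, "allow", "0.0.0.0/0", 0, 65535)]            # allow-all inbound
FIXED_NACL = [                                                          # denies before the allow-all
    _entry(90, "deny", "0.0.0.0/0", 22, 22),
    _entry(91, "deny", "0.0.0.0/0", 3389, 3389),
    _entry(100, "allow", "0.0.0.0/0", 0, 65535),
    _entry(110, "allow", "203.0.113.0/24", 22, 22),                    # narrow allow: not "anywhere"
]
MISORDERED_NACL = [                                                     # denies after the allow-all never match
    _entry(100, "allow", "0.0.0.0/0", 0, 65535),
    _entry(200, "deny", "0.0.0.0/0", 22, 22),
    _entry(210, "deny", "0.0.0.0/0", 3389, 3389),
]
IPV6_GAP_NACL = FIXED_NACL + [_entry(120, "allow", "::/0", 3389, 3389)]  # IPv4 closed, IPv6 open

if __name__ == "__main__":
    print(policy_service_wildcards(SAMPLE_POLICY))    # ['ec2:*']
    print(nacl_open_remote_admin(WEAK_NACL))           # [22, 3389]
    print(nacl_open_remote_admin(FIXED_NACL))          # []
    print(nacl_open_remote_admin(MISORDERED_NACL))     # [22, 3389]
    print(nacl_open_remote_admin(IPV6_GAP_NACL))       # [3389]
```

The MISORDERED_NACL and IPV6_GAP_NACL cases are the ones worth remembering: a deny rule numbered after an allow-all never fires, and an IPv4 deny says nothing about the ::/0 chain, so a check that only looks for the presence of a deny on port 22 would pass both.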
What you handle
- Access Control and Credential Hygiene: Defining and enforcing an access review cadence, documenting role-based access control decisions, and handling credential revocation workflows when controls flag stale accounts.
- Backup and Data Recovery: Restore testing is on you. Document RTOs and RPOs, run periodic restore drills, and verify that recovered data passes integrity checks.
- Logging and Monitoring: Configuring log retention policies, setting up alerting on suspicious access patterns, and ensuring log destination buckets are secured and not publicly accessible.
- Patch Management: Defining patch windows, approving patches through SSM patch baselines, ensuring all EC2 instances are registered with SSM, and documenting exceptions for instances that cannot be patched immediately.
- Network Segmentation and Remote Access: Implementing VPN or bastion host architectures for administrative access, maintaining network diagrams, and reviewing security group rules, which the NACL control above does not evaluate.
Controls by Category
CIS Control 10: Data Recovery Capabilities (1 control)
Organizations frequently fail here with backup plan rules that have no explicit lifecycle, or a lifecycle that expires recovery points before 35 days, and by leaving recovery point encryption disabled in dev and staging accounts. Auditors want to see backup plans with documented minimum retention (at least 35 days) and encryption enabled on all recovery points, not just production.
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs (1 control)
A common gap: CloudTrail management events capture API-level activity, but S3 server access logging is off and no CloudTrail data events are configured, so object-level reads and writes go unrecorded. Assessors specifically check server access logging on buckets that handle sensitive data or that serve as log destinations themselves.
Related Frameworks
CIS Controls v8.0 IG1 — 🟢 High overlap (85%)
CIS v8 IG1 is the direct successor. Most v7.1 IG1 safeguards map to v8 IG1, but v8 reorganized the control numbering (e.g., v7.1 Control 4 maps to v8 Controls 5 and 6) and added safeguards around service provider management. Migration requires remapping but rarely introduces net-new technical controls.
NIST CSF v1.0 — 🟢 High overlap (60%)
CIS publishes an official mapping of Controls v7.1 to NIST CSF subcategories. IG1 covers the Protect and Detect functions well but has limited coverage of the Identify, Respond, and Recover functions, which NIST CSF addresses more broadly.
NIST 800-53 Rev 5 — 🟡 Medium overlap (30%)
NIST 800-53 Rev 5 contains over 1,000 controls across 20 families. CIS v7.1 IG1's 43 safeguards map to a small subset, primarily AC (Access Control), SI (System and Information Integrity), CP (Contingency Planning), and AU (Audit and Accountability) families.