What Are CIS and the Critical Security Controls?
The Center for Internet Security (CIS) is a nonprofit organization known for producing practical cybersecurity guidance for both the public and private sectors. Its most influential contribution is the CIS Critical Security Controls — a prioritized set of best practices designed to help organizations reduce risk, improve resilience, and defend against the most common types of cyberattacks.
Think of them as a cybersecurity roadmap: instead of guessing what to do next, CIS tells you where to start, what to focus on, and how to track your progress.
The CIS Controls are grouped into three Implementation Groups (IG1–IG3), which correspond to an organization’s size, complexity, and available resources:
- IG1: Basic cyber hygiene – for small or resource-limited organizations.
- IG2: Recommended practices for organizations with moderate complexity or regulatory pressure.
- IG3: Advanced safeguards for high-value targets with dedicated security teams.
Each group includes a subset of controls tailored to its risk profile. This tiered approach makes it easier for organizations to adopt controls at a pace and scale that make sense for them — and to grow into stronger security postures over time.
What Is CIS Implementation Group 1 (IG1)?
IG1 is the foundation — the “must-do” list for any organization that uses IT to run day-to-day operations. It consists of 56 safeguards selected for their effectiveness against the most common attacks, including ransomware, phishing, insider misuse, and basic malware.
Key traits of IG1:
- Designed for organizations with limited IT and security resources
- Prioritizes ease of implementation with off-the-shelf tools
- Focuses on operational continuity and essential defense
Organizations that implement IG1 are often K-12 schools, local governments, nonprofit entities, and small to midsize businesses — groups frequently targeted by attackers but often underprepared.
CIS Control 2: Inventory and Control of Software Assets
CIS Control 2 is critical because you can’t protect what you don’t know exists. This control focuses on ensuring organizations maintain an accurate, up-to-date inventory of all software in use — and that only authorized software is permitted to run.
Here’s how it breaks down under IG1:
| Safeguard | Description | IG1 Requirement |
|---|---|---|
| 2.1 | Maintain a current inventory of all authorized software | Required |
| 2.2 | Ensure only authorized software is installed and executed | Required |
| 2.3 | Track software via automated tools | Required |
| 2.4 | Promptly address unauthorized or outdated software | Required |
| 2.5 | Implement application allowlisting | Not required in IG1 (first appears in IG2) |
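The inventory-versus-authorized-list check that the table describes can be shown in a few lines. This is an added example, not code from CIS or PC Matic: it reconciles an exported endpoint inventory against an authorized-software list and reports entries that are unauthorized, outdated, or carry a version that needs manual review. The authorized list, minimum versions, host names and inventory rows are constructed for illustration.

```python
from itertools import zip_longest

# Constructed authorized list: product name -> minimum approved version (assumed values).
AUTHORIZED = {"7-Zip": "23.01", "Mozilla Firefox": "128.0", "LibreOffice": "24.2.0"}

# Constructed inventory rows, shaped like an export from an inventory tool.
INVENTORY = [
    {"host": "frontdesk-01", "name": "Mozilla Firefox", "version": "128.0.3"},
    {"host": "frontdesk-01", "name": "LibreOffice", "version": "24.10.1"},
    {"host": "lab-07", "name": "7-Zip", "version": "9.20"},
    {"host": "lab-07", "name": "mozilla firefox ", "version": "115.9"},
    {"host": "office-03", "name": "ExampleToolbar", "version": "2.1"},  # hypothetical product
    {"host": "office-03", "name": "7-Zip", "version": "24.07 beta"},
]

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, or None if it is not one."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def older_than(found, minimum):
    """Numeric comparison, zero-padded so that 128 and 128.0 are treated as equal."""
    for a, b in zip_longest(found, minimum, fillvalue=0):
        if a != b:
            return a < b
    return False

def reconcile(inventory, authorized):
    """Return (host, name, version, status) for every row that needs attention."""
    approved = {name.casefold(): parse_version(v) for name, v in authorized.items()}
    findings = []
    for row in inventory:
        key = row["name"].strip().casefold()  # tolerate case and whitespace drift
        found = parse_version(row["version"])
        if key not in approved:
            status = "unauthorized"
        elif found is None:
            status = "review-version"  # do not guess at versions that cannot be parsed
        elif older_than(found, approved[key]):
            status = "outdated"
        else:
            continue
        findings.append((row["host"], row["name"], row["version"], status))
    return findings

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, AUTHORIZED):
        print(*finding, sep=" | ")
```

Versions are compared as integer tuples because a plain string comparison would rank "24.10.1" below "24.2.0" and flag a current install as outdated.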
PC Matic: How It Aligns with Control 2 IG1 (and Then Some)
PC Matic is a U.S.-based cybersecurity solution built around proactive protection. While many tools focus on detection and response, PC Matic flips the model — using default-deny allowlisting to stop threats before they execute.
Let’s see how it stacks up against the requirements of Control 2 under IG1:
2.1 – Software Inventory
PC Matic automatically builds and maintains a real-time inventory of installed applications across every endpoint. This inventory includes software name, version, installation path, and execution status — all accessible via a central dashboard.
2.2 – Enforce Authorized Software Use
While allowlisting is technically an IG2 control, PC Matic enables it by default. Only trusted, verified software can execute, and admins can manage rules globally or per device. That means IG1 organizations get a level of protection above and beyond the baseline.
2.3 – Use of Automated Tools
With centralized policy management and continuous software monitoring, PC Matic fulfills the automation requirement with minimal IT lift. New installs, unauthorized software, and changes are automatically flagged.
2.4 – Response to Unauthorized Software
PC Matic can block execution of unauthorized apps, send real-time alerts to administrators, and log all activity — giving teams fast visibility and response capabilities even without a full SOC.
2.5 – Built-In Application Allowlisting
Even though not required at the IG1 level, PC Matic provides full allowlisting from day one. For organizations looking to “punch above their weight” and start climbing toward IG2 readiness, this feature is already baked in.
Final Takeaways
- CIS Controls give organizations a practical, phased roadmap to strengthen cybersecurity.
- IG1 is designed to be achievable and high-impact — especially for SMBs and local government.
- Control 2 is foundational: knowing what’s running and ensuring it’s supposed to be there.
- PC Matic not only aligns with Control 2 under IG1 — it exceeds it, providing automation, enforcement, and allowlisting that typically only show up in higher-tier frameworks.
For organizations that need results without complexity, PC Matic represents a strong, compliant, and forward-thinking choice.


