CIS Security Benchmarks and Compliance | What is CIS Compliance?

Michael Nyhuis
The Center for Internet Security (CIS) benchmarks are a set of best-practice cybersecurity standards for a range of IT systems and products. CIS Benchmarks provide the baseline configurations to ensure compliance with industry-agreed cybersecurity standards. The benchmarks are developed by CIS alongside communities of cybersecurity experts within industry and research institutes.

CIS Benchmarks can be seen as frameworks to configure IT services and products. Organizations can use the guidelines to improve cybersecurity and help protect against cyber threats. CIS Benchmarks cover a huge range of products and systems including server software, operating systems and network devices. These systems are widespread in all modern organizations and offices, making CIS Benchmarks a vital tool when it comes to closing vulnerabilities in an IT network.

CIS Benchmarks are free to use and are easily downloaded. They're useful to any stakeholders dealing with an organization's IT governance, cybersecurity policies and systems. The Center for Internet Security also offers a membership option which enhances cybersecurity compliance monitoring and resources. CIS Benchmarks are also important to IT system vendors, who can gain certification to show that a product meets CIS compliance.

This article explores CIS Benchmarks, what they consist of, and the benefits they can bring to organizations. It also covers the wider programs and services offered by the Center for Internet Security, including CIS Controls and CIS certification.

What is the Center for Internet Security?

The Center for Internet Security (CIS) is a not-for-profit organization which aims to identify and promote best-practice cybersecurity standards and policies. It develops and promotes IT security guidance with the input from a community of cybersecurity experts. CIS draws members from a range of backgrounds including private companies, government, and research institutions.

The aim is to take a collaborative approach to improving cybersecurity and responding to known cyber threats. To achieve this, CIS provides a range of tools, resources and programs to enable best-practice IT governance within organizations and government. Many of these tools and resources can be accessed free of charge.

CIS actively monitors cyber threats to help national and local governments to promote cybersecurity procedures through the Multi-State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC provides members with resources and tools for improved IT governance, cybersecurity notifications, and reports on active cyber threats.

CIS offers different programs to organizations to promote cybersecurity procedures. CIS Controls provide organizations with a set of procedures to bolster cybersecurity and respond to incidents. They consist of focused actions to lower the risk of cyber threats and steps to resolve serious IT incidents.

CIS Benchmarks help improve cybersecurity by providing best-practice configuration of IT systems and products. Organizations will generally use multiple benchmarks to ensure the secure setup of individual components of an IT Network.

What are CIS Benchmarks?

CIS Benchmarks are frameworks for calibrating a range of IT services and products to ensure the highest standards of cybersecurity. They're developed through a collaborative process with input from experts within the cybersecurity community. There are more than 100 different benchmarks covering a range of well-known vendors and systems. CIS Benchmarks provide guidance for all areas of an IT network, including operating systems, server systems, office software and network devices.

CIS Benchmarks are free to download and use. The documents cover everything from initial set up to configuration of all parts of the IT system. The guidance is regularly updated and renewed to reflect new iterations of the IT service or product. CIS Benchmarks represent the baseline settings to ensure an IT system or product is secure. The aim is to enhance international cybersecurity standards in all types of organizations. CIS Benchmarks are used by organizations, governments and institutes across the world.

CIS Benchmarks are compatible with existing IT risk management policies and procedures. They can slot into well-known frameworks for IT governance such as the NIST Cybersecurity Framework.

The benefits of CIS Benchmarks

CIS Benchmarks help organizations set up IT and technology systems to ensure best practice cybersecurity defense. Guidelines play an important role in forming an organization's cybersecurity policy. There are benchmarks for many types of technologies, including popular operating systems and browsers.

Each element of an organization's IT network may have cybersecurity vulnerabilities if not configured correctly. By following CIS Benchmarks, organizations can secure IT systems using a framework developed by leading cybersecurity experts.

Benefits of CIS Benchmarks include:

  • Close vulnerabilities which can cause serious cybersecurity incidents.
  • CIS Benchmarks are aligned to the best-known IT systems and technology.
  • Free to download and adopt.
  • Developed with expert input from a community of cybersecurity specialists.
  • A clear tool for enhancing IT governance procedures.
  • Safeguarding of vital IT systems within an organization, from operating systems to networks.

What is the structure of CIS Benchmarks?

CIS Benchmarks are free to download and implement and take the form of a PDF document. Each benchmark follows a similar structure. The beginning provides an overview of the benchmark, outlining definitions and the benchmark's intended audience.

The main bulk of the CIS Benchmarks document is a series of recommendations to ensure correct configuration of an IT system. Each CIS Benchmark may have hundreds of recommendations, which are grouped into different policies and areas of the IT system. For example, this may include cybersecurity recommendations for security options or account policies.

Each recommendation follows the same structure. It includes a description, the rationale behind the guidance, the impact it may have on cybersecurity, and how to implement it. There is also guidance on performing an internal audit to confirm CIS compliance.

The recommendations are either 'scored', or 'not scored'. 'Scored' recommendations are mandatory to achieve CIS compliance, and if not met will lower the total benchmark score. Recommendations which are 'not scored' have no impact on the overall score of the benchmark. CIS Benchmarks contain a checklist appendix which helps compliance monitoring for each recommendation.

What parts of an organization can CIS Benchmarks help?

CIS Benchmarks provide standards for the proper configuration of a range of IT technologies and systems. Covering everything from desktop software to mobile devices, these systems are an integral part of any modern organization. CIS Benchmarks provide clear best practice guidance created by a community of experts, so they are an important tool for any IT governance strategy.

Organizations can use CIS Benchmarks to make focused improvements to specific areas of their IT systems. Properly configuring IT systems will close vulnerabilities in an organization's IT network, improving cybersecurity defense.

CIS Benchmarks can be grouped into seven main areas:

  • Server software

CIS Benchmarks provide guidance for proper configuration of different server software from a range of vendors. This includes commonly used server software such as VMware or Microsoft Windows Server. The aim is to strengthen cybersecurity through best practice configurations across different areas of the IT server system. There are CIS Benchmarks for database servers, web servers, DNS servers and authentication servers. Recommendations cover topics such as storage settings and restrictions, admin controls, and server settings.

  • Multi-function print devices

This is a best practice benchmark for setting up printer devices across an organization's office space. These devices have become targets for cyber threats as a gateway into an organization's network. Recommendations cover topics like file sharing, server configurations, and secure access to wireless networks.

  • Cloud providers

Best practice cybersecurity configurations for setting up the most well-known cloud services and infrastructure. There are benchmarks for cloud services and infrastructure from Amazon Web Services, Microsoft Azure, Oracle Cloud Infrastructure, and Google Cloud Computing Platform.

Recommendations cover topics such as network settings, safeguards to ensure compliance with regulations, and IT governance and management.

  • Mobile devices

These benchmarks focus on Apple iOS and Google Android mobile operating systems and devices. Benchmarks provide guidance for configuring both Apple iOS and iPadOS, as well Google Android operating systems. Recommendations cover topics such as browser and developer settings, app permissions and privacy, and mobile operating system settings.

  • Desktop software

CIS Benchmarks provide best practice configuration for desktop software commonly used within modern organizations. This includes benchmarks for the Microsoft Office suite of software, an integral part of the modern office. CIS Benchmarks are also provided for the top web browsers, including Google Chrome, Mozilla Firefox, Safari, and Microsoft's web browser. Recommendations cover areas like browser settings, management of third-party software, server settings, and device management.

  • Network devices

These CIS Benchmarks help with the configuration of network devices and hardware used within an organization's IT system. These cover network devices and products from a variety of vendors, including Cisco, Juniper, Check Point Firewall, and Palo Alto Networks. Recommendations help to ensure cybersecurity standards across all network devices and hardware within an organization to enhance and strengthen the overall IT Governance strategy.

  • Operating systems

CIS Benchmarks help to ensure proper cybersecurity configurations for a range of the top operating systems widely used by organizations. This includes Linux, Microsoft Windows and servers, and Apple macOS. Benchmarks are mapped to different iterations of these operating systems, with best practice guidance for both enterprise and personal versions.

Operating systems form a core part of any organization's IT systems. CIS Benchmarks help organizations configure them securely, closing vulnerabilities and lowering the risk from cyber threats. Best practice recommendations cover protocols for driver installation, user profile management, and remote access restrictions.

How are CIS Benchmarks developed?

CIS Benchmarks are developed with input from a range of volunteer cybersecurity and IT system experts. Every CIS Benchmark completes a two-step process of consensus review.

The first step sees a panel of cybersecurity experts create, discuss and test a draft version of the benchmark recommendations. Once the experts achieve a consensus on the draft CIS Benchmark guidance, it is published for review by the wider community of cybersecurity experts.

The second step has a network of cybersecurity professionals from across the globe review the CIS Benchmark recommendations. Feedback from the wider community is collected and reviewed by the expert panel, with the benchmark amended to ensure best practice standards.

Updates to CIS Benchmarks will generally be triggered by new versions of the IT system or product being released.

What are CIS Benchmark profiles?

To help organizations with implementation, each recommendation within a CIS Benchmark is assigned a level 1 or level 2 profile. The profile levels represent the potential impact of a recommendation on the organization's IT systems and cybersecurity defense. It helps organizations understand which recommendations meet their cybersecurity needs and available resources. Profiles reiterate the importance of using a test environment when implementing CIS Benchmark recommendations.

A level 1 profile is generally assigned to surface-level recommendations which can be quickly implemented. Organizations will generally be able to continue normal operations when introducing recommendations of this level.

Level 2 profiles are linked to recommendations which deal with areas of significant importance to IT systems and cybersecurity. These recommendations will cover policies and parts of IT systems which are vital to cybersecurity. Level 2 profiles deal with areas with heightened security considerations, or where there is risk of negative impact on IT systems.
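To make the benchmark structure and the profile levels concrete, here is an added example (not CIS code; the recommendations, their "S-n" identifiers and the sshd_config lines are all constructed for illustration and are not real CIS recommendation numbers or text). It models each recommendation as description, rationale, profile level, scored flag and audit check, audits a sample remote-access configuration at profile level 1 or 2, and computes a score in which only 'scored' recommendations count:

```python
"""Toy CIS-style benchmark evaluator (added example, not CIS's own tooling)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample sshd_config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
X11Forwarding no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return directive -> value (lower-cased keys); first occurrence wins, as sshd does."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


@dataclass(frozen=True)
class Recommendation:
    """Mirrors the per-recommendation structure: description, rationale, profile, scoring, audit."""
    ident: str            # constructed label, not a real CIS recommendation number
    description: str
    rationale: str
    level: int            # profile level 1 or 2
    scored: bool          # 'scored' recommendations affect the benchmark score
    audit: Callable[[Dict[str, str]], bool]


def _max_auth_tries_ok(cfg: Dict[str, str]) -> bool:
    value = cfg.get("maxauthtries", "")
    return value.isdigit() and int(value) <= 4


# Absent directives are treated as failing: the audit wants an explicit, reviewed setting.
RECOMMENDATIONS: List[Recommendation] = [
    Recommendation("S-1", "Disable direct root login over SSH",
                   "Individual accounts plus privilege escalation give an audit trail.",
                   level=1, scored=True,
                   audit=lambda c: c.get("permitrootlogin", "").lower() == "no"),
    Recommendation("S-2", "Limit SSH authentication attempts to 4 or fewer",
                   "Slows online password guessing.", level=1, scored=True,
                   audit=_max_auth_tries_ok),
    Recommendation("S-3", "Disable SSH X11 forwarding",
                   "Reduces the daemon's attack surface.", level=2, scored=True,
                   audit=lambda c: c.get("x11forwarding", "").lower() == "no"),
    Recommendation("S-4", "Review whether password authentication is needed",
                   "Key-based auth is preferred; site-specific, so not scored.",
                   level=2, scored=False,
                   audit=lambda c: c.get("passwordauthentication", "").lower() == "no"),
]


def evaluate(cfg: Dict[str, str], recs: List[Recommendation],
             profile_level: int) -> Tuple[Dict[str, bool], float]:
    """Audit every recommendation at or below profile_level.

    Returns per-recommendation pass/fail and a percentage score over 'scored' items only;
    'not scored' items are reported but never move the score, as the benchmark text describes.
    """
    results: Dict[str, bool] = {}
    passed = scored_total = 0
    for rec in recs:
        if rec.level > profile_level:
            continue
        ok = rec.audit(cfg)
        results[rec.ident] = ok
        if rec.scored:
            scored_total += 1
            passed += int(ok)
    score = 100.0 * passed / scored_total if scored_total else 100.0
    return results, round(score, 1)
```

Running the level 2 profile over the sample reports S-4 as failing without lowering the score, while the level 1 profile never audits S-3 or S-4 at all, which is the difference between the two profiles that the text describes.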

What are CIS Controls?

CIS Controls, or CIS Critical Security Controls for Effective Cyber Defense, are a set of clear actions for organizations to strengthen cybersecurity. CIS Controls are a separate program by the Center for Internet Security, but are referenced throughout CIS Benchmarks.

The aim of CIS Controls is to provide clear, focused actions which will have an impact on severe threats to IT systems. There are 20 different CIS Controls, which consist of a range of actions to improve resilience to cyberattacks. They are designed to be straightforward and effective, helping to mitigate the potential damage from known cyber threats.

Whereas CIS Benchmarks focus on the cybersecurity baseline of a specific system or product, CIS Controls are guidelines for the entire IT system. They are important tools for any strategic IT governance decisions or risk management process.

CIS Controls are referenced throughout CIS Benchmarks, as each recommendation will be mapped to one or more CIS Controls. This helps organizations understand the impact of each CIS Benchmark recommendation on the wider cybersecurity defense.

20 CIS Controls explained

The 20 CIS Controls are grouped into three categories to help with implementation. The first six are in the 'basic' category, and consist of clear baseline actions to help any organization prepare cybersecurity defense. The next eight are within the 'foundational' category, which provide technical actions to further improve cybersecurity defense in all organizations.

The final four CIS Controls are within the 'organizational' category, which deal with the general operation of the IT system. This category focuses on the structure of the organization itself, including procedures for incident response and wider training programs.

The 20 CIS Controls are:

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
Actions to prevent unauthorized devices accessing the organization's network through device tracking and management.
  2. Inventory and Control of Software Assets
Preventing unauthorized software from being installed on the network through proper IT governance and management.
  3. Continuous Vulnerability Management
Taking a proactive approach to identifying and fixing vulnerabilities in the IT system to improve cybersecurity.
  4. Controlled Use of Administrative Privileges
Tracking and controlling administrative privileges across networks, computers, and IT systems.
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Managing hardware and software configurations to mitigate vulnerable settings across the organization's IT systems.
  6. Maintenance, Monitoring and Analysis of Audit Logs
Performing internal audits of event logs to detect and respond to cybersecurity incidents.

Foundational CIS Controls

  7. Email and Web Browser Protections
Actions to help strengthen email and browser systems against cyber threats.
  8. Malware Defenses
Actions to ensure rapid response to malware attacks and proactively limit the likelihood of installation and spread.
  9. Limitation and Control of Network Ports, Protocols and Services
Managing and controlling network devices to close vulnerabilities against cyber threats.
  10. Data Recovery Capabilities
Implementing processes to periodically back up and recover critical data and information.
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
The use of CIS Benchmarks to securely configure network devices against cyber threats.
  12. Boundary Defense
Managing the flow of data within the organization's network, a key aspect of IT governance.
  13. Data Protection
Protecting privacy and sensitive data by preventing the exfiltration of data and information.
  14. Controlled Access Based on the Need to Know
Determining the systems and employees that have access to critical IT systems.
  15. Wireless Access Control
Tracking the use of wireless systems to prevent improper use of access points and networks.
  16. Account Monitoring and Control
Tracking the creation and control of accounts to ensure no unauthorized access to systems.

Organizational CIS Controls

  17. Implement a Security Awareness and Training Program
Identify and develop the skills and knowledge needed for best practice cybersecurity across the organization.
  18. Application Software Security
Identify and fix vulnerabilities in software used within the organization.
  19. Incident Response and Management
Develop and embed incident response processes across the organization to restore the IT system after serious cybersecurity incidents.
  20. Penetration Tests and Red Team Exercises
Simulating a cyberattack to test the cybersecurity strengths of the organization.

What are CIS Controls implementation groups?

CIS Controls are prioritized so as to help organizations perform the actions with the most positive impact. The CIS Controls are prioritized for different 'implementation groups'. In effect, these are different groups of organizations which vary in scale, scope, and cybersecurity requirements. Organizations assess which group they belong to, which helps them understand which CIS Controls to implement in line with their risk profile and strategic resources.

Implementation groups play a key role in strategic risk management and planning. They weigh up the risks and resources to help organizations take focused actions suitable to their cybersecurity needs.

There are three implementation groups:

  • Implementation group 1

Smaller organizations with limited resources to allocate to cybersecurity. Data sensitivity may be low, and organizations will likely be using off-the-shelf software and IT systems.

  • Implementation group 2

Larger organizations with multiple departments and more complex IT systems. There may be the need for cybersecurity compliance, and the organizations will likely be using enterprise-level IT systems and products.

  • Implementation group 3

Complex organizations with requirements for cybersecurity compliance. There may be cybersecurity specialists within the organization, with complex IT governance and risk management responsibilities. CIS Controls will help to reduce the risk of targeted cyber threats.

Across all three groups of organizations, CIS Controls aim to improve cybersecurity defense and properly align resources for the best possible outcome. They are mapped to other cybersecurity standards such as the ITIL Framework, so they can be easily integrated into existing IT governance systems. CIS Controls help organizations to prioritize their resources for the biggest impact on cybersecurity defense.

How to achieve CIS Compliance

It's important to test and monitor compliance with the CIS Benchmarks, so that the best-practice guidelines are fully embedded. The Center for Internet Security offers both a free and a professional tool to perform compliance monitoring and internal audits for CIS Benchmarks. Organizations choose the IT system or product, and the tool compares its configuration with the best-practice standards within the CIS Benchmark.

Tools such as Diligent Compliance software can also help track compliance with CIS Benchmarks. The software will help to identify the gaps between the current system settings and the CIS Benchmark recommendations. It's also a tool to help with wider IT governance projects, and can help manage change across the organization. Diligent Compliance software can help monitor CIS Controls, and embed a plan to achieve compliance.

What is CIS certification?

Organizations that provide cybersecurity products as a service can get CIS certification for the product. This certifies that the product in question is compatible with the cybersecurity recommendations in the relevant CIS Benchmark.

Organizations will need to have CIS Security Software Vendor (SSV) membership before getting certified. Certification proves that the IT product or system meets best-practice cybersecurity standards. It also means users can configure the product to meet CIS Benchmark recommendations.

Organizations will need to test and document the product to demonstrate compliance with CIS Benchmarks. The Center for Internet Security will then need to validate the test results before providing certification. Once certified, organizations can display the CIS certified logo alongside the product to highlight CIS compliance. Potential customers will know that the product is fully compliant with CIS Benchmarks, informing IT governance decisions.

What is the CIS certification process?

To achieve CIS certification, organizations must first be members of the CIS Security Software Vendor (SSV) group. The next step is to record and submit evidence to prove compliance with a CIS Benchmark. Certification is against one CIS Benchmark.

Organizations will need to perform tests against each recommendation in the CIS Benchmark. Results are collected and submitted in the main section of the application. Documentation explores the pass or fail state for each recommendation, and highlights any exemptions or mitigating factors. This includes detailed explanations for any failure.

It will usually take around two weeks for the Center for Internet Security to review a certification application. This process will take longer if the organization isn't compliant, needs to make improvements, or submits an incomplete application.

Support from Diligent

Planning, tracking and embedding CIS Benchmarks can seem complex, but Diligent Compliance can help. Plan your CIS project, track progress, and record compliance, all in one place.

Streamline the entire process for straightforward IT governance. Trace your journey to better cybersecurity with Diligent Compliance software.

Book a demo with Diligent today.
Michael Nyhuis
Michael Nyhuis is the former Director of Audit & Compliance at Diligent and a modern governance expert with over 25 years of experience.