What are CIS Benchmarks? 9 Things You Need to Know for Cybersecurity and Compliance

In today’s digital age, cybersecurity threats are ever-present and growing in complexity. Organizations of all sizes and industries are increasingly vulnerable to cyberattacks, which can result in significant financial losses, reputational damage, and legal liability. To mitigate these risks, businesses need to adopt best practices and standards to safeguard their digital assets. One such standard is the CIS Benchmark, developed by the Center for Internet Security (CIS).

1. What are CIS benchmarks?

The world of cybersecurity is always evolving and holds many mysteries. However, CIS benchmarks (or CIS standard) is a part of cybersecurity that is known, and companies should take the time to learn its benefits for their company.

CIS benchmarks are a set of cybersecurity best practices and recommendations that provide organizations with a baseline for securely configuring and managing their IT systems and software. The benchmarks are developed by a community of cybersecurity experts, including government agencies, scholars, and industry leaders, and are regularly updated and reviewed to reflect the latest threats and vulnerabilities.

CIS benchmarks are specifically designed to help a company solidify the security of all of their digital assets. By following the benchmarks, organizations can establish a baseline for their cybersecurity posture, reduce the risk of cyberattacks, and improve their overall security.

While CIS benchmarks are recommendations and best practices that are designed to help organizations with cybersecurity, the way in which they are developed will be discussed in the next section.

How CIS benchmarks are developed

The development of a CIS standard is a thorough and inclusive process that incorporates input from a wide range of experts and stakeholders. This is achieved through a consensus-based approach that seeks to involve individuals with diverse perspectives, experiences, and knowledge in the development process. The development of CIS benchmarks is a collaborative and iterative process that strives to create practical, effective, and widely accepted standards for securing IT systems and data.

To ensure the effectiveness and practicality of the benchmarks, the development process entails rigorous testing and validation. This includes subjecting the benchmarks to various scenarios and evaluating their applicability in real-world environments. The testing and validation process aims to identify any potential weaknesses or limitations in the benchmarks and address them before the benchmarks are released to the public.

Now that we have a clear understanding of how CIS benchmarks are developed, the next section will discuss the different levels of CIS benchmarks that companies can follow.

2. The different levels of CIS benchmarks

CIS benchmarks are organized into three distinct levels, each designed to cater to different security needs and levels of complexity. The levels build on each other, providing increasingly sophisticated security measures for organizations of varying sizes and sensitivities.

Below are the three different levels of CIS benchmarks:

Level 1 profile

Starting at the foundational level, the level 1 profile establishes a strong baseline of security controls that are suitable for organizations with basic cybersecurity needs. These controls are essential for safeguarding against common threats and establishing a secure foundation for future growth. CIS level 1 is the minimum level of security that all companies should follow.

Level 2 profile

Building on the Level 1 profile, the Level 2 profile provides enhanced security controls that are suitable for organizations with more complex security requirements. These controls offer additional protection against advanced threats and help organizations maintain compliance with regulations and industry standards.

Level 3 profile

For organizations that require the highest level of security controls, the Level 3 profile offers the most advanced set of security measures. This profile is designed for organizations with highly sensitive data or mission-critical systems that require the utmost protection against cyber threats.

3. The different categories of CIS benchmarks

CIS benchmarks offer organizations a comprehensive set of best practices for securing their IT systems and software. These benchmarks are divided into 6 core categories that cover a wide range of security configurations. Each category offers recommendations and guidelines for securing specific components of an organization’s IT infrastructure, from operating systems and desktop software to network devices and cloud providers.

The 6 core categories of CIS benchmarks

  1. The benchmarks for operating systems cover the security configurations for major operating systems such as Windows and macOS. These benchmarks offer recommended guidelines for securing user profiles, restricting local and remote access, implementing secure driver installation protocols, and configuring internet browsers for safe use. For instance, the macOS benchmark provides guidelines on securing the OS and mitigating risks associated with software installation and system configuration.
  2. Desktop software benchmarks cover security configurations for some of the most commonly used desktop software applications. Benchmark tests for desktop software evaluate security configurations of frequently used applications such as Adobe Photoshop, VLC media player, iTunes, QuickTime player, and WinRAR. These tests are centered around aspects like network privacy, antivirus settings, registry editing, third-party add-ons, and firewall protection.
  3. The network device benchmarks provide security configuration guidelines for various network devices and hardware from leading vendors such as Fortinet, Huawei, and Arista Networks, among others.
  4. The mobile device benchmarks focus on enhancing the security of mobile operating systems, such as iOS and Android, by providing best practices and guidelines for developer options and settings, privacy configurations, browser settings, and app permissions.
  5. Cloud provider benchmarks address security configurations for Amazon Web Services (AWS), Microsoft Azure, Google, IBM, and other popular public clouds.
  6. Benchmarking tests for server software evaluate the security settings of various commonly used server software, such as Apache, Nginx, MySQL, PostgreSQL, and Redis. The benchmarking tests provide guidance on how to configure the server software’s security settings, including SSL/TLS encryption, authentication, access controls, network configuration, and file permissions.

With the different categories of CIS benchmarks established, it appeals to organizations in many different industries.

4. Who are the main users of CIS benchmarks?

CIS benchmarks are used by a wide range of organizations, including government agencies, businesses, and non-profit organizations. The benchmarks are applicable to a variety of IT systems and software, including operating systems, databases, web servers, and cloud platforms.

Organizations that deal with sensitive data, such as healthcare providers, financial industries, and government agencies, have a particular responsibility to maintain the highest level of cybersecurity. These companies have the highest risk of cyberattacks and must adhere to a level 3 CIS benchmark profile. Because of the importance of cybersecurity in these industries, they may be subject to regulations and compliance requirements that mandate the use of CIS benchmarks.

5. What are CIS Hardened Images?

CIS Hardened Images are virtual machine images that have been pre-configured with the CIS benchmarks for specific operating systems, applications, and cloud platforms. By using CIS Hardened Images, organizations can quickly and easily deploy secure IT systems that are compliant with the latest CIS benchmarks.

To prevent potential cybersecurity threats, it’s essential to harden systems by limiting possible weaknesses that can make them vulnerable to attacks. By doing so, systems become more secure and better protected against a wide range of cyber threats.

One of the most effective ways to harden systems is through the use of hardened virtual machine images. These images provide a higher level of security than standard images, making it much more difficult for cybercriminals to launch attacks such as denial of service or unauthorized data access. This extra layer of security can also give organizations greater peace of mind, knowing that their critical data and operations are more secure and less vulnerable to cyber attacks.

CIS hardened images are an excellent tool of security that businesses should incorporate, but there are some other factors that explain why CIS benchmarks are necessary for businesses’ security and compliance.

6. Why are CIS benchmarks critical for security and compliance?

CIS benchmarks are critical for both security and compliance, enabling organizations to safeguard their IT systems and data, as well as comply with industry regulations and standards. Failing to adhere in CIS benchmarks could result in hefty fines from compliance regulatory boards. The next two sections will discuss why security and compliance are crucial areas to focus on when following CIS benchmarks.


CIS benchmarks provide organizations with a set of best practices and controls to ensure that their IT systems and software are configured securely and are less vulnerable to cyber attacks. CIS benchmarks delete any settings that are recognized as being insecure as well as protecting companies from known cyber threats.


CIS benchmarks are widely recognized and adopted as a standard for cybersecurity compliance by regulatory bodies, such as PCI DSS and HIPAA. CIS compliance can help organizations avoid costly fines and legal liabilities. By implementing CIS benchmarks, organizations can demonstrate that they are taking the necessary steps to protect sensitive data and comply with industry regulations.

Compliance with CIS benchmarks can also help organizations avoid costly fines and legal liabilities that can result from a data breach or cybersecurity incident.

While security and compliance have been shown to be major benefits associated with CIS benchmarks, there are a few other benefits that come from adhering to the requirements set by CIS benchmarks.

7. The main benefits of CIS benchmarks

CIS benchmarks come with some obvious consequences if companies don’t adhere to their standards, but the benefits of following these standards are also important to look at for companies.

Some of the main benefits of CIS benchmarks include:

  • Improved cybersecurity.
  • Compliance with regulatory requirements. CIS benchmarks are widely recognized and adopted as a standard for cybersecurity compliance by regulatory bodies, which can help organizations avoid costly fines and legal liabilities.
  • Cost-effective. Implementing CIS benchmarks can be a cost-effective way for organizations to improve their cybersecurity posture. The benchmarks provide a baseline for securely configuring and managing IT systems and software, reducing the need for costly custom solutions or expensive security consultants.
  • Industry recognition. CIS benchmarks are widely recognized and adopted by industry leaders, making them a valuable credential for organizations looking to demonstrate their commitment to cybersecurity. Compliance with these benchmarks can help organizations establish themselves as trustworthy partners and increase their credibility among customers and stakeholders.

In addition to the benefits mentioned, the Center for Internet Security (CIS) also offers additional security resources that organizations can take advantage of.

8. Additional security resources the Center for Internet Security (CIS) offers

The Center for Internet Security (CIS) also offers addition security resources to help organizations improve their overall cybersecurity posture. The two additional security resources the CIS offers are CIS controls and CIS hardened images.

CIS Controls

While CIS Benchmarks provide a set of best practices for securely configuring IT systems and software, CIS Controls provide a prioritized framework for improving overall cybersecurity posture. Together, they can provide a comprehensive approach to cybersecurity.

An example of a CIS control is the implementation of multi-factor authentication (MFA) for all remote access to the organization’s network, systems, and data. MFA requires users to provide additional verification, such as a one-time code or biometric data, in addition to a username and password, which significantly reduces the risk of unauthorized access even if credentials are compromised. This CIS control mitigates the risks associated with remote access, which is a common attack vector for cybercriminals.

CIS Hardened Images

As mentioned previously in this article, CIS hardened images are, simply, virtual machine images that have been pre-configured with the CIS benchmarks for specific operating systems, applications, and cloud platforms.

An example of a CIS hardened image would be an Amazon Machine Image (AMI) that is configured to meet the security requirements outlined in the CIS Amazon Web Services Foundations Benchmark.

Now that we have a better understanding of the additional security resources that the Center for Internet Security (CIS) offers, let’s explore how your company can implement and maintain CIS benchmarking with 8 essential steps.

9. How your company can implement and maintain CIS benchmarking with 8 steps

Implementing CIS standards can be a straightforward process, but it requires careful planning and execution. The following 8 steps can help your company implement CIS benchmarking:

  1. Identify the IT systems and software that need to be benchmarked.
  2. Choose the appropriate CIS benchmark level based on your organization’s security requirements.
  3. Download the relevant CIS benchmark from the Center for Internet Security website.
  4. Review and assess your current IT systems and software against the CIS benchmark.
  5. Implement the recommended changes and configurations to align with the CIS benchmark.
  6. Regularly review and update your IT systems and software to ensure continued compliance with the CIS benchmark.
  7. Frequently implement any necessary updates or changes to ensure compliance with the latest benchmarks.
  8. Train and educate employees on CIS benchmarks and best practices for cybersecurity.

Implement and maintaining CIS benchmarks will establish a baseline for your company’s cybersecurity and will provide you with many benefits such as reducing costs and gaining recognition as a trustworthy company.

Enhancing your cybersecurity with CIS benchmarks

Cybersecurity threats are continuously growing in complexity and can have significant consequences for organizations, including financial losses, reputational damage, and legal liability. Following the CIS benchmark puts your company in secure position to battle these cybersecurity threats and adhere to the compliance guidelines.

Have any questions about adopting CIS benchmarks for your cybersecurity plans? Please reach out to our experts at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author