Schedule DemoStart Free Trial

Unified Observability Platform for Modern IT Operations

Summarize with AI what Motadata does:
© 2026 Mindarray Systems Limited. All rights reserved.
Privacy PolicyTerms of Service
Back to Blog
Compliance
10 min read

What Is CIS Compliance? A Complete Guide

Written by

Ramya Shah

Technical Writer

Reviewed by

Keertan Zala

Product Manager

Published

July 17, 2026

10 min read

Most security breaches begin with something small and avoidable. Think of a password still set to its default, a server port left open to the internet, or configuration drift that slowly undoes last year's careful setup.

Gaps like these go unnoticed because nobody is assigned to look for them, and they can be very costly. According to IBM's 2025 Cost of a Data Breach report, the average data breach incident costs companies 4.44 million dollars.

CIS compliance is how you find those gaps before an attacker does.

In this guide, you will find out about the CIS Controls and Benchmarks, and whether any of them are mandatory. You will also understand where NIST and ISO 27001 fit in, plus the free tools that score your systems.

By the end, you will know which 56 Safeguards to start with, and which scans to automate.

What Is CIS Compliance?

CIS compliance means configuring your IT systems to match the security best practices published by the Center for Internet Security (CIS).

Two document sets define the target:

  1. CIS Critical Security Controls: These describe what an enterprise security program should do.

  1. CIS Benchmarks: These get specific about how each technology should be configured.

An organization is CIS compliant when its assets, from Windows servers to AWS accounts, meet the CIS compliance standards in those documents.

Nobody issues a CIS compliance certificate. There is no accredited auditor behind it and no fine for walking away. What you get is a score.

Scan a system against its benchmark, and the tool counts how many recommendations pass. That percentage is your compliance level for that machine.

The day-to-day work is a loop. Pick the benchmarks that match your stack, scan, fix what fails, and keep the score from sliding backward between audits.

Teams that do this well treat the number like uptime: someone owns it, and a drop in the weekly report raises questions.

What Is the Center for Internet Security (CIS)?

The Center for Internet Security is a 501(c)(3) nonprofit founded in October 2000 and headquartered in East Greenbush, New York.

It exists to define and spread configuration security standards. The work happens through a volunteer community of more than 12,000 IT and security professionals who draft, test, and vote on every recommendation.

That consensus model is the reason auditors and regulators take CIS seriously. A hardening rule in a CIS document was argued over by people who run production systems.

The result reflects field experience instead of one vendor's marketing agenda.

CIS also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), a member-funded threat-sharing body for US state, local, tribal, and territorial governments.

What Are the CIS Controls?

The CIS Critical Security Controls are a prioritized list of 18 security practices that cover the full width of an enterprise defense program.

The range runs from knowing what hardware you own to testing your own defenses. The current version, CIS Controls v8.1, was released in June 2024.

It breaks the 18 Controls into 153 specific actions called Safeguards and aligns them with NIST CSF 2.0, including its governance function.

The 18 CIS Controls, Listed in Priority Order

Here is the full list, in CIS's priority order:

  1. Inventory and Control of Enterprise Assets

  1. Inventory and Control of Software Assets

  1. Data Protection

  1. Secure Configuration of Enterprise Assets and Software

  1. Account Management

  1. Access Control Management

  1. Continuous Vulnerability Management

  1. Audit Log Management

  1. Email and Web Browser Protections

  1. Malware Defenses

  1. Data Recovery

  1. Network Infrastructure Management

  1. Network Monitoring and Defense

  1. Security Awareness and Skills Training

  1. Service Provider Management

  1. Application Software Security

  1. Incident Response Management

  1. Penetration Testing

The order carries a message. The first two Controls are inventories, because you cannot protect a laptop or a database you do not know exists.

CIS puts IT asset management ahead of malware defenses, encryption, and every other flashier discipline. Most teams that skip ahead end up coming back to it.

Implementation Groups: How Many of the 153 Safeguards You Need

Implementation Groups solve the obvious problem with a 153-item list: nobody starts with all of it. CIS splits the Safeguards into three cumulative tiers, assigned by your risk profile and resources rather than your headcount.

Here is how the three groups break down:

Group

Safeguards

Built For

IG1

56

Every organization; the baseline CIS calls essential cyber hygiene

IG2

130 (IG1 + 74)

Teams with dedicated IT staff and sensitive data

IG3

153 (all)

Mature, regulated, or targeted organizations

IG1 is the honest starting line, and CIS itself says every enterprise should begin there.

The 56 Safeguards in IG1 cover the basics that block the most common attacks: inventories, secure configuration, account hygiene, and vulnerability assessment.

IG2 and IG3 can wait until your risk profile or your staffing grows into them.

The First Two CIS Controls Are an Inventory Problem

Motadata ServiceOps discovers hardware and software assets automatically, agent-based or agentless, and keeps them in one central register. Controls 1 and 2 stop depending on a spreadsheet.

Start a Free 30-Day ServiceOps Trial

What Are CIS Benchmarks?

CIS Benchmarks are configuration guides for specific technologies. Each benchmark lists the exact settings that make one product safe to run, recommendation by recommendation.

There are more than 100 of them, covering 25+ vendor product families across eight categories.

Those categories are operating systems, server software, cloud providers, mobile devices, network devices, desktop software, multi-function print devices, and DevSecOps tools.

Every recommendation inside a benchmark follows the same anatomy. You get a description of the setting, the rationale behind it, and the impact of applying it.

A step-by-step audit procedure and the remediation steps follow. Each one is also marked Automated or Manual, which tells you whether a scanning tool can verify it without a human.

The volunteer community drafts each benchmark on CIS WorkBench, opens it to review, and revises it as vendors ship new versions.

IBM notes that the Windows benchmark gets a refresh within roughly 90 days of a new release. The scope runs from a Windows Server or Ubuntu build all the way to network configuration management for Cisco and FortiGate devices.

Kubernetes clusters and the AWS, Azure, and GCP foundations get benchmarks of their own. They provide free PDFs to download for non-commercial use after a short registration.

What Is a Level 1 or Level 2 CIS Benchmark?

A Level 1 benchmark profile hardens a system with minimal impact on how it runs, and a Level 2 profile trades some convenience for tighter security. Some benchmarks add a third STIG profile for government work.

Here is what each level means:

Level

What It Does

Use It When

Level 1

Baseline hardening with minimal impact on functionality

General environments; the default starting point

Level 2

Defense in depth; some settings restrict functionality

Systems handling sensitive or regulated data

STIG

Maps recommendations to DISA STIG requirements

US Department of Defense and government work

Level 1 is the default starting point for most environments. Stage Level 2 in testing first, because some of its settings will disable features your applications depend on.

The STIG profile lets one configuration satisfy CIS and DoD requirements at the same time.

CIS Controls vs. CIS Benchmarks: What Is the Difference?

The CIS Controls tell you what your security program should do. The CIS Benchmarks tell you how to configure each technology to do it.

The Controls sit at program level. It includes 18 practices, such as asset inventory, access management, and audit logging.

On the other hand, the Benchmarks sit at device level, turning those practices into concrete settings.

A worked example makes the split clear. CIS Control 4 says to establish and maintain secure configurations for enterprise assets and software.

The Microsoft Windows Server 2022 Benchmark implements that Control as hundreds of specific settings, each with its own audit and fix. CIS compliance, done properly, means working both layers at once.

Is CIS Compliance Mandatory?

No, CIS compliance is voluntary. No law requires it, no regulator fines you for skipping it, and CIS offers no formal certification for organizations.

That surprises many teams, because CIS shows up in so many audits that it feels like a regulation. However, it shows up because other frameworks lean on it.

PCI DSS Requirement 2.2 tells you to build configuration standards on an industry-accepted hardening standard. CIS Benchmarks are the most cited example.

FedRAMP accepts CIS Benchmarks as configuration baselines where no government baseline exists.

Customer security questionnaires and cyber insurers ask for a hardening standard by name. Answering CIS ends the conversation quickly. CIS became a de facto requirement for regulatory compliance work without ever being law.

If you have ever sat through a PCI audit, you already know how this plays out.

The practical payoff is evidence. A benchmark score gives an auditor something checkable, which beats a policy document that says systems are hardened appropriately.

Much of that evidence rests on knowing what you own. Our piece on how asset management supports compliance and security goes deeper into that connection.

How Does CIS Compare to NIST, ISO 27001, and PCI DSS?

CIS is the most prescriptive of the major security frameworks, and it works alongside the others rather than against them. The others tell you to manage risk. CIS tells you which registry key to change.

Here is how the four compare:

Framework

What It Is

Required?

How CIS Fits

CIS

Prescriptive controls and configuration baselines

Voluntary

The hands-on layer of the stack

NIST CSF

Risk management framework for governance

Voluntary

CIS v8.1 maps to CSF 2.0 functions

ISO 27001

Certifiable management system standard

Contractual, often

CIS Safeguards implement Annex A controls

PCI DSS

Card-data security standard

Mandatory for cardholder data

Accepts CIS as its hardening standard

CIS publishes official mapping documents for NIST CSF 2.0, NIST SP 800-53, ISO/IEC 27001:2022, PCI DSS 4.0, and HIPAA.

The same work also supports SOC 2 readiness. That mapping is the quiet superpower here. Harden a server to its CIS Benchmark once, and that work counts toward several frameworks at the same time.

The alternative is a separate hardening project per framework, and nobody staffs that.

How Do You Achieve CIS Compliance?

You achieve CIS compliance by working through a sequence: know what you own, pick a realistic scope, scan, fix, and repeat. The seven steps below are the shape that sequence takes for most IT teams.

1. Build Your Asset Inventory

Start where the Controls start. List every server, workstation, cloud account, and network device, plus the software running on each. Discovery tooling helps here, because the assets you forgot are exactly the ones that fail the scan.

2. Pick Your Implementation Group

Choose IG1, IG2, or IG3 based on your risk profile and staffing, and write the choice down. IG1's 56 Safeguards are the right scope for most teams starting out, whatever their size.

3. Select the Benchmarks That Match Your Stack

Download the benchmark for each technology you actually run: one per operating system, cloud platform, database, and network vendor. Check the version number against what is deployed, because a benchmark for the wrong release audits the wrong settings.

4. Run a Baseline Scan

Assess each system against its benchmark before you change anything. The first score is usually humbling, and that is fine. The baseline exists to measure progress, and a rough first number makes the improvement easier to show.

5. Remediate in Stages

Fix Level 1 findings first, and stage Level 2 changes through testing before they reach production. Fold the recurring work, such as patch compliance, into the processes your team already runs. A separate compliance track dies in the first busy quarter.

6. Document Every Deviation

Some recommendations will conflict with a business need, and that is expected. CIS supports tailoring. Record each exception with its reason and a compensating control. Auditors accept a documented deviation far more readily than an unexplained failure.

7. Rescan on a Schedule

Set a recurring cadence, monthly or quarterly, and rescan after major changes. Configuration drift begins the day after remediation, and a score from last year proves nothing about today.

Automate the Patch Work Behind Your Remediation Steps

Motadata ServiceOps scans the network for missing patches across Windows, macOS, and Linux, and stages them through a test group first. It also produces compliance reports for PCI DSS, HIPAA, and SOX.

See Patch Management

How Do You Check and Automate CIS Compliance?

You check CIS compliance by scanning each system against its benchmark and scoring how many recommendations pass.

CIS ships its own tooling for this, with a clear split between the free and paid tiers:

  • CIS-CAT Lite: This free assessor scans a short list of benchmarks, including Windows, Ubuntu, and Google Chrome, and produces an HTML report with a score.

  • CIS-CAT Pro: The paid assessor comes with a CIS SecureSuite membership, covers the full benchmark library, and adds dashboards that track scores over time.

  • CIS CSAT: This free hosted tool tracks your progress through the Controls, Safeguard by Safeguard.

  • Build Kits: These Group Policy Objects and scripts, available through SecureSuite, apply benchmark settings in bulk instead of one at a time.

  • CIS Hardened Images: These pre-configured virtual machine images on the AWS, Azure, GCP, and Oracle Cloud marketplaces bill at a small hourly rate. Every new instance starts life already hardened.

Automation matters because manual checking collapses at scale. A benchmark carries hundreds of recommendations, your estate carries hundreds of assets, and both change constantly.

The teams that hold their scores treat CIS Benchmark compliance as a monitoring problem. That means automated scans on a schedule, alerts when a config drifts, and audit logs retained as the evidence trail.

Control 8 asks for that logging anyway, so the evidence and the requirement conveniently overlap.

CIS Compliance Checklist for IT Teams

Use this checklist to turn the guide into a working plan:

  1. Inventory every hardware asset, cloud account, and installed application.

  1. Pick your Implementation Group and record the reasoning.

  1. Download the current benchmark for each technology in your stack.

  1. Run a baseline scan with CIS-CAT Lite or your existing scanner.

  1. Remediate Level 1 findings across all systems first.

  1. Test Level 2 settings in staging before production rollout.

  1. Document every deviation with its reason and compensating control.

  1. Schedule recurring rescans and rescan after major changes.

  1. Retain scan reports and audit logs as compliance evidence.

  1. Review new benchmark versions when vendors ship OS or platform upgrades.

Configuration Drift Is the Part Nobody Catches by Hand

Motadata ObserveOps backs up network device configurations, flags changes in real time, and assesses them against CIS standards. An audit trail keeps your evidence ready.

Book an ObserveOps Demo

Make CIS Compliance Something You Can Measure

CIS compliance turns the vaguest question in security (are we configured safely?) into a number you can put on a dashboard and defend in an audit.

The documents are free, the starter tooling is free, and IG1 scopes your first target down to 56 Safeguards.

The honest part is that some of it will hurt. A Level 2 setting will break an application you care about, and the first scan will sting. Drift will claw back progress the moment you stop rescanning.

A perfect benchmark score also does not make you secure by itself, because configuration is one layer of defense among several.

Teams that keep at it walk into every audit with evidence instead of promises. The habit underneath that evidence is continuous monitoring of your configurations: a scan on a schedule and an owner for the score.

FAQs

What does CIS stand for in cybersecurity?

CIS stands for the Center for Internet Security, a nonprofit founded in 2000 that publishes consensus-based security standards. CIS compliance means aligning your systems with its two main publications, the CIS Critical Security Controls and the CIS Benchmarks.

Are CIS Benchmarks free to use?

Yes, every CIS Benchmark PDF is free to download for non-commercial use after registration. The paid CIS SecureSuite membership adds the CIS-CAT Pro assessor, Build Kits for bulk remediation, and machine-readable benchmark formats on top of the free documents.

Can an organization get CIS certified?

No formal CIS certification exists for organizations. CIS certifies software vendors' products through its certification program. An enterprise demonstrates CIS compliance through assessment reports and benchmark scores rather than a certificate, so your scan evidence carries the weight an auditor needs.

How often are CIS Benchmarks updated?

The volunteer community revises benchmarks continuously as vendors release new product versions. IBM notes the Windows benchmark updates within roughly 90 days of a release. Always check that your benchmark version matches the deployed version before scanning.

Which Implementation Group should you start with?

Start with Implementation Group 1 regardless of company size. IG1 includes the 56 Safeguards that CIS calls essential cyber hygiene. It targets the most common attacks with the least effort. IG2 and IG3 build on it cumulatively as your risk profile or resources grow.

RS

Author

Ramya Shah

Technical Writer

Ramya Shah is a technical content writer with a computer engineering background and roots in automotive journalism. He covers IT Service Management, observability, IT operations, and AI-driven automation. An early adopter of AI-assisted writing workflows, he turns complex IT processes into clear, engaging content optimized for search and answer engines (AEO), lifting content output and organic visibility.

Share:
Table of Contents
Subscribe to Our Newsletter

Get the latest insights and updates delivered to your inbox.

Related Articles

Continue reading with these related posts

Compliance

What is DPDPA Compliance? A Complete Guide

Ramya ShahJul 2, 202610 min read
Compliance

POPIA Compliance: What It Requires and How Motadata Supports It

Jagdish SajnaniJun 23, 202610 min read