What Is CIS Compliance? A Complete Guide
Most security breaches begin with something small and avoidable. Think of a password still set to its default, a server port left open to the internet, or configuration drift that slowly undoes last year's careful setup.
Gaps like these go unnoticed because nobody is assigned to look for them, and they can be very costly. According to IBM's 2025 Cost of a Data Breach report, the average data breach incident costs companies 4.44 million dollars.
CIS compliance is how you find those gaps before an attacker does.
In this guide, you will find out about the CIS Controls and Benchmarks, and whether any of them are mandatory. You will also understand where NIST and ISO 27001 fit in, plus the free tools that score your systems.
By the end, you will know which 56 Safeguards to start with, and which scans to automate.
What Is CIS Compliance?
CIS compliance means configuring your IT systems to match the security best practices published by the Center for Internet Security (CIS).
Two document sets define the target:
CIS Critical Security Controls: These describe what an enterprise security program should do.
CIS Benchmarks: These get specific about how each technology should be configured.
An organization is CIS compliant when its assets, from Windows servers to AWS accounts, meet the CIS compliance standards in those documents.
Nobody issues a CIS compliance certificate. There is no accredited auditor behind it and no fine for walking away. What you get is a score.
Scan a system against its benchmark, and the tool counts how many recommendations pass. That percentage is your compliance level for that machine.
The day-to-day work is a loop. Pick the benchmarks that match your stack, scan, fix what fails, and keep the score from sliding backward between audits.
Teams that do this well treat the number like uptime: someone owns it, and a drop in the weekly report raises questions.
What Is the Center for Internet Security (CIS)?
The Center for Internet Security is a 501(c)(3) nonprofit founded in October 2000 and headquartered in East Greenbush, New York.
It exists to define and spread configuration security standards. The work happens through a volunteer community of more than 12,000 IT and security professionals who draft, test, and vote on every recommendation.
That consensus model is the reason auditors and regulators take CIS seriously. A hardening rule in a CIS document was argued over by people who run production systems.
The result reflects field experience instead of one vendor's marketing agenda.
CIS also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), a member-funded threat-sharing body for US state, local, tribal, and territorial governments.
What Are the CIS Controls?
The CIS Critical Security Controls are a prioritized list of 18 security practices that cover the full width of an enterprise defense program.
The range runs from knowing what hardware you own to testing your own defenses. The current version, CIS Controls v8.1, was released in June 2024.
It breaks the 18 Controls into 153 specific actions called Safeguards and aligns them with NIST CSF 2.0, including its governance function.
The 18 CIS Controls, Listed in Priority Order
Here is the full list, in CIS's priority order:
Inventory and Control of Enterprise Assets
Inventory and Control of Software Assets
Data Protection
Secure Configuration of Enterprise Assets and Software
Account Management
Access Control Management
Continuous Vulnerability Management
Audit Log Management
Email and Web Browser Protections
Malware Defenses
Data Recovery
Network Infrastructure Management
Network Monitoring and Defense
Security Awareness and Skills Training
Service Provider Management
Application Software Security
Incident Response Management
Penetration Testing
The order carries a message. The first two Controls are inventories, because you cannot protect a laptop or a database you do not know exists.
CIS puts IT asset management ahead of malware defenses, encryption, and every other flashier discipline. Most teams that skip ahead end up coming back to it.
Implementation Groups: How Many of the 153 Safeguards You Need
Implementation Groups solve the obvious problem with a 153-item list: nobody starts with all of it. CIS splits the Safeguards into three cumulative tiers, assigned by your risk profile and resources rather than your headcount.
Here is how the three groups break down:
Group | Safeguards | Built For |
IG1 | 56 | Every organization; the baseline CIS calls essential cyber hygiene |
IG2 | 130 (IG1 + 74) | Teams with dedicated IT staff and sensitive data |
IG3 | 153 (all) | Mature, regulated, or targeted organizations |
IG1 is the honest starting line, and CIS itself says every enterprise should begin there.
The 56 Safeguards in IG1 cover the basics that block the most common attacks: inventories, secure configuration, account hygiene, and vulnerability assessment.
IG2 and IG3 can wait until your risk profile or your staffing grows into them.
What Are CIS Benchmarks?
CIS Benchmarks are configuration guides for specific technologies. Each benchmark lists the exact settings that make one product safe to run, recommendation by recommendation.
There are more than 100 of them, covering 25+ vendor product families across eight categories.
Those categories are operating systems, server software, cloud providers, mobile devices, network devices, desktop software, multi-function print devices, and DevSecOps tools.
Every recommendation inside a benchmark follows the same anatomy. You get a description of the setting, the rationale behind it, and the impact of applying it.
A step-by-step audit procedure and the remediation steps follow. Each one is also marked Automated or Manual, which tells you whether a scanning tool can verify it without a human.
The volunteer community drafts each benchmark on CIS WorkBench, opens it to review, and revises it as vendors ship new versions.
IBM notes that the Windows benchmark gets a refresh within roughly 90 days of a new release. The scope runs from a Windows Server or Ubuntu build all the way to network configuration management for Cisco and FortiGate devices.
Kubernetes clusters and the AWS, Azure, and GCP foundations get benchmarks of their own. They provide free PDFs to download for non-commercial use after a short registration.
What Is a Level 1 or Level 2 CIS Benchmark?
A Level 1 benchmark profile hardens a system with minimal impact on how it runs, and a Level 2 profile trades some convenience for tighter security. Some benchmarks add a third STIG profile for government work.
Here is what each level means:
Level | What It Does | Use It When |
Level 1 | Baseline hardening with minimal impact on functionality | General environments; the default starting point |
Level 2 | Defense in depth; some settings restrict functionality | Systems handling sensitive or regulated data |
STIG | Maps recommendations to DISA STIG requirements | US Department of Defense and government work |
Level 1 is the default starting point for most environments. Stage Level 2 in testing first, because some of its settings will disable features your applications depend on.
The STIG profile lets one configuration satisfy CIS and DoD requirements at the same time.
CIS Controls vs. CIS Benchmarks: What Is the Difference?
The CIS Controls tell you what your security program should do. The CIS Benchmarks tell you how to configure each technology to do it.
The Controls sit at program level. It includes 18 practices, such as asset inventory, access management, and audit logging.
On the other hand, the Benchmarks sit at device level, turning those practices into concrete settings.
A worked example makes the split clear. CIS Control 4 says to establish and maintain secure configurations for enterprise assets and software.
The Microsoft Windows Server 2022 Benchmark implements that Control as hundreds of specific settings, each with its own audit and fix. CIS compliance, done properly, means working both layers at once.
Is CIS Compliance Mandatory?
No, CIS compliance is voluntary. No law requires it, no regulator fines you for skipping it, and CIS offers no formal certification for organizations.
That surprises many teams, because CIS shows up in so many audits that it feels like a regulation. However, it shows up because other frameworks lean on it.
PCI DSS Requirement 2.2 tells you to build configuration standards on an industry-accepted hardening standard. CIS Benchmarks are the most cited example.
FedRAMP accepts CIS Benchmarks as configuration baselines where no government baseline exists.
Customer security questionnaires and cyber insurers ask for a hardening standard by name. Answering CIS ends the conversation quickly. CIS became a de facto requirement for regulatory compliance work without ever being law.
If you have ever sat through a PCI audit, you already know how this plays out.
The practical payoff is evidence. A benchmark score gives an auditor something checkable, which beats a policy document that says systems are hardened appropriately.
Much of that evidence rests on knowing what you own. Our piece on how asset management supports compliance and security goes deeper into that connection.
How Does CIS Compare to NIST, ISO 27001, and PCI DSS?
CIS is the most prescriptive of the major security frameworks, and it works alongside the others rather than against them. The others tell you to manage risk. CIS tells you which registry key to change.
Here is how the four compare:
Framework | What It Is | Required? | How CIS Fits |
CIS | Prescriptive controls and configuration baselines | Voluntary | The hands-on layer of the stack |
NIST CSF | Risk management framework for governance | Voluntary | CIS v8.1 maps to CSF 2.0 functions |
ISO 27001 | Certifiable management system standard | Contractual, often | CIS Safeguards implement Annex A controls |
PCI DSS | Card-data security standard | Mandatory for cardholder data | Accepts CIS as its hardening standard |
CIS publishes official mapping documents for NIST CSF 2.0, NIST SP 800-53, ISO/IEC 27001:2022, PCI DSS 4.0, and HIPAA.
The same work also supports SOC 2 readiness. That mapping is the quiet superpower here. Harden a server to its CIS Benchmark once, and that work counts toward several frameworks at the same time.
The alternative is a separate hardening project per framework, and nobody staffs that.
How Do You Achieve CIS Compliance?
You achieve CIS compliance by working through a sequence: know what you own, pick a realistic scope, scan, fix, and repeat. The seven steps below are the shape that sequence takes for most IT teams.
1. Build Your Asset Inventory
Start where the Controls start. List every server, workstation, cloud account, and network device, plus the software running on each. Discovery tooling helps here, because the assets you forgot are exactly the ones that fail the scan.
2. Pick Your Implementation Group
Choose IG1, IG2, or IG3 based on your risk profile and staffing, and write the choice down. IG1's 56 Safeguards are the right scope for most teams starting out, whatever their size.
3. Select the Benchmarks That Match Your Stack
Download the benchmark for each technology you actually run: one per operating system, cloud platform, database, and network vendor. Check the version number against what is deployed, because a benchmark for the wrong release audits the wrong settings.
4. Run a Baseline Scan
Assess each system against its benchmark before you change anything. The first score is usually humbling, and that is fine. The baseline exists to measure progress, and a rough first number makes the improvement easier to show.
5. Remediate in Stages
Fix Level 1 findings first, and stage Level 2 changes through testing before they reach production. Fold the recurring work, such as patch compliance, into the processes your team already runs. A separate compliance track dies in the first busy quarter.
6. Document Every Deviation
Some recommendations will conflict with a business need, and that is expected. CIS supports tailoring. Record each exception with its reason and a compensating control. Auditors accept a documented deviation far more readily than an unexplained failure.
7. Rescan on a Schedule
Set a recurring cadence, monthly or quarterly, and rescan after major changes. Configuration drift begins the day after remediation, and a score from last year proves nothing about today.
How Do You Check and Automate CIS Compliance?
You check CIS compliance by scanning each system against its benchmark and scoring how many recommendations pass.
CIS ships its own tooling for this, with a clear split between the free and paid tiers:
CIS-CAT Lite: This free assessor scans a short list of benchmarks, including Windows, Ubuntu, and Google Chrome, and produces an HTML report with a score.
CIS-CAT Pro: The paid assessor comes with a CIS SecureSuite membership, covers the full benchmark library, and adds dashboards that track scores over time.
CIS CSAT: This free hosted tool tracks your progress through the Controls, Safeguard by Safeguard.
Build Kits: These Group Policy Objects and scripts, available through SecureSuite, apply benchmark settings in bulk instead of one at a time.
CIS Hardened Images: These pre-configured virtual machine images on the AWS, Azure, GCP, and Oracle Cloud marketplaces bill at a small hourly rate. Every new instance starts life already hardened.
Automation matters because manual checking collapses at scale. A benchmark carries hundreds of recommendations, your estate carries hundreds of assets, and both change constantly.
The teams that hold their scores treat CIS Benchmark compliance as a monitoring problem. That means automated scans on a schedule, alerts when a config drifts, and audit logs retained as the evidence trail.
Control 8 asks for that logging anyway, so the evidence and the requirement conveniently overlap.
CIS Compliance Checklist for IT Teams
Use this checklist to turn the guide into a working plan:
Inventory every hardware asset, cloud account, and installed application.
Pick your Implementation Group and record the reasoning.
Download the current benchmark for each technology in your stack.
Run a baseline scan with CIS-CAT Lite or your existing scanner.
Remediate Level 1 findings across all systems first.
Test Level 2 settings in staging before production rollout.
Document every deviation with its reason and compensating control.
Schedule recurring rescans and rescan after major changes.
Retain scan reports and audit logs as compliance evidence.
Review new benchmark versions when vendors ship OS or platform upgrades.
Make CIS Compliance Something You Can Measure
CIS compliance turns the vaguest question in security (are we configured safely?) into a number you can put on a dashboard and defend in an audit.
The documents are free, the starter tooling is free, and IG1 scopes your first target down to 56 Safeguards.
The honest part is that some of it will hurt. A Level 2 setting will break an application you care about, and the first scan will sting. Drift will claw back progress the moment you stop rescanning.
A perfect benchmark score also does not make you secure by itself, because configuration is one layer of defense among several.
Teams that keep at it walk into every audit with evidence instead of promises. The habit underneath that evidence is continuous monitoring of your configurations: a scan on a schedule and an owner for the score.
FAQs
What does CIS stand for in cybersecurity?
CIS stands for the Center for Internet Security, a nonprofit founded in 2000 that publishes consensus-based security standards. CIS compliance means aligning your systems with its two main publications, the CIS Critical Security Controls and the CIS Benchmarks.
Are CIS Benchmarks free to use?
Yes, every CIS Benchmark PDF is free to download for non-commercial use after registration. The paid CIS SecureSuite membership adds the CIS-CAT Pro assessor, Build Kits for bulk remediation, and machine-readable benchmark formats on top of the free documents.
Can an organization get CIS certified?
No formal CIS certification exists for organizations. CIS certifies software vendors' products through its certification program. An enterprise demonstrates CIS compliance through assessment reports and benchmark scores rather than a certificate, so your scan evidence carries the weight an auditor needs.
How often are CIS Benchmarks updated?
The volunteer community revises benchmarks continuously as vendors release new product versions. IBM notes the Windows benchmark updates within roughly 90 days of a release. Always check that your benchmark version matches the deployed version before scanning.
Which Implementation Group should you start with?
Start with Implementation Group 1 regardless of company size. IG1 includes the 56 Safeguards that CIS calls essential cyber hygiene. It targets the most common attacks with the least effort. IG2 and IG3 build on it cumulatively as your risk profile or resources grow.
Author
Ramya Shah
Technical Writer
Ramya Shah is a technical content writer with a computer engineering background and roots in automotive journalism. He covers IT Service Management, observability, IT operations, and AI-driven automation. An early adopter of AI-assisted writing workflows, he turns complex IT processes into clear, engaging content optimized for search and answer engines (AEO), lifting content output and organic visibility.

