What are CIS Benchmarks?
CIS Benchmarks are free, detailed configuration guides published by the Center for Internet Security (CIS), a nonprofit organization. Unlike broader frameworks that tell you what to do ("implement access controls"), CIS Benchmarks tell you exactly how to do it ("set this specific Windows registry key to this value").
There are benchmarks for almost every technology you use — Windows, macOS, Linux, routers, firewalls, cloud platforms, databases, web servers, and more. Each one is a checklist of hundreds of settings that should be configured a certain way to be secure.
Think of it this way
When you buy a new car, the owner's manual tells you the correct tire pressure, the right oil type, and how often to service it. You don't have to figure it out yourself — the manufacturer already knows the optimal settings. CIS Benchmarks are the owner's manual for your IT systems. They tell you exactly how every setting should be configured for maximum security.
Why Do Default Settings Need Changing?
When you install an operating system or set up a router, the default settings are designed for convenience, not security. Manufacturers want their products to work out of the box with minimal hassle. That means:
- Extra services running — features you don't use that create extra ways for attackers to get in
- Weak password policies — no complexity requirements, no lockout after failed attempts
- Logging disabled — if something bad happens, there's no record of it
- Remote access enabled — management features turned on that should only be active when needed
- Old protocols allowed — outdated, insecure methods of communication left active for backwards compatibility
CIS Benchmarks go through each of these defaults and tell you which ones to change and what to change them to.
What Do Benchmarks Cover?
There are benchmarks for almost everything in your environment:
Operating Systems
Windows 10/11, Windows Server, macOS, Ubuntu, Red Hat, Debian — each has its own benchmark with hundreds of configuration checks specific to that OS.
Network Equipment
Cisco routers and switches, Palo Alto firewalls, Juniper, Fortinet — benchmarks cover management access, routing protocols, access control lists, and logging.
Cloud Platforms
AWS, Azure, Google Cloud — benchmarks cover IAM policies, storage permissions, network security groups, logging, and encryption settings.
Applications
Microsoft 365, Google Workspace, web browsers, databases (SQL Server, PostgreSQL, MySQL) — each has configuration settings that affect security.
Level 1 vs. Level 2
Most CIS Benchmarks have two levels:
- Level 1 — essential security settings that can be applied without affecting how your systems work. These are the basics that every organization should implement. They won't break anything or slow things down.
- Level 2 — more advanced hardening for organizations that need stronger security. Some of these settings might restrict certain features or require workarounds. Best for environments handling sensitive data.
Most businesses start with Level 1 and move to Level 2 as needed.
What We Do With CIS Benchmarks
- Audit your systems — we check every relevant setting against the appropriate CIS Benchmark
- Compliance score — a clear percentage showing how many checks pass vs. fail
- Per-system results — individual reports for each server, workstation, or device
- Fix list — exact settings to change, organized by priority and risk level
- Quick wins — low-effort changes that immediately improve your security
- Validation — after you make the changes, we can re-run the audit to confirm everything is in place
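To make the mechanics of the Level 1 / Level 2 split and the audit output above concrete (compliance score, per-check pass/fail, prioritized fix list), here is an added, self-contained Python example. It is illustration code written for this page, not CIS material and not the audit tooling described above. The check IDs, setting names and expected values are constructed and are not quoted from any CIS Benchmark; the sample configuration is likewise constructed. A real benchmark audit works the same way at a much larger scale: read the actual setting, compare it to the benchmark's expected value, and treat a setting that is simply absent (still at its default) as a failure.

```python
"""Toy benchmark-style configuration audit (added example, not CIS material).

Check IDs, setting names, expected values and the sample configuration are
constructed for illustration. They are NOT quoted from any CIS Benchmark.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of a Linux-style "key value" service configuration.
# Note that ClientAliveInterval is deliberately absent (left at its default).
SAMPLE_CONFIG = """
# constructed sample configuration
PermitRootLogin yes
PasswordMinLength 8
MaxAuthTries 10
Protocol 2
LogLevel INFO
X11Forwarding yes
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines, skipping blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


@dataclass
class Check:
    check_id: str        # hypothetical ID, not a CIS recommendation number
    level: int           # 1 = essential, 2 = stricter hardening
    setting: str
    expected: str        # human-readable expected value for the report
    predicate: Callable[[str], bool]
    remediation: str     # what to change the setting to


def equals(expected: str) -> Callable[[str], bool]:
    return lambda v: v.lower() == expected.lower()


def at_most(n: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) <= n


def at_least(n: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) >= n


# Constructed checks; values are illustrative, not taken from a benchmark.
CHECKS: List[Check] = [
    Check("1.1", 1, "PermitRootLogin", "no", equals("no"), "Set PermitRootLogin no"),
    Check("1.2", 1, "PasswordMinLength", ">= 14", at_least(14), "Set PasswordMinLength 14"),
    Check("1.3", 1, "MaxAuthTries", "<= 4", at_most(4), "Set MaxAuthTries 4"),
    Check("1.4", 1, "LogLevel", "INFO or VERBOSE",
          lambda v: v.upper() in ("INFO", "VERBOSE"), "Set LogLevel INFO"),
    Check("1.5", 1, "ClientAliveInterval", "<= 300", at_most(300), "Set ClientAliveInterval 300"),
    Check("2.1", 2, "X11Forwarding", "no", equals("no"), "Set X11Forwarding no"),
]


@dataclass
class Result:
    check: Check
    actual: Optional[str]   # None means the setting is absent (default in effect)
    passed: bool


def audit(settings: Dict[str, str], checks: List[Check], level: int) -> List[Result]:
    """Evaluate every check at or below the requested level.

    An absent setting fails: the benchmark expects an explicit, known value,
    and a silent default is exactly what the audit is meant to surface.
    """
    results = []
    for check in checks:
        if check.level > level:
            continue
        actual = settings.get(check.setting)
        passed = actual is not None and check.predicate(actual)
        results.append(Result(check, actual, passed))
    return results


def compliance_score(results: List[Result]) -> float:
    """Percentage of evaluated checks that pass, rounded to one decimal."""
    if not results:
        return 100.0
    return round(100.0 * sum(r.passed for r in results) / len(results), 1)


def fix_list(results: List[Result]) -> List[Tuple[str, str, Optional[str], str]]:
    """Failed checks ordered by level (Level 1 first), then by check ID."""
    failed = sorted((r for r in results if not r.passed),
                    key=lambda r: (r.check.level, r.check.check_id))
    return [(r.check.check_id, r.check.setting, r.actual, r.check.remediation) for r in failed]


if __name__ == "__main__":
    settings = parse_config(SAMPLE_CONFIG)
    for level in (1, 2):
        results = audit(settings, CHECKS, level)
        print(f"Level {level}: {compliance_score(results)}% compliant")
        for check_id, setting, actual, fix in fix_list(results):
            print(f"  FAIL {check_id} {setting}={actual!r}: {fix}")
```

Running the script audits the same configuration twice, once at Level 1 and once at Level 2, which is how the "start with Level 1, move to Level 2 as needed" progression plays out in practice: the Level 2 run includes every Level 1 check plus the stricter ones, so its score can only be equal or lower. The fix list puts Level 1 failures first so that the essential settings get fixed before the optional hardening.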