What are CIS benchmarks?
Developed by a global community of cybersecurity professionals, CIS Benchmarks are best practices for securely configuring IT systems, software, networks, and cloud infrastructure.

CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.

CIS Benchmarks are published by the Center for Internet Security (CIS). As of this writing there are more than 140 CIS Benchmarks in total, spanning seven core technology categories. CIS Benchmarks are developed through a unique consensus-based process involving communities of cybersecurity professionals and subject matter experts around the world, each of which continuously identifies, refines, and validates security best practices within their areas of focus.

About the Center for Internet Security (CIS)

CIS is a nonprofit organization established in October 2000. CIS is driven by a global IT community with the common goal of identifying, developing, validating, promoting, and sustaining best practice solutions for cyber defense. Over the years, CIS has produced and distributed several free tools and solutions for enterprises of all sizes, designed to strengthen their cybersecurity readiness.

CIS is most widely known for the CIS Controls, a prioritized set of safeguards and countermeasures for effective cyber defense (20 controls in version 7, consolidated into 18 in version 8). The Controls give organizations a prioritized checklist that can significantly reduce their attack surface, and CIS Benchmarks reference these controls when building recommendations for better-secured system configurations.

How are CIS Benchmarks organized?

Each CIS Benchmark contains many configuration recommendations, and each recommendation is assigned to a profile; most benchmarks define two. Level 1 profiles contain baseline settings that are practical to apply broadly and have minimal impact on business functionality. Level 2 profiles extend Level 1 for high-security environments: they add defense-in-depth settings that can reduce functionality or performance, so they require more coordination and planning to implement without business disruption. Because Level 2 is a superset of Level 1, a system is assessed against one profile, not both. Some benchmarks publish additional profiles, for example a STIG profile for certain operating systems.

There are seven (7) core categories of CIS Benchmarks:

  1. Operating system benchmarks cover security configurations of core operating systems such as Microsoft Windows, Linux distributions, and Apple macOS. These include best-practice guidelines for local and remote access restrictions, user profiles, driver installation, and internet browser configurations.

  2. Server software benchmarks cover security configurations of widely used server software, including Microsoft Windows Server, Microsoft SQL Server, VMware, Docker, and Kubernetes. These benchmarks include recommendations for Kubernetes PKI certificates, API server settings, server administration controls, network policies, and storage restrictions.

  3. Cloud provider benchmarks address security configurations for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, IBM Cloud, and other public clouds. They include guidelines for configuring identity and access management (IAM), logging and monitoring, network configurations, and regulatory compliance safeguards.

  4. Mobile device benchmarks address mobile operating systems, including iOS and Android, and focus on areas such as developer options and settings, OS privacy configurations, browser settings, and app permissions.

  5. Network device benchmarks offer general and vendor-specific security configuration guidelines for network devices and applicable hardware from Cisco, Palo Alto Networks, Juniper, and others.

  6. Desktop software benchmarks cover security configurations for some of the most commonly used desktop software applications, including Microsoft Office and Exchange Server, Google Chrome, Mozilla Firefox, and Safari Browser. These benchmarks focus on email privacy and server settings, mobile device management, default browser settings, and third-party software blocking.

  7. Multi-function print device benchmarks outline security best practices for configuring multi-function printers in office settings and cover such topics as firmware updating, TCP/IP configurations, wireless access configuration, user management, and file sharing.
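The profile-level mechanism and the audit/remediation structure of a benchmark recommendation are easier to see in code. The script below is an added example written for this page, not code from IBM or from CIS: it models a handful of OpenSSH server recommendations in the style of an operating system benchmark, runs them as a Level 1 or Level 2 audit against a constructed sshd_config, and rewrites the failing lines. The recommendation IDs ("X.n"), their level assignments, the sample configuration and the table of daemon defaults are all assumptions made for illustration and do not correspond to any published benchmark's numbering.

```python
# Added example (not code from the IBM page or from CIS). Models a CIS-style
# recommendation (ID, title, profile level, audit test, remediation) and how a
# Level 1 or Level 2 profile selects which checks run. The IDs ("X.n") and the
# level assignments are illustrative, not any published benchmark's numbering.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample sshd_config (not from a real host), deliberately weak in
# two places: root login and X11 forwarding.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 4
LogLevel INFO
"""

# Assumed defaults for keywords absent from the file, per sshd_config(5).
# A real audit reads the effective configuration with `sshd -T` instead.
DEFAULTS = {"permitrootlogin": "prohibit-password", "maxauthtries": "6",
            "loglevel": "INFO", "x11forwarding": "no", "permitemptypasswords": "no"}


@dataclass(frozen=True)
class Recommendation:
    rec_id: str
    title: str
    level: int                     # CIS profile level: 1 or 2
    key: str                       # sshd keyword, lower-cased
    passes: Callable[[str], bool]  # audit test applied to the effective value
    remediation: str               # line to apply when the audit fails


RECOMMENDATIONS: List[Recommendation] = [
    Recommendation("X.1", "Ensure SSH root login is disabled", 1, "permitrootlogin",
                   lambda v: v.lower() == "no", "PermitRootLogin no"),
    Recommendation("X.2", "Ensure SSH MaxAuthTries is 4 or less", 1, "maxauthtries",
                   lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries 4"),
    Recommendation("X.3", "Ensure SSH LogLevel is INFO or VERBOSE", 1, "loglevel",
                   lambda v: v.upper() in ("INFO", "VERBOSE"), "LogLevel VERBOSE"),
    Recommendation("X.4", "Ensure SSH X11 forwarding is disabled", 2, "x11forwarding",
                   lambda v: v.lower() == "no", "X11Forwarding no"),
    Recommendation("X.5", "Ensure SSH PermitEmptyPasswords is disabled", 2,
                   "permitemptypasswords", lambda v: v.lower() == "no",
                   "PermitEmptyPasswords no"),
]


def _split(line: str):
    """sshd accepts 'Key value' or 'Key = value'; return (lower key, value)."""
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) == 2 else "")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse keyword lines, skipping comments and blanks. As in sshd itself,
    the first occurrence of a keyword wins and later duplicates are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = _split(line)
            if value:
                settings.setdefault(key, value)
    return settings


def audit(settings: Dict[str, str], profile_level: int) -> List[dict]:
    """Evaluate every recommendation at or below profile_level, so a Level 2
    run includes all Level 1 checks. Missing keywords fall back to DEFAULTS."""
    results = []
    for rec in RECOMMENDATIONS:
        if rec.level <= profile_level:
            value = settings.get(rec.key, DEFAULTS.get(rec.key, ""))
            results.append({"id": rec.rec_id, "title": rec.title, "level": rec.level,
                            "key": rec.key, "value": value,
                            "status": "PASS" if rec.passes(value) else "FAIL",
                            "remediation": rec.remediation})
    return results


def failing(results: List[dict]) -> List[dict]:
    return [r for r in results if r["status"] == "FAIL"]


def remediate(text: str, results: List[dict]) -> str:
    """Rewrite the first occurrence of each failing keyword to its remediation
    line and append any failing keyword that the file did not set at all."""
    fixes = {r["key"]: r["remediation"] for r in failing(results)}
    out = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        key = _split(stripped)[0] if stripped else ""
        out.append(fixes.pop(key) if key in fixes else raw)
    out.extend(fixes.values())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for r in audit(current, 2):
        print(f"{r['status']} L{r['level']} {r['id']} {r['title']} (value={r['value']!r})")
    print(remediate(SAMPLE_SSHD_CONFIG, audit(current, 2)))
```

A Level 1 audit of the sample reports one failure (root login); a Level 2 audit reports two, because it carries all Level 1 checks plus the X11 forwarding check. remediate() rewrites those two lines and a second audit of the result passes. Two caveats for real use: the benchmark's own audit procedures read effective settings with `sshd -T` rather than parsing the file, since Match blocks and Include directives change the outcome, and a check that passes today says nothing about drift, so audits have to be re-run on a schedule.
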
CIS Hardened Images

CIS also offers pre-configured Hardened Images: virtual machine images whose operating system has been configured to the recommendations of the corresponding CIS Benchmark before the image is published. Starting from a hardened image removes the need to apply hundreds of benchmark settings by hand on every new instance and gives each deployment a known, documented baseline. It does not replace patching, monitoring, or periodic re-auditing: configuration drift after launch is not caught by the image itself.

CIS Hardened Images are built and verified against CIS Benchmarks and CIS Controls, and that documented baseline can be cited as evidence toward regulatory and industry compliance requirements. They are available through the marketplaces of the major cloud computing platforms and are deployed and managed like any other image.

CIS Benchmarks and regulatory compliance

CIS Benchmarks map to security and data privacy frameworks including the NIST (National Institute of Standards and Technology) Cybersecurity Framework, PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and ISO/IEC 27001. An organization in an industry governed by these frameworks can therefore make measurable progress toward compliance by adhering to the relevant benchmarks. The mapping covers technical configuration only: benchmark conformance is evidence for specific controls, not a certification, and the policy, process, and audit requirements of each framework still have to be met separately. CIS Controls and CIS Hardened Images can likewise help support an organization's compliance with GDPR (the EU's General Data Protection Regulation).

Benefits of CIS Benchmarks

While enterprises are always free to make their own choices around security configurations, CIS Benchmarks offer:

  • The collected expertise of a global community of IT and cybersecurity professionals

  • Regularly updated, step-by-step guidance, with an audit procedure and a remediation procedure for each recommendation, across the technology categories the benchmarks cover

  • Consistency in compliance management, since one configuration baseline serves several regulatory frameworks

  • A flexible template for securely adopting new cloud services and for executing digital transformation strategies

  • Easy-to-deploy configurations for improved operational efficiency and sustainability